Crypto researchers: Time to use something better than 1024-bit encryption

It's actually possible for entities with vast computing resources, such as the NSA and major national governments, to compromise commonly used Diffie-Hellman key exchange groups, so it's time for businesses to switch to something else like elliptic curve cryptography, researchers say.

"It's been recommended to move from 1024-bit [encryption] for a long time, and now there are very concrete risks of not doing that," says Nadia Heninger, an assistant professor of computer and information science at the University of Pennsylvania who is an author of a paper titled "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice".

The strength of Diffie-Hellman has relied on the fact that the math needed to break the secrets of the key exchange takes so long that, even with the fastest computers, the crackers would be long dead before they succeeded.

Now Heninger and 13 colleagues have demonstrated it's possible with current computer technology to break the Diffie-Hellman key exchange used with many cryptographic protocols, and as computing costs go down, more groups will be able to do so, exposing encryption keys to attackers.

They conclude from stolen documents released by Edward Snowden that the NSA has likely already defeated 1024-bit Diffie-Hellman to decrypt IPSec connections "at significant scale." Governments of technically sophisticated countries may have done so, too, they say.

As a result, businesses that think they might be targets of groups that have the money and know-how should at least abandon 1024-bit Diffie-Hellman for 2048-bit, says J. Alex Halderman, another author of the paper and an Associate Professor of Computer Science and Engineering at the University of Michigan. Better yet, go to elliptic curve encryption, which so far doesn't look like it will be broken anytime soon. Stronger and stronger bit-lengths for Diffie-Hellman will eventually be overcome by less expensive computing power, he says.

The problem for businesses is that weaker encryption is tucked in all over the place in corporate networks, he says. "Diffie-Hellman in the form we find to be weak is deeply embedded in protocols that devices and systems depend on," Halderman says. "You can disable 1024-bit but it leads to compatibility problems." Protocols, applications and devices may not be readily upgradable to 2048-bit, he says.

"It's a long-term project," but accomplishing it should be on the IT priority list, he says.

In Diffie-Hellman, endpoints that want to create an encryption key in order to secure connections between them first exchange keying information that includes large prime numbers. These formalized groups of primes are well established and some are known to be more widely used than others, Halderman says.

Performing some arduous math on a large prime p in these groups can eventually break the Diffie-Hellman exchange and the keys it generates, but the time involved was too great to make the attempt practical for 1024-bit groups – until now. "A single large precomputation on p can be used to efficiently break all Diffie-Hellman exchanges made with that prime," the researchers write, and such calculations are "plausibly within the resources of state-level attackers."

Because some Diffie-Hellman groups are widely used, carefully picking the right ones to break can make vulnerable the connections made by a large number of devices, the researchers say. According to their analysis, "an attacker who could perform precomputations for ten 1024-bit groups could passively decrypt traffic to about 66% of IKE VPNs, 26% of SSH servers, 16% of SMTP servers and 24% of popular HTTPS sites."

The paper makes more concrete a warning put out years ago by the National Institute of Standards and Technology. "This is a warning," Heninger says. "NIST recommended moving from 1024 by 2010; it's now 2015."

In order to make the transition, the researchers say businesses need to:

* evaluate how difficult it will be to move away from 1024-bit

* stop building apps and devices that use 1024-bit

* get rid of legacy 1024-bit gear as it becomes feasible

* reconfigure everything that can be reconfigured to make the encryption stronger
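
As a starting point for the "evaluate" and "reconfigure" steps on SSH servers, the following added example (not from the article or the researchers' paper) audits a Diffie-Hellman group file and separates groups below 2048 bits from those that meet the floor. It assumes the OpenSSH moduli(5) line format (timestamp, type, tests, trials, size, generator, hex modulus); the sample entries are constructed numbers of the right length, not real primes.

```python
"""Audit Diffie-Hellman group sizes in an OpenSSH moduli(5)-format file."""

MIN_BITS = 2048  # floor taken from the article's advice to leave 1024-bit groups


def parse_moduli(text):
    """Yield (line_no, bits, line) for each well-formed moduli entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {line_no}: expected 7 fields, got {len(fields)}")
        # Fields: timestamp type tests trials size generator modulus(hex).
        # Measure the modulus itself instead of trusting the size column.
        modulus = int(fields[6], 16)
        yield line_no, modulus.bit_length(), line


def audit(text, min_bits=MIN_BITS):
    """Return (kept_lines, weak) where weak is a list of (line_no, bits)."""
    kept, weak = [], []
    for line_no, bits, line in parse_moduli(text):
        if bits < min_bits:
            weak.append((line_no, bits))
        else:
            kept.append(line)
    return kept, weak


def _constructed_entry(bits):
    # Constructed sample: an odd number of the right length, NOT a real safe prime.
    modulus = (1 << (bits - 1)) | 1
    return f"20150101000000 2 6 100 {bits - 1} 2 {modulus:X}"


SAMPLE = "\n".join([
    "# constructed sample, not a real moduli file",
    _constructed_entry(1024),
    _constructed_entry(1536),
    _constructed_entry(2048),
    _constructed_entry(4096),
])

if __name__ == "__main__":
    kept, weak = audit(SAMPLE)
    for line_no, bits in weak:
        print(f"line {line_no}: {bits}-bit group is below {MIN_BITS} bits")
    print(f"{len(kept)} group(s) meet the floor")
```

The `kept` lines can be written out as a replacement group file once the weak entries have been reviewed; on a real host, pass the file's contents to `audit` instead of `SAMPLE`.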