If you pay attention to the allegations that Edward Snowden made against the NSA, you’ve probably heard that they (the NSA) can decrypt and read a large share of encrypted Internet traffic. That includes VPN connections as well as HTTPS and SSH.
On October 14, 2015, Alex Halderman and Nadia Heninger published a blog post on Freedom to Tinker (“How is NSA breaking so much crypto?”) that outlines how they could do it. And the reason it’s possible is frightening.
Let’s face it, as human beings, we’re lazy. We like to do things in the easiest way that will work. Admittedly, sometimes that’s the right way to approach things. There’s no sense in making things more difficult than they need to be. On the other hand, there is such a thing as not doing the job right. The people implementing the encryption didn’t hide which prime number the key exchange was based on (in Diffie-Hellman the prime is a public parameter, so it can’t be hidden), but they did let nearly everyone use the same one, and that’s what made the NSA’s job cheap.
Once you understand the Diffie-Hellman key exchange, you understand how important the prime number is: the whole exchange is only secure as long as nobody can solve the discrete logarithm problem modulo that prime. The prime itself is not a secret; both sides agree on it in the clear. Well, apparently in the name of convenience and ease of coding, protocol standards and implementers have been using a small set of standard prime numbers, often hard-coded into the software. That means every single connection starts with the same number. If the NSA knows that number, they can “perform a single enormous computation to ‘crack’ a particular prime, then easily break any individual connection that uses that prime.”
Now, that one-time computation for a single 1024-bit prime would take massive computing power and a lot of time; the post estimates it at roughly a year of purpose-built hardware costing a few hundred million dollars, well within the budget of a large national agency. Then you’re forced to wonder how long they’ve actually been working on it. And when you think about the following paragraph from the post, it all starts to make sense.
Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.
Once they’ve done the expensive part for a prime, they don’t have to do it again; breaking each individual connection that uses that prime becomes a comparatively cheap follow-up calculation. And one has to assume they aren’t resting on their laurels. They’re going to go after every other widely reused 1024-bit prime they can afford to crack.
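To make the “one enormous computation, then cheap per-connection breaks” idea concrete, here is an added example that is not part of the original post or of the Freedom to Tinker article. It runs Diffie-Hellman over a constructed toy group (the Mersenne prime 2^31 - 1 with generator 7, chosen so the attack finishes in milliseconds) and plays the passive eavesdropper: a baby-step table is built once for the shared prime, after which any number of sessions that reuse that prime are broken with only their public values. The baby-step giant-step algorithm stands in for the number field sieve precomputation that the real attack on 1024-bit primes relies on; the two-phase structure, not the specific algorithm, is what the example demonstrates.

```python
"""Toy Diffie-Hellman plus a precompute-once, break-many eavesdropper."""
import math
import secrets

# Constructed toy parameters. A real deployment used a fixed 1024-bit prime;
# the attack below has the same shape, only the precomputation cost explodes.
P = 2**31 - 1   # Mersenne prime, small enough for a sqrt(p)-sized table
G = 7           # a primitive root modulo P


def keypair(p=P, g=G):
    """One Diffie-Hellman party: random private exponent a, public value g^a mod p."""
    a = secrets.randbelow(p - 2) + 1
    return a, pow(g, a, p)


def shared_secret(their_public, my_private, p=P):
    """What each honest party computes: (g^b)^a = (g^a)^b mod p."""
    return pow(their_public, my_private, p)


class PrecomputedGroup:
    """The 'single enormous computation' for one fixed (p, g).

    Phase 1 (expensive, done once per prime): a baby-step table g^j -> j.
    Phase 2 (cheap, per connection): giant steps through the table to recover
    a discrete log, then one modular exponentiation to get the session key.
    """

    def __init__(self, p=P, g=G):
        self.p, self.g = p, g
        self.m = math.isqrt(p - 1) + 1
        self.table = {}
        cur = 1
        for j in range(self.m):          # baby steps
            self.table.setdefault(cur, j)
            cur = cur * g % p
        self.giant_step = pow(g, -self.m, p)   # g^(-m), for the giant steps

    def discrete_log(self, h):
        """Return x with g^x == h (mod p).

        x may differ from the exponent the victim chose if g does not generate
        the whole group, but g^x == h still holds, which is all the attack needs.
        """
        gamma = h
        for i in range(self.m):          # giant steps
            if gamma in self.table:
                return i * self.m + self.table[gamma]
            gamma = gamma * self.giant_step % self.p
        raise ValueError("value is not in the subgroup generated by g")


def eavesdrop(group, public_a, public_b):
    """Passive attacker: derive the session secret from the two public values only."""
    x = group.discrete_log(public_a)     # cheap phase, reuses the table
    return pow(public_b, x, group.p)     # B^x = g^(bx) = A^b = the honest secret


def break_sessions(group, sessions=5):
    """Run several independent handshakes on the shared prime; report how many
    the eavesdropper recovered without any further precomputation."""
    broken = 0
    for _ in range(sessions):
        a, pub_a = keypair(group.p, group.g)
        b, pub_b = keypair(group.p, group.g)
        secret = shared_secret(pub_b, a, group.p)
        assert secret == shared_secret(pub_a, b, group.p)
        if eavesdrop(group, pub_a, pub_b) == secret:
            broken += 1
    return broken


if __name__ == "__main__":
    grp = PrecomputedGroup()            # the one-time investment
    n = 5
    print(f"table size {len(grp.table)}; broke {break_sessions(grp, n)} of {n} sessions")
```

Everything the attacker uses is visible on the wire except the table, and the table depends only on (p, g). Give each server its own prime, or use a prime so large that the table-building phase is out of reach, and the per-connection step has nothing to reuse.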
Your data, if transferred using 1024-bit Diffie-Hellman over one of those widely shared primes, isn’t safe. The post’s advice is to move to 2048-bit or larger groups (ideally ones you generate yourself) or to elliptic-curve Diffie-Hellman, which this precomputation does not reach. And really, Diffie-Hellman is the backbone of Internet security. Think about that next time you choose to buy something online or send a private message without encrypting it yourself.