The algorithm used for most data encryption is Diffie-Hellman which requires that both parties have a key which, in this case, is a large prime number. It seems that this has been hacked by the NSA and they are now able to read VPN traffic as well as some HTTPS and SSH connections.
This had been alluded to in this 2012 article in Wired and more recently, Snowden has leaked similar information.
From the paper (PDF file):
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
ABSTRACT
We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to “export-grade” Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm.
After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups.
We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
Time to strengthen your keys or switch to a different algorithm... For casual communication between a few people, one-time pads are a wonderful way to go - you can make them yourself (here and here).
Leave a comment