Crypto researchers: Time to use something better than 1024-bit encryption

It’s possible for entities with vast computing resources – such as the NSA and major national governments – to compromise commonly used Diffie-Hellman keys, and over time more groups will be able to afford cracking them as computing costs go down.

It’s actually possible for entities with vast computing resources – such as the NSA and major national governments – to compromise commonly used Diffie-Hellman key exchange groups, so it’s time for businesses to switch to something else like elliptic curve cryptography, researchers say.

“It’s been recommended to move from 1024-bit [encryption] for a long time, and now there are very concrete risks of not doing that,” says Nadia Heninger, an assistant professor of computer and information science at the University of Pennsylvania who is an author of a paper titled “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice”.


The strength of Diffie-Hellman relies on the fact that doing the math needed to break the secrets of the key exchange took so long that even with the fastest computers the crackers would be long dead before they succeeded.

Now Heninger and 13 colleagues have demonstrated it’s possible with current computer technology to break the Diffie-Hellman key exchange used with many cryptographic protocols, and as computing costs go down, more groups will be able to do so, exposing encryption keys to attackers.

They conclude from stolen documents released by Edward Snowden that NSA has likely already defeated 1024-bit Diffie-Hellman to decrypt IPSec connections “at significant scale.” Governments of technically sophisticated countries may have done so, too, they say.


J. Alex Halderman, Associate Professor of Computer Science and Engineering at the University of Michigan, advocates for elliptic curve encryption

As a result, businesses that think they might be targets of groups that have the money and know-how should at least abandon 1024-bit Diffie-Hellman for 2048-bit, says J. Alex Halderman, another author of the paper and an Associate Professor of Computer Science and Engineering at the University of Michigan. Better yet, go to elliptic curve encryption which so far doesn’t look like it will be broken anytime soon. Stronger and stronger bit-lengths for Diffie-Hellman will eventually be overcome by less expensive computing power, he says.

The problem for businesses is that weaker encryption is tucked in all over the place in corporate networks, he says. “Diffie-Hellman in the form we find to be weak is deeply embedded in protocols that devices and systems depend on,” Halderman says. “You can disable 1024-bit but it leads to compatibility problems.” Protocols, applications and devices may not be readily upgradable to 2048-bit, he says.

“It’s a long-term project,” but accomplishing it should be on the IT priority list, he says.

In Diffie-Hellman, endpoints that want to create an encryption key in order to secure connections between them first exchange keying information that includes large prime numbers. These formalized groups of primes are well established and some are known to be more widely used than others, Halderman says.

Performing some arduous math on a large prime p in these groups can eventually break the Diffie-Hellman exchange and the keys they generate, but the time involved is too great to make the attempt practical for 1024-bit groups – until now. “A single large precomputation on p can be used to efficiently break all Diffie-Hellman exchanges made with that prime,” the researchers write, and such calculations are “plausibly within the resources of state-level attackers.”

Because some Diffie-Hellman groups are widely used, carefully picking the right ones to break can make vulnerable the connections made by a large number of devices, the researchers say. According to their analysis, “an attacker who could perform precomputations for ten 1024-bit groups could passively decrypt traffic to about 66% of IKE VPNs, 26% of SSH servers, 16% of SMTP servers and 24% of popular HTTPS sites.”
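To make the precomputation point concrete, here is an added toy example (not code from the paper or from this article): a Diffie-Hellman exchange over a 16-bit prime, with the discrete-log table (the expensive, per-group step) built once and then reused to recover the shared secret of every exchange in that group. The prime, generator and private values are constructed for the demo and are orders of magnitude smaller than any real group.

```python
"""Why reusing one Diffie-Hellman prime is risky, at toy scale.

Real groups use 1024-bit or larger primes; a 16-bit prime is used here so
the per-group precomputation runs in milliseconds. The shape is the same:
one table built for (p, g) breaks every exchange made in that group.
"""
import math

# Constructed toy group (assumption: chosen only for this demo, not a
# real-world parameter set). 65537 is prime and 3 is a primitive root.
P = 65537
G = 3


def dh_public(private: int, p: int = P, g: int = G) -> int:
    """One side's contribution g^x mod p, sent in the clear."""
    return pow(g, private, p)


def dh_shared(peer_public: int, private: int, p: int = P) -> int:
    """Shared secret peer_public^x mod p; both parties get the same value."""
    return pow(peer_public, private, p)


def precompute_group(p: int = P, g: int = G) -> dict:
    """Per-group precomputation (baby steps of baby-step giant-step).

    This is the costly part, and it depends only on (p, g), never on an
    individual exchange: that is the amortisation the paper describes.
    """
    m = math.isqrt(p) + 1
    table = {pow(g, j, p): j for j in range(m)}
    return {"p": p, "g": g, "m": m, "table": table}


def discrete_log(public: int, pre: dict) -> int:
    """Cheap per-session step: recover x from g^x mod p using the table."""
    p, g, m, table = pre["p"], pre["g"], pre["m"], pre["table"]
    giant = pow(g, -m, p)  # g^(-m) mod p, Python 3.8+ modular inverse
    cur = public
    for i in range(m):
        if cur in table:
            return i * m + table[cur]
        cur = (cur * giant) % p
    raise ValueError("no discrete log found for this element")


def break_exchange(pub_a: int, pub_b: int, pre: dict) -> int:
    """Passive observer with the precomputed table recovers the shared secret."""
    return dh_shared(pub_b, discrete_log(pub_a, pre), pre["p"])
```

With a 2048-bit prime the table in `precompute_group` is infeasible, which is the margin the article says businesses should move to; with elliptic curve groups no such index-calculus-style precomputation is known.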

The paper makes more concrete a warning put out years ago by the National Institute of Standards and Technology. “This is a warning,” Heninger says. “NIST recommended moving from 1024 by 2010; it’s now 2015.”

In order to make the transition, the researchers say businesses need to:

* evaluate how difficult it will be to move away from 1024-bit
* stop building apps and devices that use 1024-bit
* get rid of legacy 1024-bit gear as it becomes feasible
* reconfigure everything that can be reconfigured to make the encryption stronger
