It’s actually possible for entities with vast computing resources, such as the NSA and major national governments, to compromise commonly used Diffie-Hellman key exchange groups, so it’s time for businesses to switch to something else like elliptic curve cryptography, researchers say.
“It’s been recommended to move from 1024-bit [encryption] for a long time, and now there are very concrete risks of not doing that,” says Nadia Heninger, an assistant professor of computer and information science at the University of Pennsylvania who is an author of a paper titled “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice”.
The strength of Diffie-Hellman relies on the fact that doing the math needed to break the secrets of the key exchange took so long that even with the fastest computers the crackers would be long dead before they succeeded.
Now Heninger and 13 colleagues have demonstrated it’s possible with current computer technology to break the Diffie-Hellman key exchange used with many cryptographic protocols, and as computing costs go down, more groups will be able to do so, exposing encryption keys to attackers.
They conclude from stolen documents released by Edward Snowden that the NSA has likely already defeated 1024-bit Diffie-Hellman to decrypt IPSec connections “at significant scale.” Governments of technically sophisticated countries may have done so, too, they say.
As a result, businesses that think they might be targets of groups that have the money and know-how should at least abandon 1024-bit Diffie-Hellman for 2048-bit, says J. Alex Halderman, another author of the paper and an Associate Professor of Computer Science and Engineering at the University of Michigan. Better yet, go to elliptic curve encryption, which so far doesn’t look like it will be broken anytime soon. Stronger and stronger bit-lengths for Diffie-Hellman will eventually be overcome by less expensive computing power, he says.
The problem for businesses is that weaker encryption is tucked in all over the place in corporate networks, he says. “Diffie-Hellman in the form we find to be weak is deeply embedded in protocols that devices and systems depend on,” Halderman says. “You can disable 1024-bit but it leads to compatibility problems.” Protocols, applications and devices may not be readily upgradable to 2048-bit, he says.