[dupe] The NSA's Cryptographic Capabilities (schneier.com)
91 points by silenteh on Sept 6, 2013 | hide | past | favorite | 16 comments



After the new revelations every site that's using SSL should be using Perfect Forward Secrecy with it, too. Right now, only a few known companies like Google (only for the search engine probably), DuckDuckGo, and Ixquick/Startpage are using it.

Considering NSA is collecting as many keys as possible, let's at least make their job exponentially harder by encrypting every session and every message with a new key with PFS. It's the least these companies can do, if they're serious about their users' privacy.

Also, as Bruce is saying - use 3072 bit or even 4096 bit RSA keys (or better alternatives) and AES-256 as soon as possible (hopefully within a year).
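The comment above recommends forward secrecy but gives no way to check for it. The following is an added example (not from the thread or from Schneier's post) using Python's standard `ssl` module: it classifies OpenSSL-style cipher suite names by key exchange and audits a server `SSLContext` for suites that lack forward secrecy. The `weak_context` and `forward_secret_context` configurations are constructed for illustration.

```python
import ssl

# Key-exchange families that yield forward secrecy: ephemeral (EC)DH.
# Static RSA ("AES256-GCM-SHA384") and static ECDH ("ECDH-RSA-...") do not:
# a recorded session can be decrypted later with the server's long-term key.
FS_KEX_PREFIXES = ("ECDHE", "DHE", "EDH")


def is_forward_secret(cipher_name: str) -> bool:
    """Classify an OpenSSL-style cipher suite name by its key exchange."""
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral (EC)DHE.
    if cipher_name.startswith("TLS_"):
        return True
    return cipher_name.split("-")[0] in FS_KEX_PREFIXES


def non_forward_secret_ciphers(ctx: ssl.SSLContext) -> list:
    """Return the enabled suites in ctx whose key exchange is not ephemeral."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["name"])]


def weak_context() -> ssl.SSLContext:
    """Constructed 'before' config: still offers static-RSA key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA")
    return ctx


def forward_secret_context() -> ssl.SSLContext:
    """Corrected config: only ephemeral (EC)DHE suites, no anonymous or MD5 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("pfs", forward_secret_context())):
        print(label, "non-forward-secret suites:", non_forward_secret_ciphers(ctx))
```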


Whilst it makes perfect sense, it's an exercise in frustration. An asymmetric key is usually used to protect a shared symmetric key. Generating a strong asymmetric key on a phone, for example, takes bloody ages. As ever, strong security comes at the expense of usability.


PFS only adds 15 percent overhead, and the new ARMv8 architecture will be up to 10x faster for AES.


The idea that we can break public key encryption and go back to shared secrets doesn't solve the problem for which public key encryption is the answer, namely sharing the secrets. Schneier's piece would be a little more helpful if this were considered. Going back to simple shared secrets means that one cannot securely engage in something like ecommerce, and so breaking public key encryption would totally break the way we use encryption today.


Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily.

There are valid and sane reasons to dismiss RSA. Keys are becoming larger and larger for example.

What Bruce doesn't say is that the NSA made modifications to DES S-Boxes so that it can RESIST differential cryptanalysis better.

But overall I agree, I think the "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic." is just vulgarization for the people voting budget.

It doesn't matter if you break the crypto or the implementation as long as you provide intelligence.


"What Bruce doesn't say is that the NSA made modifications to DES S-Boxes so that it can RESIST differential cryptanalysis better."

That was then. Back then, the NSA's clear mission was to help prevent the Soviets from winning, and that included protecting our communications (still part of their remit). Now ... it's not so clear.

BTW, according to Wikipedia IBM independently discovered differential cryptography and kept that secret at the NSA's request, so IBM was potentially in a position to understand the NSA's requested changes, or just plain worked with it on them.

There were a bunch of things that the NSA might have thought mitigated the danger so it was an acceptable tradeoff to the very real threat of Soviet spying on US businesses (see e.g. http://nsarchive.wordpress.com/2013/04/26/agent-farewell-and...):

They limited the key size to 56 bits (according to Wikipedia a compromise between 48 and 64 ... where else have we heard of that sort of thing: https://en.wikipedia.org/wiki/Asynchronous_Transfer_Mode#Cel...).

It was intended for hardware implementations, and perhaps they didn't do a good job of factoring in Moore's law, which then was only a decade old and had a lot more skeptics. And microprocessors were still quite new.

There was a strong export control regime back then, and to the extent DES was implemented in hardware it was more effective.

Getting back to adversaries, official and unofficial, to the extent they aren't nation states, or not very wealthy and technically sophisticated ones, the tradeoffs are significantly different today. We can be very sure they're not worried about al-Qaeda brute forcing a secretly weakened algorithm as long as it's not too weak (i.e. requires a lot more than a handful of machines with GPUs or FPGAs).

Same might be true for various nation states as long as they don't get patronage by the Russians or Chinese Communists, and we might have an idea of the capabilities of the latter two frenemies (I sure hope we do!).


On a different note, considering the popular myth that government by default is incompetent, this is a remarkable degree of competence, surpassing even the private sector.


A brute with a mallet can cause a lot of damage. And yet he is not master fencer.

NSA have a lot of brute force behind their backs. They have a rubber stamping court, are allowed to read existing laws as weak guidelines, almost unlimited budget and the lucky fact that the majority of the world's IT IP is located in the hands of American companies.

It will be hard to not produce results with all that.

Governments usually are competent in their own way. What they usually lack is subtlety and elegance.


They've just "bought away" the incompetence. Out of the 11,000 employees and $11 billion/year being invested in breaking crypto, there's bound to be some good progress there.


> this is a remarkable degree of competence, surpassing even the private sector.

Not necessarily a remarkable degree of competence, just a remarkable degree of unaccountable budgeting.


Military usually excels at its applications.


> I think it extraordinarily unlikely that the NSA has built a quantum computer capable of performing the magnitude of calculation necessary to do this, but it's possible.

.

I think that from the very first moment a quantum computer could be built (given an extraordinary amount of resources) NSA set this to their highest priority, and tried to do so, given what this system could provide them, so I am pretty sure that by now they have already some prototype working and growing.

Or do you think they're saving money? Or not trying to draw all possible funds to this cause considering how much appeal its computations could exercise for example for US foreign economy?


One point that is made more often is: "It's very probable that the NSA has newer techniques that remain undiscovered in academia."

How does one go around maintaining such an omerta?

Most cryptographic math is not so hard that it requires a team to remember. So anyone working in this field at NSA could (if true) become professor by working out that math in academia after his/her career at NSA. Or is there such strong commitment to secrecy that not one former NSA cryptographer would try to follow that route?


Compare it to ASDICs.

The Brits invented Sonar in 1916, and the Admiralty kept it secret for long enough that when World War 2 broke out, they had it fitted on 5 types of ships as part of an integrated anti-submarine suite; they were the only ones that had this operational capability.

If you were a scientist who worked on that project, and in 1920 you published "On Quartz-Based Range Detection In Water", you would have definitely gone to jail.

(Or, of course, the Enigma cracking -- but that's not really the best example; it wasn't a long-maintained operational advantage consisting of abilities the rest of the world didn't have, but rather an emergency skunk-works that got jump-started by the Poles; it did, however, have a pretty good record of secrecy after the fact!)


You make the lives of people revealing secrets pretty unpleasant, and do so publicly. This acts as a deterrent to others. (This phenomenon is well known and probably has a name.)

See Peter Wright, David Shayler[1], or Katharine Gun.

The other edge of that sword is to use the loyalty of your workers, and keep reminding them of the good work that they're doing.

Don't forget that GCHQ keeps secrets, even if those are known to the world at large - they kept Diffie-Hellman style key exchange secret for many years, and they kept RSA style public key encryption secret for many years, even though both became very well known and used. GCHQ had these for a few years before DH and RSA developed them.

> Or is there such strong commitment to secrecy that not one former NSA cryptographer would try to follow that route?

Imagine a bunch of people working together in a secret institution. One of them says something, which causes another of them to develop an algorithm. The group tries to attack this, and it feels good. As a group they've done some work. Then one of the group leaves and publishes this algo. Well, what's the benefit to that person? What do they get out of it? Because it seems they'd be generating a bunch of bad feeling.

> So anyone working in this field at NSA could (if true) become professor

GCHQ / NSA employ professor grade mathematicians already. Those mathematicians might not publish much publicly, and they might not have the formal title, but they do have the skills.

It is an interesting question: How do we make sure our staff keep secrets, for as long as we need secrets to be kept?

Especially when we take into account the apparent rise in dementia-type illnesses. I wonder if we're going to see an equal rise in secrecy-vetted nursing homes?


They probably have a rule against it, requiring you to ask permission at the least. But yeah, the commitment is strong. You really think that what you are doing is helping and important, right up until you don't.



