For years, privacy advocates have pushed developers of websites, virtual private network apps, and other cryptographic software to adopt the Diffie-Hellman cryptographic key exchange as a defence against surveillance from the US National Security Agency and other state-sponsored spies. Now, researchers are renewing their warning that a serious flaw in the way the key exchange is implemented is allowing the NSA to break and eavesdrop on trillions of encrypted connections.
The cost for adversaries is by no means modest. For commonly used 1024-bit keys, it would take about a year and cost a “few hundred million dollars” to crack just one of the extremely large prime numbers that form the starting point of a Diffie-Hellman negotiation. But it turns out that only a few primes are commonly used, putting the price well within the NSA’s $11 billion (£7 billion) per year budget dedicated to “groundbreaking cryptanalytic capabilities.”
View full story
ORIGINAL SOURCE: Dan Goodin, Ars Technica