https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/

The blog post is speculating on how the NSA could use a massive computer to calculate the equivalent of rainbow tables for breaking the ephemeral DH keys used in about two-thirds of VPNs.

There are a number of reasons we got to this point. One of them is that the TLS ephemeral key negotiation is broken. I would ask people here to pressure the IETF to fix it.

The reason we have a problem is that, as things stand in TLS, the long-term RSA-2048 credentials are only used to calculate a master secret, which is then used to authenticate the parameters for the ephemeral DH key negotiation. Only the result of the ephemeral key negotiation is used to derive the session keys. So if the ephemeral key negotiation is weak, the traffic can be read.

A much stronger approach would be to use both the master secret and the ephemeral secret to derive the session keys. Feeding both into a hash function ensures that an attacker has to break both the long-term RSA-2048 credentials and the short-term DH-1024 key to decrypt the traffic.

A good time to fix this will be when the CFRG announces its new cryptographic algorithms for ECC.
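The two derivation designs contrasted above, as an added example that is not part of the original message: design A feeds only the ephemeral DH result into the traffic-key derivation, as the message describes today's handshake; design B hashes the long-term-authenticated master secret together with the ephemeral secret, as the message proposes. HKDF with SHA-256 (RFC 5869) is used as the hash-based KDF, and the secrets and transcript hash are constructed random stand-ins; none of this is taken from any TLS implementation. The demo models an attacker who has recovered the DH shared secret but not the RSA-protected secret and checks which design still yields the real traffic keys.

```python
import hashlib
import hmac
import os
from typing import Dict

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HashLen zero bytes, as the RFC specifies."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i),
    blocks concatenated and truncated to the requested length."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def expand_keys(prk: bytes, key_len: int) -> Dict[str, bytes]:
    """Split one PRK into the two directional traffic keys."""
    return {
        "client_write_key": hkdf_expand(prk, b"client write key", key_len),
        "server_write_key": hkdf_expand(prk, b"server write key", key_len),
    }


def session_keys_current(ephemeral_secret: bytes, transcript_hash: bytes,
                         key_len: int = 32) -> Dict[str, bytes]:
    """Design A, the handshake as the message describes it today: only the
    ephemeral DH result reaches the traffic keys. The long-term RSA key has
    authenticated the DH parameters but contributes no key material."""
    return expand_keys(hkdf_extract(transcript_hash, ephemeral_secret), key_len)


def session_keys_combined(long_term_secret: bytes, ephemeral_secret: bytes,
                          transcript_hash: bytes, key_len: int = 32) -> Dict[str, bytes]:
    """Design B, the proposal: hash both secrets into the PRK. Each input is
    length-prefixed so no two (a, b) pairs share an IKM encoding, and the
    transcript hash as salt binds the keys to this particular handshake."""
    ikm = (len(long_term_secret).to_bytes(2, "big") + long_term_secret
           + len(ephemeral_secret).to_bytes(2, "big") + ephemeral_secret)
    return expand_keys(hkdf_extract(transcript_hash, ikm), key_len)


def demo() -> Dict[str, bool]:
    """Attacker model: the DH shared secret has been recovered (the break the
    linked post discusses) but the RSA-protected secret has not. Returns, per
    design, whether the attacker's recomputed client key equals the real one."""
    long_term = os.urandom(48)   # constructed stand-in for the RSA-protected master secret
    ephemeral = os.urandom(128)  # constructed stand-in for a 1024-bit DH shared secret
    transcript = HASH(b"constructed handshake transcript").digest()  # public to the attacker

    real_a = session_keys_current(ephemeral, transcript)
    real_b = session_keys_combined(long_term, ephemeral, transcript)

    # The attacker holds the transcript and the ephemeral secret. Under design B
    # the 48-byte long-term secret must be guessed; a uniformly random value
    # cannot be guessed, so any fixed guess (here all zeros) models that.
    attacker_a = session_keys_current(ephemeral, transcript)
    attacker_b = session_keys_combined(b"\x00" * 48, ephemeral, transcript)

    return {
        "current_tls_broken_by_dh_alone": hmac.compare_digest(
            attacker_a["client_write_key"], real_a["client_write_key"]),
        "combined_broken_by_dh_alone": hmac.compare_digest(
            attacker_b["client_write_key"], real_b["client_write_key"]),
    }


if __name__ == "__main__":
    for design, broken in demo().items():
        print(f"{design}: {broken}")
```

The combiner is only as strong as its weakest remaining input once the other is known, so design B does not make a weak DH group acceptable; it means an adversary has to break the RSA-2048 credential as well, rather than a 1024-bit DH exchange alone. The `hkdf_extract`/`hkdf_expand` pair can be checked against the RFC 5869 test vectors.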