Within five years the math for cracking encryption algorithms could become so efficient that it may render today's commonly used RSA public key cryptography algorithm obsolete, Black Hat attendees were told.
While it might take longer, the end of RSA as an effective tool is inevitable, says Alex Stamos, CTO of the Artemis division of NCC Group. "It almost certainly will happen before we retire," he told the group attending his briefing in Las Vegas.
He likened the situation to a scene in the science fiction movie Deep Impact. "We're in the movie and the general has given Morgan Freeman the picture that says the asteroid has a 10% chance of hitting the Earth," Stamos says. That's not dire, but it warrants taking a look at what the alternatives are, he says.
The most likely choice right now is elliptical curve cryptography which is more complex mathematically to unravel than RSA, and businesses should take immediate steps to advance an orderly shift to the stronger scheme. He recommends:
- Use ECC certificates wherever possible.
- Prod vendors to support TLS 1.2 (which supports ECC) and ECC directly.
- Survey your exposure to RSA reliance so you know the scope of the potential problem.
- Turn on elliptical curve ephemeral Diffie-Hellman perfect forward secrecy. (Ephemeral Diffie-Hellman protects private keys used in RSA by not saving parameters that, if compromised, could lead to decrypting RSA traffic.)
The cause for alarm is that in the past six months mathematicians have made two big leaps toward developing algorithms that can break RSA quickly. If that were to happen today, it would leave TLS the encryption that backs most online commerce vulnerable and would render most end-to-end encryption insecure, says Tom Ritter, a security consultant at iSEC partners who helped present the briefing.
"This is a big deal," Ritter says given sudden leaps in encryption-cracking algorithms. "There's been marginal progress for 20 years and in the last six months there's been two jumps."
Because of that progress, more researchers will likely be attracted to working on these faster algorithms, which will result in finding them sooner, he says.
Even if they are found soon, RSA might still limp along for a while but would have to use 16,384-bit keys, up from the currently recommended 2048 bits.
Use of ECC would put BlackBerry in the center of the transition because it owns key patents on the crypto system. Stamos urges the company to issue a universal free license to anyone who wants to use it and to do so before use of ECC becomes a necessity and governments force them to do so.
Fear of BlackBerry suing to protect its patents may be slowing down adoption of ECC, he says, as the company has done in a case against Sony that was settled out of court.
The NSA apparently saw the approaching end of life of RSA when it issued what is known as Suite B standards for encryption in 2005. Suite B doesn't include RSA at all, but calls for ECC in the key exchange algorithm and the digital signature algorithm, Stamos says.