[tgsovlerkhgsel]

If RSA-2048 is practically broken or breakable:

The public web and code signing PKIs collapse overnight. Most certificate authorities use RSA-2048 either for the roots or intermediates. The HN site not only uses a RSA-2048 key in its own certificate, the CA issuing that certificate and the root CA issuing the intermediate also do.

All data transmitted without forward secrecy on most web sites is compromised. Most websites nowadays use forward secrecy and/or ECDSA, but data sent years ago may still be of value (e.g. passwords) and become decryptable now.

Any data (e.g. backups, past e-mails) encrypted using RSA keys is at risk.

Any authentication system relying on RSA keys has a problem. This can include systems like smartcards or HSMs that are hard to update, software or firmware updates, etc. Banking too.

Edit to add - if RSA-1024 is practically breakable but RSA-2048 is not: some systems that relied on RSA-1024 have a problem. These should be rare, but sometimes legacy doesn't get updated until it becomes an absolute emergency. Everyone realizes that RSA-2048 is only a matter of time, that time is running out quicker than expected, and starts upgrading to ECDSA with more urgency. This will likely take a long time due to legacy hardware.

[bigiain]

Surely I'm not the only one who read this and thought "I wonder how long the NSA have known this result, and how much better their internal attacks are than public academic results? I wonder how much of their 'full take' internet backbone archive has been decrypted and keyword mined?"

[secfirstmd]

There was a quote in a newspaper I unfortunately forget the location of about four years ago about a massive break through in encryption by the NSA post Snowden. Enough subtle hints about it. My working assumption had been it was RSA related. I noticed for example some interesting organisations changed their guidelines about its usage in past three years or so.

[tgsovlerkhgsel]

If it is what I think it is, then it's commonly believed that they broke commonly used Diffie-Hellman parameters, allowing them to break any connection encrypted using those.

The parameters can, in theory, be safely used by everyone, and generating them is relatively expensive. But because a few of these parameters were extremely widely used, and they were only 1024 bits strong, it is believed that a gargantuan effort to break them was worth it and the NSA did it.

[drzoltar]

Which organizations changed their guidelines?

[gowld]

This has been speculated since logjam was discovered.

[upofadown]

>All data transmitted without forward secrecy on most web sites is compromised.

Forward secrecy does not protect against broken cryptography, so this is more about what methods were used and how much an new technique like this affects them.

[lokedhs]

True, but it does protect against broken RSA. Because RSA is a not used to encrypt the actual data. That's probably using AES.

[upofadown]

If you break RSA then you get the AES session key. You don't have to break the AES.

[tialaramex]

Nope. Whilst that's how TLS_RSA_WITH_AES_128_CBC_SHA works, this not how Forward Secrecy enabled suites like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 work. Most sites (and certainly any sites that think they're "secure") thus are not affected in this way.

In TLS 1.3 all suites (such as TLS_AES_128_GCM_SHA256) have forward secrecy so it isn't even explicitly called out.

In these modern modes (and in other modern protocols like SSH) the two peers agree random ephemeral keys (these days with Elliptic Curve Diffie Hellman) and long term private keys are only used to sign things to prove who you're talking to over the resulting securely encrypted connection.

So if you break RSA you can forge those signatures but you can't decrypt messages sent to and from the legitimate owner of the keys, those were, as your parent explained, secured with AES and not RSA. You would need to perform a live active attack, a MitM to interpose between the real server and its clients so as to decrypt all messages in transit.

[jojobas]

The point of forward secrecy is that past key are not recoverable from future communications. You need to store the whole communication history to have any chance.

[upofadown]

Unless you break the encryption. Then you get the past keys.

Forward secrecy only protects against the exposure of private key material. It does not protect against broken cryptography as it depends on the cryptography to keep old messages private. That's because it works by forgetting the session keys. If you can derive those session keys again then it is of no value.

[jojobas]

Nope. A session key is normally not created by one party and sent to another, it's generated by something like Diffie-Hellman in which the long-living RSA keys are only used for authenticity verification. Diffie-Hellman requires discrete logarithms rather than factorization (and then there are more modern methods).

[gowld]

You always have to obtain the communication you want to decrypt; that's not the interesting part of the problem.

The interesting part is using a weakness in one part to help decrypt a different part.

[the8472]

Also any proprietary/ancient SSH implementation only supporting RSA that you'll find in all kinds of boxes.

[mekster]

Are alternatives already available that needs to be swapped to be durable again?