After the new revelations every site that's using SSL should be using Perfect Forward Secrecy with it, too. Right now, only a few known companies like Google (only for the search engine probably), DuckDuckGo, and Ixquick/Startpage are using it.<p>Considering NSA is collecting as many keys as possible, let's at least make their job exponentially harder by encrypting every session and every message with a new key with PFS. It's the <i>least</i> these companies can do, if they're serious about their users' privacy.<p>Also, as Bruce is saying - use 3072 bit or even 4096 bit RSA keys (or better alternatives) and AES-256 as soon as possible (hopefully within a year).
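The comment's point about key collection is easiest to see side by side: with RSA key transport, whoever later obtains the server's long-term private key can decrypt every recorded session; with an ephemeral (ECDHE) exchange, the recorded handshake contains only public values and the per-session private keys are discarded. The Go program below is an added illustration written for this thread, not code from the post or from any of the companies named. It assumes a deliberately simplified key derivation (a single SHA-256 over the secret and transcript, not a real protocol's KDF) and omits the server's signature over its ephemeral key, since authentication does not change what an eavesdropper can recover.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Transcript is everything a passive recorder sees cross the wire during one
// handshake: the exchanged messages, but never any private key material.
type Transcript struct {
	ClientMsg []byte // RSA: encrypted premaster secret; ECDHE: client ephemeral public key
	ServerMsg []byte // RSA: unused; ECDHE: server ephemeral public key
}

// deriveKey is a constructed, simplified KDF for this example only:
// session key = SHA-256("example-session-key" || secret || transcript).
func deriveKey(secret []byte, t Transcript) []byte {
	h := sha256.New()
	h.Write([]byte("example-session-key"))
	h.Write(secret)
	h.Write(t.ClientMsg)
	h.Write(t.ServerMsg)
	return h.Sum(nil)
}

// NewServerRSAKey creates the server's long-term RSA key, the kind of key an
// adversary would want to collect.
func NewServerRSAKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// RSAKeyTransport models the non-forward-secret handshake: the client picks a
// random premaster secret and encrypts it to the server's long-term public key.
// It returns the agreed session key and the transcript a recorder would keep.
func RSAKeyTransport(serverPub *rsa.PublicKey) ([]byte, Transcript, error) {
	premaster := make([]byte, 32)
	if _, err := rand.Read(premaster); err != nil {
		return nil, Transcript{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, premaster, nil)
	if err != nil {
		return nil, Transcript{}, err
	}
	t := Transcript{ClientMsg: ct}
	return deriveKey(premaster, t), t, nil
}

// RSADecryptLater is the archive-now, decrypt-later scenario: the long-term
// private key plus a recorded transcript yields the past session key.
func RSADecryptLater(serverPriv *rsa.PrivateKey, t Transcript) ([]byte, error) {
	premaster, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, t.ClientMsg, nil)
	if err != nil {
		return nil, err
	}
	return deriveKey(premaster, t), nil
}

// ECDHEExchange models the forward-secret handshake: each side generates a
// fresh X25519 key pair used for this session only. The ephemeral private
// keys go out of scope when the function returns, so nothing long-lived can
// reproduce the shared secret from the transcript alone.
func ECDHEExchange() (clientKey, serverKey []byte, t Transcript, err error) {
	curve := ecdh.X25519()
	cPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, Transcript{}, err
	}
	sPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, Transcript{}, err
	}
	t = Transcript{ClientMsg: cPriv.PublicKey().Bytes(), ServerMsg: sPriv.PublicKey().Bytes()}
	cSecret, err := cPriv.ECDH(sPriv.PublicKey())
	if err != nil {
		return nil, nil, Transcript{}, err
	}
	sSecret, err := sPriv.ECDH(cPriv.PublicKey())
	if err != nil {
		return nil, nil, Transcript{}, err
	}
	return deriveKey(cSecret, t), deriveKey(sSecret, t), t, nil
}

func main() {
	serverKey, err := NewServerRSAKey()
	if err != nil {
		panic(err)
	}
	k, tr, _ := RSAKeyTransport(&serverKey.PublicKey)
	recovered, _ := RSADecryptLater(serverKey, tr)
	fmt.Println("RSA key transport: session key recovered from long-term key later =", bytes.Equal(k, recovered))

	ck, sk, tr2, _ := ECDHEExchange()
	fmt.Println("ECDHE: both sides agree =", bytes.Equal(ck, sk))
	fmt.Printf("ECDHE transcript holds only %d bytes of public keys; no stored key unlocks it\n",
		len(tr2.ClientMsg)+len(tr2.ServerMsg))
}
```

Run it with `go run`: the RSA branch prints `true` because the recorded ciphertext is decryptable whenever the long-term key leaks, while the ECDHE branch has no analogous "decrypt later" function to write at all; that asymmetry is the whole argument for PFS.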
The idea that we can break public key encryption and go back to shared secrets doesn't solve the problem for which public key encryption is the answer, namely sharing the secrets. Schneier's piece would be a little more helpful if this were considered. Going back to simple shared secrets means that one cannot securely engage in something like ecommerce, and so breaking public key encryption would totally break the way we use encryption today.
<i>Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily.</i><p>There are valid and sane reasons to dismiss RSA. Keys are becoming larger and larger for example.<p>What Bruce doesn't say is that the NSA made modifications to DES S-Boxes so that it can RESIST differential cryptanalysis better.<p>But overall I agree, I think the <i>"Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic."</i> is just vulgarization for the people voting budget.<p>It doesn't matter if you break the crypto or the implementation as long as you provide intelligence.
On a different note, considering the popular myth that government by default is incompetent, this is a remarkable degree of competence, surpassing even the private sector.
> I think it extraordinarily unlikely that the NSA has built a quantum computer capable of performing the magnitude of calculation necessary to do this, but it's possible.<p>I think, that from the very first moment a quantum computer could be built (given an extraordinary amount of resources) NSA set this to their highest priority, and tried to do so, given what this system could provide them, so I am pretty sure that by now they have already some prototype working and growing.<p>Or do you think they're saving money? Or not trying to draw all possible funds to this cause considering how much appeal its computations could exercise for example for US foreign economy?
One point that is made more often is: "It's very probable that the NSA has newer techniques that remain undiscovered in academia."<p>How does one go about maintaining such an omerta?<p>Most cryptographic math is not that hard that it requires a team to remember. So anyone working in this field at NSA could (if true) become professor by working out that math in academia after his/her career at NSA. Or is there such strong commitment to secrecy that not one former NSA cryptographer would try to follow that route?