科技回声

A tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

Ask HN: What encryption algorithms should we take as compromised?

64 points by Comkid about 11 years ago
After constantly hearing all of the different revelations regarding NSA and their backdooring of various algorithms, I've totally lost track of which algorithms we should distrust and their replacements. For example, is SSH2-RSA known to be 'broken'?

14 comments

tptacek about 11 years ago

"SSH2-RSA" isn't an encryption algorithm. It's a description of the SSH protocol using RSA authentication.

It is easier to provide the list of things that are worth worrying about than it is to list the things that are safe. There are a *lot* of as-yet unbroken ciphers and constructions. So, here are the things to avoid:

* Block ciphers in the default mode ("ECB").

* The Dual_EC random number generator, which virtually nobody uses anyways. You weren't going to accidentally end up using it. Or, for that matter, any other PKRNG (random numbers produced by public key algorithms).

* RSA with 1024 bit moduli (or below); RSA-2048 is your starting point. Conventional DH at similar key sizes will be an issue too, but there's a "means/motive/opportunity" issue for RSA-1024 given its prevalence.

* MD4, MD5, and SHA1 aren't backdoored, but are broken or weak. But: all three are survivable in HMAC (don't use them, though). SHA2 is your best all-around hashing bet right now.

* The NIST P- curves. There's no evidence to suggest they're backdoored, but (a) the rationale behind their generation is questionable and (b) they have other annoying properties.

So far as I can tell, you are now fully briefed on the "distrusted" crypto.

Don't build your own crypto. Use PGP for data at rest, TLS for data in motion, and NaCl for the rare in-between cases.
pja about 11 years ago

No, ssh2-rsa is not known to be broken, although it's suspected that the NSA can factor some small (<=1024 bits) RSA keys if they really want to.

It's believed that any elliptic curve algorithm that doesn't have a transparent process for choosing the curve points may have been backdoored by the NSA choosing points that they already knew how to factor. If you use those curves, then you're revealing your secrets to the NSA but not to anyone else, because the discrete log problem is still (mostly) just as hard as it ever was.

Specifically, the elliptic curve random number generator in NIST SP 800-90A is believed to have been backdoored by the NSA. For obvious reasons no one has any hard proof, just very strong circumstantial evidence.

You can continue to use SSH2-RSA with decent size (2048 bit as a minimum) keys & AES. Those are not believed to be breakable at the current time, although as ever you can never have absolute certainty in these matters!
yk about 11 years ago

Both Snowden and Schneier said something to the effect of "trust the math." [1,2] Additionally, the leaked Tor presentation [3] seems to indicate that the NSA can not break the primitives used in Tor. So the algorithms that were considered secure before the Snowden leaks seem to be secure. (But this is purely a statement about algorithms; you still need to use a well studied and tested implementation of these.)

[1] Schneier: http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance

[2] Snowden: http://www.theregister.co.uk/2014/03/10/snowden_a_few_good_developers_could_save_america/

[3] http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document
silenteh about 11 years ago

In general you should prefer crypto constructions which are the result of global competitions. For example AES and SHA3.

You should avoid at all costs anything that has been standardized by NIST without going through years of reviews by international cryptographers. Dual_EC_DRBG is a clear example of a crypto construction which falls into this category.

This is my general rule of thumb.

However, knowing which ciphers one should use is not enough! You absolutely need to know HOW to use them. A basic and superficial example is AES in ECB mode, which is semantically secure as long as you use a key to encrypt one and only one single block. Another one is, for example, after how many encrypted blocks a key should be rotated, based on the underlying cipher used.

Once you have learnt how to use the basic building blocks of crypto you are then NOT supposed to write your own implementation and instead use existing ones... there is a small problem with this... they are broken or they do not implement all the necessary crypto constructions you need. OpenSSL is an example of a broken crypto implementation, and NaCl, on the other hand, does not have TLS implemented.

So this is a short summary and my personal opinion of why crypto is hard. On top of all this there are not enough experts out there who have the time to review crypto implementations or new and old constructions, and we are living in a historical period where we desperately need crypto to protect our privacy.

So my final suggestion is to take some of your spare time and go through Dan Boneh's Crypto 1 at Coursera: https://www.coursera.org/course/crypto

It is worth every single minute.

Once you have done that, I would also suggest you take the Matasano Crypto challenges: http://www.matasano.com/articles/crypto-challenges/

Finally I want to thank everybody who has taken the time to create and maintain both the Crypto 1 course and the Matasano challenges.
sillysaurus3 about 11 years ago

If you're wondering what *isn't* compromised, the information here has withstood the test of time and scrutiny from the crypto community: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html

Barring some major advance in breaking crypto (which is entirely possible) it will probably stand for a long time to come.
p4bl0 about 11 years ago

This question only makes sense if you give the threat model to consider.

Is it only classical cryptanalysis on the cryptographic algorithm? Or do you take into account the programming mistakes (not necessarily related to crypto) of specific implementations? Or do you allow side-channel or fault-injection attacks, which will be able to break most algorithms if they are not implemented with specific countermeasures?

Anyway, it is a very difficult question which doesn't have a single definite answer.
KhalilK about 11 years ago

For an n-bit RSA key: "The absolute minimum size for n is 2048 bits or so if you want to protect your data for 20 years. [...] If you can afford it in your application, let n be 4096 bits long, or as close to this size as you can get it."

http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml
dfa0 about 11 years ago

Ciphers to avoid: DSS, MD5/RC4, SHA-1.

Ciphers to prefer: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256

A pretty good source/guide:

https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

You'll need apache 2.4+ [I think], or nginx. And possibly fresh certs to use DHE/EC.

A quick rundown of a fairly secure setup:

Cipher priority list:

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:!RSA+3DES:!aNULL:!MD5:!DSS:!SHA:AEAD

==========================================================

Generate the cert and private key:

openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:4096 -keyout serverkey.pem -out servercert.pem

==========================================================

Generate the DH parameters:

openssl dhparam -out dh2048.pem -outform PEM -2 2048

==========================================================

How to list elliptic curves:

openssl ecparam -list_curves

==========================================================

Note: Generating DH parameters is gonna take a while. If you are implementing this on a slowish machine like a Raspberry Pi, you might want to use a faster machine to do the DH step, then copy the key file over.
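An added example, not from the thread: a simplified model of the OpenSSL cipher-list grammar run over a small constructed suite table, to show why the "Ciphers to prefer" string alone still admits SHA-1 MAC suites and why the `!SHA`, `!DSS` and `!aNULL` entries in dfa0's full priority list are what remove them. The suite table and its alias tags are my own constructed sample, and `@...` sort directives are not modelled.

```python
# Added example (not from the thread): a simplified model of the OpenSSL cipher-list
# grammar. Entries are ':'-separated; 'A+B' must match every tag; '!X' removes X for
# good; '-X' removes X but a later entry may re-add it; a leading '+X' moves X to the
# end; '@...' sort directives are ignored. The tag sets below are my own labelling.

SUITES = {  # constructed sample: suite name -> aliases it matches (kx, auth, cipher, mac)
    "ECDHE-RSA-AES128-GCM-SHA256":   {"ECDH", "RSA", "AESGCM", "AES128", "AES", "AEAD"},
    "ECDHE-ECDSA-AES256-GCM-SHA384": {"ECDH", "ECDSA", "AESGCM", "AES256", "AES", "AEAD"},
    "DHE-RSA-AES256-GCM-SHA384":     {"DH", "RSA", "AESGCM", "AES256", "AES", "AEAD"},
    "ECDHE-RSA-AES256-SHA":          {"ECDH", "RSA", "AES256", "AES", "SHA"},
    "DHE-DSS-AES128-SHA":            {"DH", "DSS", "AES128", "AES", "SHA"},
    "AES128-SHA":                    {"RSA", "AES128", "AES", "SHA"},  # RSA key exchange
    "ECDHE-RSA-DES-CBC3-SHA":        {"ECDH", "RSA", "3DES", "SHA"},
    "RC4-MD5":                       {"RSA", "RC4", "MD5"},
    "AECDH-AES128-SHA":              {"ECDH", "aNULL", "AES128", "AES", "SHA"},
}

# The families dfa0's list bans with '!', plus RC4 from his "avoid" line.
WEAK = {"RC4", "MD5", "3DES", "DSS", "SHA", "aNULL"}

DFA0_SPEC = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
             "!ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:!RSA+3DES:!aNULL:!MD5:!DSS:!SHA:AEAD")
DFA0_PREFER_ONLY = "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256"

def apply_cipher_list(spec, suites=SUITES):
    """Return the ordered suites the spec selects under the simplified model."""
    selected, banned = [], set()
    for entry in spec.split(":"):
        if not entry or entry.startswith("@"):
            continue
        op, body = (entry[0], entry[1:]) if entry[0] in "!-+" else ("", entry)
        required = set(body.split("+"))
        matched = [n for n, tags in suites.items() if required <= tags]
        if op == "!":                       # permanent removal
            banned.update(matched)
            selected = [n for n in selected if n not in banned]
        elif op == "-":                     # removal that a later entry may undo
            selected = [n for n in selected if n not in matched]
        elif op == "+":                     # demote to the end, keeping relative order
            selected = [n for n in selected if n not in matched] + [n for n in selected if n in matched]
        else:                               # append new matches in table order
            selected += [n for n in matched if n not in selected and n not in banned]
    return selected

def weak_suites(selected, suites=SUITES):
    """Suites in the selection that still carry a banned family."""
    return [n for n in selected if suites[n] & WEAK]

if __name__ == "__main__":
    print(weak_suites(apply_cipher_list(DFA0_PREFER_ONLY)))  # a SHA-1 MAC suite slips in
    print(weak_suites(apply_cipher_list(DFA0_SPEC)))         # the '!' entries remove it
```

Against a real server, `openssl ciphers -v '<list>'` expands the string over OpenSSL's own suite table and is the check to run instead of this model.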
agnokapathetic about 11 years ago

For ECC, djb and Tanja Lange have put together a great list of how possible it was to tamper with each of the ECC primitives listed: http://safecurves.cr.yp.to/rigid.html
cliveowen about 11 years ago

It's not just about compromised encryption algorithms, it's also about picking the right algorithm for a given purpose.

For instance, a hashing algorithm can be used to securely store passwords, and must therefore be slow, or to find duplicate files, a task which greatly benefits from speed. If you use a fast hashing algorithm to "securely" store passwords you might as well use a compromised algorithm since the security is nonexistent in both cases.

I think the same applies to crypto algorithms: it doesn't matter if the building blocks are individually secure if you don't know how to put them together in a secure fashion.
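An added example, not from the thread, of the slow-versus-fast distinction cliveowen draws: a password store built on PBKDF2-HMAC-SHA256 from Python's standard library, with a per-password salt, a constant-time comparison and a work-factor upgrade check, next to the bare SHA-256 that would suit file deduplication. The storage format and the 600,000-iteration default are my own assumptions.

```python
import hashlib
import hmac
import os
import time

# Added example. Storage format (my own): pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumption: tuned so one verify costs a noticeable fraction of a second

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    salt = os.urandom(16)      # per-password salt: equal passwords get different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison

def needs_rehash(stored: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored hash was made with a lower work factor than current policy."""
    return int(stored.split("$")[1]) < min_iterations

def fast_hash(password: str) -> str:
    """The wrong tool for passwords: unsalted single-round SHA-256, fine for deduplicating files."""
    return hashlib.sha256(password.encode()).hexdigest()

def guesses_per_second(check, seconds: float = 0.5) -> float:
    """Rough attacker cost: how many candidate passwords one core can try per second."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        check("candidate" + str(n))
        n += 1
    return n / seconds

if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    print("sha256 guesses/s:", guesses_per_second(fast_hash))
    print("pbkdf2 guesses/s:", guesses_per_second(lambda p: verify_password(p, stored)))
```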
vbuterin about 11 years ago

SHA256, SHA3, AES, ECDSA and ECDH/ECIES are all good, plus one-time pads and Shamir's secret sharing. There's no real need to use anything else.
drakaal about 11 years ago

All.

All encryption is breakable. You aren't choosing an unpickable lock, you are picking how good of a thief it will take to rob you.

A 4096 bit encryption might make it really expensive to attack you, but those old numbers about "it would take a computer 40,000 years to crack" don't matter much in a world where that just means you spin up 160k instances in the cloud for 3 months.

That's a dollar amount that makes cracking YOUR bank account not worth doing. But if it were the nuclear launch codes for Russia's arsenal it would not be undoable.
joetech about 11 years ago

I'm of the opinion that trusting any of them at this point could disappoint.
aburan28 about 11 years ago

Can we really trust any of the algorithms from the NSA Suite B?