Facebook still uses 1,024-bit RSA keys for its encrypted connections, while the industry standard among Internet companies — including Apple, Microsoft, Twitter, Dropbox, and MySpace — is 2,048 bits, and that may have made it easier for the National Security Agency to read encrypted traffic to its servers, CNET reported.
CNET said Facebook would not comment, but a source familiar with the social network’s plans told CNET an upgrade to 2,048-bit keys will happen soon.
Tel Aviv University Assistant Prof. of Computer Science Eran Tromer told CNET that dedicated hardware should be able to break a 1,024-bit RSA key in about one year, adding:
(It is now) feasible to build dedicated hardware devices that can break 1,024-bit RSA keys at a cost of under $1 million per device.
Realistically, right now, breaking 1,024-bit RSA should be considered well within reach by leading nations, and marginally safe against other players. This is unsatisfactory as the default security level of the Internet.
According to CNET, the estimated annual budget for the NSA is around $10 billion, so such devices would have been well within its reach.
Capital One and Amazon’s U.K. and Japan sites still use 1,024-bit RSA keys, CNET reported, while Apache.org, Hugedomains.com, Openoffice.org, Phpbb.com, and Shareasale.com have deployed 4,096-bit keys.
Google also uses 1,024-bit keys, but Google Software Engineer Adam Langley told CNET the company implemented forward secrecy in 2011. With forward secrecy, each Web session negotiates its own ephemeral key, and the long-term 1,024-bit key is used only to authenticate the server rather than to protect the session key itself, so someone who later breaks or steals that key cannot decrypt sessions they recorded earlier.
Langley added that Google will switch over to 2,048-bit keys by year-end, and he told CNET:
We would have preferred to move sooner, but operating at the scale we do, client compatibility is always an issue. Everything on the planet seems to connect to us.
We would have totally eaten the cost and the speed years ago — if we could have done it without worries.
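To make the forward-secrecy point concrete, here is an added toy example (not code from the article, CNET, Google or Facebook) contrasting two handshakes authenticated by the same long-term RSA key: plain RSA key transport, where the client encrypts the session secret under the server's public key, and ephemeral Diffie-Hellman, where the RSA key only signs a one-time public value. The RSA primes, the DH group, the `toy_sign`/`toy_verify` helpers and the transcript format are all constructed for this demo and are far too small to be secure; only the structure of who can recover what is meant to carry over.

```python
"""Toy comparison of RSA key transport vs. ephemeral DH (forward secrecy).

All parameters are deliberately tiny and insecure; constructed for illustration.
"""
import hashlib
import secrets

# --- Long-term server RSA key (hypothetical; small primes chosen for the demo) ---
P_RSA, Q_RSA = 1000003, 1000033
E = 65537


def rsa_keygen():
    """Return ((n, e), (n, d)) for the toy modulus n = P_RSA * Q_RSA."""
    n = P_RSA * Q_RSA
    d = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))
    return (n, E), (n, d)


def derive_session_key(shared_int):
    """Hash the agreed integer into a hex session key (stand-in for a TLS KDF)."""
    return hashlib.sha256(str(shared_int).encode()).hexdigest()


# --- Handshake 1: RSA key transport (no forward secrecy) ---
def rsa_key_transport(pub):
    """Client picks a premaster secret and encrypts it to the server's RSA key."""
    n, e = pub
    premaster = secrets.randbelow(n - 2) + 2        # random value in [2, n-1]
    ciphertext = pow(premaster, e, n)               # this is what goes on the wire
    transcript = {"kx": "rsa", "ciphertext": ciphertext}
    return derive_session_key(premaster), transcript


# --- Handshake 2: ephemeral DH, signed by the same RSA key (forward secrecy) ---
DH_P = 2**127 - 1   # toy prime; a real deployment uses a vetted 2048-bit+ group
DH_G = 5


def _hash_to_int(msg_int, n):
    return int.from_bytes(hashlib.sha256(str(msg_int).encode()).digest(), "big") % n


def toy_sign(priv, msg_int):
    """Textbook RSA signature over a hash; constructed for the demo only."""
    n, d = priv
    return pow(_hash_to_int(msg_int, n), d, n)


def toy_verify(pub, msg_int, sig):
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(msg_int, n)


def dhe_handshake(pub, priv):
    """Server signs a fresh g^x; client answers with g^y; both derive g^(xy)."""
    x = secrets.randbelow(DH_P - 2) + 1             # server's one-time exponent
    y = secrets.randbelow(DH_P - 2) + 1             # client's one-time exponent
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    sig = toy_sign(priv, gx)                        # RSA key only authenticates
    if not toy_verify(pub, gx, sig):
        raise ValueError("server signature failed to verify")
    server_shared, client_shared = pow(gy, x, DH_P), pow(gx, y, DH_P)
    if server_shared != client_shared:
        raise ValueError("DH shared secrets disagree")
    transcript = {"kx": "dhe", "gx": gx, "gy": gy, "sig": sig}
    return derive_session_key(client_shared), transcript


# --- Adversary who recorded the transcript and later obtains the RSA private key ---
def recover_with_leaked_key(transcript, priv):
    """Return the session key if the leaked long-term key exposes it, else None."""
    n, d = priv
    if transcript["kx"] == "rsa":
        # Key transport: decrypting the recorded ciphertext yields the premaster.
        return derive_session_key(pow(transcript["ciphertext"], d, n))
    # DHE: the transcript holds only g^x, g^y and a signature; d decrypts nothing.
    # (The leaked key lets the attacker impersonate the server from now on, but
    # it does not reveal x or y for sessions already recorded.)
    return None


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    k_rsa, t_rsa = rsa_key_transport(pub)
    k_dhe, t_dhe = dhe_handshake(pub, priv)
    print("RSA key transport, key later leaked:",
          "session recovered" if recover_with_leaked_key(t_rsa, priv) == k_rsa else "safe")
    print("Ephemeral DH, key later leaked:     ",
          "session recovered" if recover_with_leaked_key(t_dhe, priv) else "safe")
```

Run it and the first line reports the recorded RSA-transport session as recovered while the DHE session stays safe; that difference is why Langley could treat Google's 1,024-bit certificate key as a lesser risk than Facebook's, where a broken or stolen key would expose every recorded session.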
Readers: Do you think Facebook should upgrade to 2,048-bit encryption keys in light of the uproar over the NSA’s Prism initiative?
Image courtesy of Shutterstock.