|August 30th, 2013|
With the recent increased interest in internet surveillance, people sometimes say things like "the NSA is snooping on everything, even encrypted traffic". Could they really do that? How hard would it be?
No one has good stats on total internet traffic but Wikipedia publishes their numbers and we can use that to estimate. They get 12.7B monthly global pageviews or 4.9K pageviews per second. Alexa estimates that Wikipedia has 5,629 pageviews per million, which is another way of saying they're 0.5629% of all traffic. These give total pageviews per second for the internet as a whole at around 1 million. 
(Note: all the numbers in this post are very rough. In talking about practicality of breaking cryptography we often care about orders of magnitude of orders of magnitude.)
I can't find any stats on what fraction of these are encrypted, but let's say 1 in 50 (2%). That's 20K encrypted pages per second. What kind of hardware would you need to keep up with that?
Imagine we were all still using DES to encrypt everything. While there are some theoretical attacks faster than brute force, in practice people just try all the combinations. The key length is 56 bits, so there are only 256 keys to try. This is low enough to be practical now: you can pay cloudcracker to do this in about a day. They're using specialized hardware and on average need 12 hours to crack a DES key.
At 12 hourse per key on one machine to crack the 20K/s of https traffic as it comes in you'd need about a 0.9 billion of them. Maybe they cost $1K each in those quantities, so this is about $1T for just the machines. Electricity to run and cool them would also be enormous, but $1T is already more than ten times the entire intelligence budget.
But the NSA would have custom hardware, right? Those machines are using powerful FPGAs, 48 per box with 40 cores each, but in those volumes you want to go with custom chips. Even if you can get them down to $1 for a 40 core chip you still need 40 billion of them, along with all the supporting hardware and infrastructure.
Remember, though, that all of this is about cracking DES while the weakest encryption people are using for SSL is 128 bit AES. With keys this long brute force is beyond impractical.  There might be flaws in AES, but they would need to bring it from a complexity of 2128 down to 256 before they were in the range of DES, and that would be an incredible cryptographic achievement. 
Unless the NSA has production-quality quantum computers or has solved AES to where it's trivial to break, both of which are very unlikely, they're not decrypting https traffic at scale.
 Methodology from here.
 The Landauer limit is the "minimum possible amount of energy required to change one bit of information," and is 2.89e-21 joules. Trying 2128 keys requires at least that many bit flips, so 9.8e17 joules. That's 278 terawatt hours, which is about 1000 large power plants operating for a year. And testing a key would require many bit flips, not just one.
 The best public attack (pdf) gets the complexity down to 2126.1.
- The Unintuitive Power Laws of Giving
- How Bad Is Dairy?
- Instrument Complexity and Automation
- Giving Up On Privacy
- Reading about guns