I wouldn't count on it. The government has much more capability than you can imagine. When I got out of the Navy in 1982 they had more capability then than what you hear on the news today. Knowing what I knew in 1982 I can't even begin to put together the pieces in my mind of what they must have developed with the miniaturization of technology that has come since - and I don't mean radios in olives - I saw those in 1982. I mean billions of processor cores that can execute in hours what the Internet says will take eons to calculate. Think your most powerful video processor packed in densities that 100 such chips are in the space of your video card. Think of 100 of these cards in the space of your smallest desktop. Think of cryogenic cooling that allows those to be packed in millions together yielding billions of chips with thousands of cores per chip. That's just for brute force attacks. But if you apply that same processor power in analyzing algorithms to crack weak points you'd get even faster results.
Actually, the most important part is that the NSA manufactures their own chips for specific optimized purposes. Most CPUs are designed for a range of activities. A custom designed chip for say, one particular action, will be inherently much faster. Also, using good ol' fashioned math, the NSA could have found shortcuts in elliptic-curve crypto. It's actually exceedingly likely. They knew about differential cryptanalysis long before the academic world did. Linear cryptanalysis, that is finding affine approximations to the action of a cipher, is another.
Each attack may essentially only shave off a couple bits worth of protection. But, those bits are exponential.
So, say a key is 2^56 bits. 72,057,594,037,927,936 different keys. 72 quadrillion keys to brute force.
If an attack shaves off say, 12 bits, you get 70,368,744,177,664. That's only 70 trillion keys. That's 1024 times as easy to crack.
If an attack shaves off say, 16 bits, you get 1,099,511,627,776. That's only 1 trillion keys. Or 65,536 times easier to crack than raw brute forcing. Or rather, you can crack
EFF's DES cracker (Deep Crack) breaks a DES key in 56 hours in 1998. 1999, Deep Crack and distributed.net break a DES key in 22 hours and 15 minutes. 2008, FPGA based COPACOBANA breaks DES in 9 days at $10,000 hardware cost. 2009, it's down to 6.4 days. FPGA is the cheap, semi-inefficient way of making your own custom chips for specialized calculations. As I recall, those were near raw brute force with little to minor cryptanalytic attacks built in to reduce key length. So divide 6.4 days by how good you think NSA math geeks are. Let's be conservative and say they can chop off 12 bits. 552960 / 1024 = 553 seconds per DES message assuming a $10,000 hardware limit, with inefficient hardware.
You might say, "But the NSA has near unlimited black budget!"
It's not unlimited, just very high. I'd know, I ran the mainframe at DISA that clunked their annual financial and budget stuff, an IBM mainframe running z/OS with mostly COBOL programs.
And all other things being equal, the more bits your key is, the harder it is to defeat. Chopping 12, 16, maybe 26 bits off DES is amazing cryptanalysis. Chopping 26 bits off 4096 bit RSA, even a thousand bits? Er. Good luck. Now, it's not all exactly parallel. Crypto geeks don't beat me up too much, I'm trying to keep it very very simplified and giving up some accuracy in the process. But to give an example, AES-256 is quite a bit more secure than the same number of bit crypto using RSA public key encryption. Heck, it's a lot more secure than 4096 bit RSA encryption.
Simple version: Even the best cryptanalysis, custom hardware and near unlimited black budget, good crypto that is properly implemented and appropriately strong will still protect you from the NSA. That segues neatly into the next subject. That truth is why the NSA sabotages commercial crypto products and does some black bag jobs to end-run crunching numbers by stealing the keys directly. Use open source crypto, and algorithms that need to be widely supported by multiple vendors. BitLocker would be trivial for the NSA to sabotage. TLS would not.
And remember that the NSA led the industry competition to replace DES (which in 1992 was supposed to take billions of years to crack but was completely cracked a few years later) with something better as a civilian encryption algorithm. Of all the best minds in industry who created candidates for AES, it was the NSA that evaluated and chose Rijndael. Not that I have any knowledge that Rijndael is weak but why did this very same NSA choose an algorithm that they couldn't crack and then spend years trying to crack it? Or did they choose one that they either had already cracked or that they saw the best chance to crack?
This is very inaccurate, which I mostly already addressed. NIST ran the competition. DES was never considered more than trivially secure. AES wasn't an industry competition and most algorithms were not corporate or government. NIST chose AES in a very open and transparent manner, so sayeth Bruce Schneier. AES is a modified version of the Rijndael cipher and very secure, so sayeth Bruce Schneier.
Implementations on the other hand... Yea, NOT so secure as the latest NSA papers have told us. The best crypto algorithms in the world don't protect you if the manufacturer cripples their own product.
Assume the NSA can crack your encryption. They won't admit it so you won't see that used to trap a child pornographer but you will see, as we saw in other threads, them leaking other tips based on their findings to local LEO but hiding the initial indicator - their cracking codes.
Wrong assumptions, per se. See:
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
As Mr Schneier says, the goal is not to defeat the NSA. That is impossible, as the US govt won't allow it. Your job is just to make them pay for every inch they take from both US citizens and the rest of the world. Think Stalingrad. Street by street. Building by building. The harder each individual person makes it for the NSA, the less damage they can inflict on America.
http://www.theguardian.com/commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying
Again, now comes the long hard war to fix what the NSA broke. Building an NSA-resistant internet. If successful, we honestly should thank the NSA for their crimes against the US population, because the new internet would prevent worse abuses of power. If unsuccessful, then yea, the US citizenry is pretty much screwed. No pressure on the IETF or whatnot.
The NSA is doing to the American citizenry what one would do to an enemy. So, I assume the NSA thinks the citizenry is its enemy.
Last time I visited, they didn't treat me like an enemy. Just blockaded the exits with unmarked white Suburbans with full disco lights going, pulled the slowest high speed pursuit in NSA police history and eventually let me on my way while trailing me for a while.
Completely different.