Ever since the Snowden leaks, there’s been considerable speculation about what cryptography the NSA could break, and why. Finally, there’s a study that goes into deep detail about what the NSA probably can break, why, and how to protect against it.
The takeaway is all the way at the bottom, but the real key is to remember two numbers: 1024 and 2048. It’s no longer safe to use 1024-bit RSA keys, or 1024-bit primes anywhere else. Bump all of your asymmetric key lengths up to 2048, and you’re resistant to nation-state attacks.
It’s also important to stop using obsolete cryptography. SHA1 and RC4 are no longer safe to use. Use SHA256 and AES. Counterintuitively, AES128 is probably safer for the moment in SSL than AES256, but that’s going to be only a temporary thing. SSL as a whole is no longer safe to use; use TLS, and ideally TLS 1.2. When encrypting hard drives or individual files, use 256-bit AES.
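A quick way to check a server against the two numbers and the cipher rules above, as an added example that is not part of the original post: it parses the tail of an `openssl s_client` session and reports anything below the bar. The two sample sessions are constructed, not real captures, and the check also accepts TLS 1.3, which postdates this post.

```python
import re

# Constructed sample: the tail of an `openssl s_client` session against a
# weakly configured server (not a real capture).
WEAK_SESSION = """\
Server public key is 1024 bit
Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
"""

# Constructed sample: the same server after applying the fixes recommended above.
HARDENED_SESSION = """\
Server public key is 2048 bit
Server Temp Key: DH, 2048 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
"""

MIN_ASYMMETRIC_BITS = 2048
# TLS 1.3 is newer than the post but is at least as strong as TLS 1.2.
SAFE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def audit_session(text):
    """Return a list of findings for one s_client session; an empty list means it passes."""
    findings = []
    m = re.search(r"Server public key is (\d+) bit", text)
    if m and int(m.group(1)) < MIN_ASYMMETRIC_BITS:
        findings.append(f"certificate key is {m.group(1)} bits; use at least {MIN_ASYMMETRIC_BITS}")
    # Only finite-field DH groups are compared against 2048; ECDH curves are sized differently.
    m = re.search(r"Server Temp Key: DH, (\d+) bits", text)
    if m and int(m.group(1)) < MIN_ASYMMETRIC_BITS:
        findings.append(f"DH group is {m.group(1)} bits; use at least {MIN_ASYMMETRIC_BITS}")
    m = re.search(r"Protocol\s*:\s*(\S+)", text)
    if m and m.group(1) not in SAFE_PROTOCOLS:
        findings.append(f"protocol {m.group(1)} negotiated; require TLS 1.2 or later")
    m = re.search(r"Cipher\s*:\s*(\S+)", text)
    if m:
        cipher = m.group(1)
        if "RC4" in cipher:
            findings.append(f"cipher {cipher} uses RC4; use AES")
        # OpenSSL suite names ending in a bare "-SHA" use HMAC-SHA1 for record integrity.
        if cipher.endswith("-SHA"):
            findings.append(f"cipher {cipher} uses SHA1; prefer a SHA256 (or AEAD) suite")
    return findings
```

Feed it the saved output of a real `openssl s_client -connect host:443` run; anything it prints is a setting the post says to change.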
It’s important to keep in mind that the NSA isn’t the only one with this capability. If the NSA can break 1024-bit primes, it’s likely the equivalent Russian and Chinese agencies can as well. Or they’ll be able to very soon.