There have been a few excellent articles on the NSA "breaking encryption", as reported in The Guardian and New York Times. In the talk 2 weeks ago Vint Cerf commented that we should use stronger keys - but as per the articles, key length may not be the issue at all. To summarise there are a few ways encryption can be broken:
- Brute force the keys
- Bugs in the software/hardware implementation
- Bugs in the algorithm
- Interception before encryption (in the case of network encryption specifically)
- Steal the key
For point 1, I think the maths of brute forcing the keys still hold out, we may be close - but I don't think we are there yet. But still, the advice of stronger keys always helps.
For point 2, there have been bugs in encryption libraries before and there are potentially still bugs in these libraries. Both Bruce Shneier and Matthew Green comment on the possibility that there are bugs in the Microsoft crypto library (which is closed source) and even Open SSL. Another possible attack vector, as noted by Ed Felten, is buggy components that make up crypto components, such as bad random number generators - which can then lead to weak keys etc. Faulty hardware (including deliberate backdoors) is also a possibility explored by Ed Felten.
For point 3, in most cases the maths in encryption algorithms seem to be right, and strong. But there have been cases were crypto algorithms have been broken (sometimes after years in operation) and cases where weak algorithms have been submitted for consideration in standards. I think most of the modern algorithms, such as AES are strong - but perhaps there are flaws that just haven't been published.
Point 4 raises an interesting attack vector, which I have seen being carried out by pentesters - basically a proxy service where a network call is intercepted at the initiation of a network session, and then network encryption is easily eavesdropped by the middle party. If the NSA is intercepting huge amount of traffic, it is possible to create such an attack - but automating this in a large scale is surely difficult?
The last point, of stealing keys - or rather forcing companies to hand over their keys under Prism is probably the easiest way for the NSA. There is some commentary on the possibility that the NSA had access to compromised keys at certificate authorities - which would assist this type.
Overall, I don't think there has been fundamental break in cryptography - but there has certainly been weak implementations followed by exploitation by the NSA.