Rekeying C2S and S2C is not necessary

Hal Murray hmurray at megapathdsl.net
Sat Feb 2 21:46:02 UTC 2019


Gary said:
> Really?  So unlimmited numbers of packets with identical C2S, S2S and master
> key, differing only int ehnonce is not a problem?

> Pretty much every crypto algorithm I know of has a recommended maximum number
> of uses.  Allowing these two to be used unlimited times is violating absic
> crypto principles goint back to well before how Enigma, and other ciphers,
> were broken. 

Correct.

But they picked an algorithm with a large recommended max.  If you do the 
math, it's conservatively longer than a client will stay up.

>From mail last night:
----------
The per client-server pair of keys, C2S and S2C don't roll over as long as the 
connection works reasonably well.  I asked about key lifetime on the NTP list 
and Daniel said we don't have to worry about it.
  https://mailarchive.ietf.org/arch/msg/ntp/lV74s2I97P8ncJdjsIKvlcAgEG0

> The recommendation for AES-SIV is to encrypt no more than 2**48
> messages under the same key. At one message per second that's almost 9
> million years. If you (unwisely) use AES-GCM instead, where the
> recommended limit is 2**32 messages, that's still 136 years.
----------

9 million years isn't the heat death of the universe, but it's long enough 
that we don't need to worry about it.

Eric said:
>>> What you almost need is a cookie extension to trigger a rekeying
>>> periodically.
>> Yes.  Sad the Proposed RFC is silent on the subject.  Seems a gaping
>> hole to me.
> Would you please add this to the nts.adoc list of issues we need to bring up
> at the WG meeting. 

No!


-- 
These are my opinions.  I hate spam.





More information about the devel mailing list