Key lifetime: C2S and S2C
Hal Murray
hmurray at megapathdsl.net
Sat Jan 19 23:42:42 UTC 2019
I asked on the IETF NTP list.
dfoxfranke at gmail.com said:
> On Sat, Jan 19, 2019 at 6:23 AM Hal Murray <hmurray at megapathdsl.net> wrote:
>> Is that number so large for the algorithms we will use that we don't have to
>> consider it? Assume the client is sending 1 packet per second... If the
>> answer is over 100 years, I'm happy.
> The recommendation for AES-SIV is to encrypt no more than 2**48 messages
> under the same key. At one message per second that's almost 9 million years.
> If you (unwisely) use AES-GCM instead, where the recommended limit is 2**32
> messages, that's still 136 years.
------
> Btw, a related concern is the reason why we chose AES-SIV as the MTI cipher.
> A completely stateless server 1) has to resort to random nonces since it
> can't keep track of sequence numbers; 2) can't rate-limit since it can't keep
> track of packet counts. So an adversary can keep replaying the same packet
> and cause it to emit responses at line rate. With AES-SIV, even so it will
> still be a very long time before the server ever collides a nonce, and even
> once it does the consequences are insignificant.
--
These are my opinions. I hate spam.
More information about the devel
mailing list