Curt Sampson <cjs@cynic.net> writes:
> On Fri, 11 Apr 2003, Tom Lane wrote:
>> I realized this morning that there's probably a security tradeoff
>> involved: renegotiating the session key limits the amount of session
>> data encrypted with any one key, which is good; but each renegotiation
>> requires another use of the server key, increasing the odds that an
>> eavesdropper could break *that* (which'd let him into all sessions not
>> just the one).
> This seems extremely low-risk to me; there's very little data
> transferred using the server key.
Perhaps, but the downside if the server key is broken is much worse
than the loss if any one session key is broken. Also, I don't know
how stylized the key-renegotiation exchange is --- there might be
a substantial known-plaintext risk there.

The fact that sshd thinks it necessary to choose a new server key as
often as once an hour indicates to me that they consider the risks
nonnegligible.

regards, tom lane