Re: [INTERFACES] Speed of SSL connections; cost of - Mailing list pgsql-hackers

From rise
Subject Re: [INTERFACES] Speed of SSL connections; cost of
Date
Msg-id Pine.LNX.4.44.0304211852500.11535-100000@skellig.knavery.net
In response to Re: Speed of SSL connections; cost of renegotiation  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 11 Apr 2003, Tom Lane wrote:

> I realized this morning that there's probably a security tradeoff
> involved: renegotiating the session key limits the amount of session
> data encrypted with any one key, which is good; but each
> renegotiation requires another use of the server key, increasing the
> odds that an eavesdropper could break *that* (which'd let him into
> all sessions not just the one).
>
> So a too-short renegotiation interval is not only expensive
> time-wise, but could actually be a net loss for security.
>
> I'm beginning to think we need to consult some experts to find out
> what the right tradeoff is.

Late follow up, but a data point for this:

"Practical Cryptography"[0] p.82 suggests limiting CBC mode to 2^32
128-bit blocks and CTR mode to 2^60 before rekeying because of
information leakage from collisions (they warn against using OFB at
all).  That gives us:
         2^32 blocks * 2^7 bits/block
         ----------------------------    =   64GB
                2^33 bits/GB

I'd add a fudge factor of a few powers of two in there for chattiness
of protocols and general paranoia and suggest the cap on data
transferred before rekeying should be no higher than 1GB.  Pretty big
limit, but that's the only real suggestion I've found so far.  This
doesn't address the potential issue of more ciphertext making an
attack on the key easier which could dramatically lower the safe bound.

The book is a relatively quick, entertaining and very clear read on
the topic of actually implementing and using cryptosystems and the
degree of conservatism they show is reassuring.


[0] Niels Ferguson, Bruce Schneier.  "Practical Cryptography".  Wiley Publishing, Inc., 2003.  ISBN 0-471-22357-3

- -- 
Jonathan Conway                               rise@knavery.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Made with pgp4pine 1.76

iD8DBQE+pJkPx9v8xy9f0yoRAhuHAJ96e4wYyfL6JYJFbg4qftjFDlMoLwCbBUy6
pFKlJs//AOkVRk+PQztiIFo=
=wJ5/
-----END PGP SIGNATURE-----
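
The arithmetic in the message above, carried into a per-key byte counter that a connection could use to decide when to renegotiate. This is an added example, not code from the post or from PostgreSQL: all names are hypothetical, the 16 KiB record size is an assumption, and the collision estimate uses the standard birthday approximation n^2 / 2^(b+1), which the post does not state.

```python
import math

GIB = 1 << 30  # the post's "GB": 2^33 bits

def key_lifetime_bytes(max_blocks_log2=32, block_bits=128):
    """Bytes one key may encrypt at a limit of 2^max_blocks_log2 blocks."""
    return (1 << max_blocks_log2) * (block_bits // 8)

def collision_log2(n_bytes, block_bits=128):
    """log2 of the birthday estimate n^2 / 2^(b+1) for n ciphertext blocks."""
    n_blocks = n_bytes // (block_bits // 8)
    return 2 * math.log2(n_blocks) - (block_bits + 1)

class RekeyBudget:
    """Tracks bytes sent under the current session key against a cap."""

    def __init__(self, cap_bytes):
        self.cap = cap_bytes
        self.used = 0
        self.rekeys = 0

    def account(self, nbytes):
        """Charge one outgoing record; return True if a rekey must precede it."""
        if nbytes > self.cap:
            raise ValueError("record larger than the whole key budget")
        if self.used + nbytes > self.cap:
            self.rekeys += 1
            self.used = nbytes  # this record goes out under the new key
            return True
        self.used += nbytes
        return False

def simulate(total_bytes, record_bytes=16384, cap_bytes=GIB):
    """Constructed workload of fixed-size records; returns rekeys needed."""
    budget = RekeyBudget(cap_bytes)
    for _ in range(total_bytes // record_bytes):
        budget.account(record_bytes)
    return budget.rekeys

if __name__ == "__main__":
    print(key_lifetime_bytes() // GIB, "GiB at the 2^32-block CBC limit")
    print(collision_log2(64 * GIB), "log2 P(collision) at that limit")
    print(collision_log2(GIB), "log2 P(collision) at the 1 GiB cap")
    print(simulate(5 * GIB // 2), "rekeys to move 2.5 GiB")
```
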


