"Against Rekeying"

[Bill Frantz]

On 3/23/10 at 8:21 AM, perry at piermont.com (Perry E. Metzger) wrote:

> Ekr has an interesting blog post up on the question of whether protocol
> support for periodic rekeying is a good or a bad thing:
> 
> http://www.educatedguesswork.org/2010/03/against_rekeying.html
> 
> I'd be interested in hearing what people think on the topic. I'm a bit
> skeptical of his position, partially because I think we have too little
> experience with real world attacks on cryptographic protocols, but I'm
> fairly open-minded at this point.

Eric didn't mention it in his blog post, but he has been deeply involved
in cleaning up the mess left by a protocol error in in SSLv3 and
subsequent TLS versions. This error was in the portion of the protocols
which supported rekeying and created a vulnerability that affected all
users of those protocols, whether they used the rekeying part or not.

The risks from additional protocol complexity must be balanced with the
benefits of including the additional facility. My own opinion is that in
this case, the benefits didn't justify the risk. The few applications
which desired rekeying could have been designed to build a completely
new TLS connection, avoiding the risk for everyone.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | I like the farmers' market   | Periwinkle
(408)356-8506      | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com