"Against Rekeying"

Steven Bellovin smb at cs.columbia.edu
Tue Mar 23 22:13:20 EDT 2010

On Mar 23, 2010, at 11:21 AM, Perry E. Metzger wrote:

> Ekr has an interesting blog post up on the question of whether protocol
> support for periodic rekeying is a good or a bad thing:
> http://www.educatedguesswork.org/2010/03/against_rekeying.html
> I'd be interested in hearing what people think on the topic. I'm a bit
> skeptical of his position, partially because I think we have too little
> experience with real world attacks on cryptographic protocols, but I'm
> fairly open-minded at this point.

I'm a bit skeptical -- I think that ekr is throwing the baby out with the bath water.  Nobody expects the Spanish Inquisition, and nobody expects linear cryptanalysis, differential cryptanalysis, hypertesseract cryptanalysis, etc.  A certain degree of skepticism about the strength of our ciphers is always a good thing -- no one has ever deployed a cipher they think their adversaries can read, but we know that lots of adversaries have read lots of "unbreakable" ciphers.

Now -- it is certainly possible to go overboard on this, and I think the IETF often has.  (Some of the advice given during the design of IPsec was quite preposterous; I even thought so then...)  But one can calculate rekeying intervals based on some fairly simple assumptions about the amount of {chosen,known,unknown} plaintext/ciphertext pairs needed and the work factor for the attack, multiplied by the probability of someone developing an attack of that complexity, and everything multiplied by Finagle's Constant.  The trick, of course, is to make the right assumptions.  But as Bruce Schneier is fond of quoting, attacks never get worse; they only get better.  Given recent research results, does anyone want to bet on the lifetime of AES?  Sure, the NSA has rated it for Top Secret traffic, but I know a fair number of people who no longer agree with that judgment.  It's safe today -- but will it be safe in 20 years?  Will my plaintext still be sensitive then?

All of that is beside the point.  The real challenge is often to design a system -- note, a *system*, not just a protocol -- that can be rekeyed *if* the long-term keys are compromised.  Once you have that, setting the time interval is a much simpler question, and a question that can be revisited over time as attacks improve.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
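The rekeying-interval calculation sketched in the message above, as an added worked example that is not part of the original post and is not Bellovin's own method. The risk model (cap traffic per key so the attacker's expected share of an attack's data requirement stays under a budget), the two sample attack parameter sets, the link rate and the 1e-3 risk budget are all assumptions made here for illustration; only the ingredients (pairs needed, work factor, probability of a feasible attack, a Finagle multiplier) come from the message.

```python
"""Rekey-interval budgeting: a worked version of the reasoning in the post above.

Added illustration; the model is an assumption, not the original's formula:
  * a hypothetical attack needs `pairs_needed` plaintext/ciphertext pairs
    (counted in cipher blocks) collected under ONE key;
  * only `harvest_fraction` of a key's traffic is usable as such pairs
    (chosen plaintext is rarer than known, known rarer than unknown);
  * `p_feasible` is the estimated chance that an attack of this work factor
    becomes practical while the plaintext is still sensitive;
  * `finagle` > 1 is a blanket safety multiplier in the attacker's favour.
Traffic under one key is capped so that the expected share of the attack's
data requirement the attacker can collect stays below `risk_budget`.
"""
from dataclasses import dataclass, replace
import math


@dataclass(frozen=True)
class AttackModel:
    name: str
    pairs_needed: float       # pairs (blocks) the attack needs under one key
    work_factor_bits: float   # log2 of the attack's work; informational here
    harvest_fraction: float   # share of traffic usable as attack pairs, 0..1
    p_feasible: float         # probability the attack is practical in time, 0..1

    def __post_init__(self):
        for f in (self.harvest_fraction, self.p_feasible):
            if not 0.0 <= f <= 1.0:
                raise ValueError("fractions must lie in [0, 1]")
        if self.pairs_needed <= 0:
            raise ValueError("pairs_needed must be positive")


def max_blocks_per_key(model, risk_budget=1e-3, finagle=4.0):
    """Largest number of blocks to encrypt under one key against `model`.

    Solves  harvest * blocks / pairs_needed * p_feasible * finagle <= risk_budget
    for `blocks`.  An attack with zero harvest or zero feasibility imposes no cap.
    """
    exposure_per_block = (model.harvest_fraction * model.p_feasible * finagle
                          / model.pairs_needed)
    if exposure_per_block == 0.0:
        return math.inf
    return risk_budget / exposure_per_block


def rekey_plan(models, rate_bytes_per_s, block_bytes=16,
               risk_budget=1e-3, finagle=4.0):
    """Pick the binding attack and convert its block cap to a time interval.

    Returns (binding_attack_name, max_blocks, interval_seconds).
    """
    caps = {m.name: max_blocks_per_key(m, risk_budget, finagle) for m in models}
    binding = min(caps, key=caps.get)
    blocks = caps[binding]
    return binding, blocks, blocks * block_bytes / rate_bytes_per_s


# Constructed sample threat models (assumed values) for a 128-bit block cipher.
TODAY = AttackModel("best published attack", pairs_needed=2 ** 40,
                    work_factor_bits=100, harvest_fraction=1.0, p_feasible=0.25)
SPECULATIVE = AttackModel("hypothetical future attack", pairs_needed=2 ** 32,
                          work_factor_bits=80, harvest_fraction=0.5, p_feasible=0.05)
LINK_RATE = 1e9  # bytes per second on the protected link, assumed


def revisit(models, improved_pairs_needed, rate_bytes_per_s=LINK_RATE, **plan_kw):
    """'Attacks only get better': recompute once the binding attack needs less data.

    Returns the factor by which the rekey interval shrinks when the currently
    binding attack's `pairs_needed` is replaced by `improved_pairs_needed`.
    """
    binding, _, before = rekey_plan(models, rate_bytes_per_s, **plan_kw)
    improved = [replace(m, pairs_needed=improved_pairs_needed) if m.name == binding else m
                for m in models]
    _, _, after = rekey_plan(improved, rate_bytes_per_s, **plan_kw)
    return before / after


if __name__ == "__main__":
    name, blocks, seconds = rekey_plan([TODAY, SPECULATIVE], LINK_RATE)
    print(f"binding attack: {name}; rekey every {blocks:.0f} blocks (~{seconds:.3f} s)")
    print(f"if its data need drops to 2^24 pairs, rekey {revisit([TODAY, SPECULATIVE], 2 ** 24):.0f}x as often")
```

Note how the numbers come out: with these assumed parameters the speculative attack, not the published one, sets the interval, because the low probability assigned to it is outweighed by its much smaller data requirement. That is the "right assumptions" problem in miniature, and `revisit` is the knob that gets turned when a better attack appears.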
