"Against Rekeying"

Perry E. Metzger perry at piermont.com
Fri Mar 26 10:22:06 EDT 2010


Peter Gutmann has been having some trouble with his email and asked me
to manually forward this to the list. If you reply, don't credit me with
the text, it is his.

>From pgut001 Thu Mar 25 17:29:06 2010
To: frantz at pwpconsult.com, perry at piermont.com
Subject: Re: "Against Rekeying"
Cc: cryptography at metzdowd.com

Bill Frantz <frantz at pwpconsult.com> writes:

>Eric didn't mention it in his blog post, but he has been deeply involved in
>cleaning up the mess left by a protocol error in in SSLv3 and subsequent TLS
>versions. This error was in the portion of the protocols which supported
>rekeying and created a vulnerability that affected all users of those
>protocols, whether they used the rekeying part or not.

I missed that in his blog post as well.  An equally big one is the SSHv2
rekeying fiasco, where for a long time an attempt to rekey across two
different implementations typically meant "drop the connection", and it still
does for the dozens(?) of SSH implementations outside the mainstream of
OpenSSH, Putty, ssh.com and a few others, because the procedure is so complex
and ambiguous that only a few implementations get it right (at one point the
ssh.com and OpenSSH implementations would detect each other and turn off
rekeying because of this, for example).  Unfortunately in SSH you're not even
allowed to ignore rekey requests like you can in TLS, so you're damned if you
do and damned if you don't [0].

A more general concern though is that the large amount of extra complexity
caused by the rekeying (you're juggling a renegotiate of a new set of security
parameters while simultaneously applying the current set of security
parameters) provides a very large amount of attack surface - and in SSH's case
failure modes - that just isn't justified by the hypothetical threats that
rekeying is meant to address.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list