[Cryptography] Crypto best practices

Thierry Moreau thierry.moreau at connotech.com
Fri Mar 10 16:44:39 EST 2017


On 10/03/17 08:42 PM, Jerry Leichter wrote:
>> Another interesting recommendation: "Tools should perform key exchange exactly once per connection. Many algorithms have weaknesses during key exchange and the volume of data expected during a given connection does not meet the threshold where a re-key is required. [xiii] To reiterate, re-keying is not recommended." Footnote xiii adds "The exact nature of which algorithms are weak at this stage is highly classified....
> The only thing this brings immediately to mind is related key attacks.  Though if your re-keying mechanism allows related-key attacks you have other problems.
>
> Anyone have any insight into just what they're referring to?  It could be extremely significant, given that forward security relies on very frequent re-keying.
>

No insight on my part, just a guess.

NSA has to maintain some advance in protocol vulnerability exploits 
(over academia) and the protocol negotiation downgrade in active (MITM) 
attacks is certainly among their main sources of inspiration.

(NSA's role is to prepare for the crypto warfare in WWIII ...)

What the above CIA document says is that NSA would indeed have had some 
advance over academia when the document was prepared, in at least one 
standardized connection re-keying sub-protocol.

However, the wording does not apply to Diffie-Hellman as such (basically 
*the* mechanism that supports forward secrecy) since D-H is used in the 
initial key exchange (that NSA knows discrete log algorithms in advance 
of academia is a separate question).

Regards,

- Thierry
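As an added illustration of the re-keying question in this thread (this is example code written for the archive page, not code from either poster, and the HMAC-SHA256 chain with the labels "traffic" and "ratchet" is a construction chosen here, not any standard's sub-protocol): a symmetric ratchet re-keys a connection without a second key exchange, so the key exchange still happens exactly once, and a compromise of the current chain key exposes only later traffic keys, never earlier ones. The initial chain key stands in for the output of that single exchange and is a constructed constant.

```python
import hmac
import hashlib

# Constructed sample: stands in for the secret produced by the single
# per-connection key exchange (e.g. a D-H shared secret run through a KDF).
INITIAL_CHAIN_KEY = hashlib.sha256(
    b"constructed shared secret from a one-time key exchange").digest()


def _prf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step; the key cannot be recovered from the output."""
    return hmac.new(key, label, hashlib.sha256).digest()


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric re-key: this period's traffic key and the next chain key.
    Both outputs come from the PRF, so nothing here is a related key of the
    previous period's traffic key."""
    traffic_key = _prf(chain_key, b"traffic")
    next_chain_key = _prf(chain_key, b"ratchet")
    return traffic_key, next_chain_key


def traffic_keys(initial_chain_key: bytes, periods: int) -> list[bytes]:
    """Traffic keys for periods 0..periods-1, as a legitimate endpoint derives them."""
    keys = []
    chain_key = initial_chain_key
    for _ in range(periods):
        traffic_key, chain_key = ratchet_step(chain_key)
        keys.append(traffic_key)
    return keys


def chain_key_at(initial_chain_key: bytes, period: int) -> bytes:
    """The chain key held in memory at the start of `period`."""
    chain_key = initial_chain_key
    for _ in range(period):
        _, chain_key = ratchet_step(chain_key)
    return chain_key


def keys_exposed_by_compromise(chain_key_at_compromise: bytes,
                               period: int, total_periods: int) -> list[bytes]:
    """Everything derivable from a chain key captured at `period`: the traffic
    keys of that period and all later ones. Earlier keys are not derivable
    because the PRF cannot be run backwards."""
    return traffic_keys(chain_key_at_compromise, total_periods - period)


def forward_secrecy_holds(total_periods: int, compromise_period: int) -> bool:
    """Model check: a compromise at `compromise_period` must expose exactly the
    traffic keys from that period on, and none from before it."""
    legit = traffic_keys(INITIAL_CHAIN_KEY, total_periods)
    captured = chain_key_at(INITIAL_CHAIN_KEY, compromise_period)
    exposed = set(keys_exposed_by_compromise(captured, compromise_period, total_periods))
    before, after = legit[:compromise_period], legit[compromise_period:]
    return (all(k not in exposed for k in before)
            and all(k in exposed for k in after))


if __name__ == "__main__":
    for compromised in (0, 3, 7):
        print(f"compromise at period {compromised}: "
              f"forward secrecy holds = {forward_secrecy_holds(8, compromised)}")
```

Two caveats follow from the thread itself. First, this ratchet only protects the past: once the chain key is captured, every later period is readable until a fresh key exchange (the D-H step Thierry mentions) replaces it, which is why the quoted recommendation to exchange keys once does not by itself remove forward secrecy but does bound it. Second, the property depends entirely on each re-key being a one-way derivation; a re-keying mechanism that produced related keys, Jerry's concern above, would let a captured key speak for its neighbours and void the check performed here.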


