[145177] in cryptography@c2.net mail archive
Re: "Against Rekeying"
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Thu Mar 25 08:41:03 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <87sk7rnjxe.fsf@snark.cb.piermont.com>
Date: Tue, 23 Mar 2010 22:13:20 -0400
Cc: cryptography@metzdowd.com
To: "Perry E. Metzger" <perry@piermont.com>
On Mar 23, 2010, at 11:21 AM, Perry E. Metzger wrote:
>
> Ekr has an interesting blog post up on the question of whether protocol
> support for periodic rekeying is a good or a bad thing:
>
> http://www.educatedguesswork.org/2010/03/against_rekeying.html
>
> I'd be interested in hearing what people think on the topic. I'm a bit
> skeptical of his position, partially because I think we have too little
> experience with real world attacks on cryptographic protocols, but I'm
> fairly open-minded at this point.

I'm a bit skeptical -- I think that ekr is throwing the baby out with the bath water. Nobody expects the Spanish Inquisition, and nobody expects linear cryptanalysis, differential cryptanalysis, hypertesseract cryptanalysis, etc. A certain degree of skepticism about the strength of our ciphers is always a good thing -- no one has ever deployed a cipher they think their adversaries can read, but we know that lots of adversaries have read lots of "unbreakable" ciphers.

Now -- it is certainly possible to go overboard on this, and I think the IETF often has. (Some of the advice given during the design of IPsec was quite preposterous; I even thought so then...) But one can calculate rekeying intervals based on some fairly simple assumptions about the amount of {chosen,known,unknown} plaintext/ciphertext pairs needed and the work factor for the attack, multiplied by the probability of someone developing an attack of that complexity, and everything multiplied by Finagle's Constant. The trick, of course, is to make the right assumptions. But as Bruce Schneier is fond of quoting, attacks never get worse; they only get better. Given recent research results, does anyone want to bet on the lifetime of AES? Sure, the NSA has rated it for Top Secret traffic, but I know a fair number of people who no longer agree with that judgment. It's safe today -- but will it be safe in 20 years? Will my plaintext still be sensitive then?

All of that is beside the point. The real challenge is often to design a system -- note, a *system*, not just a protocol -- that can be rekeyed *if* the long-term keys are compromised. Once you have that, setting the time interval is a much simpler question, and a question that can be revisited over time as attacks improve.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
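As an added illustration of the rekeying-interval arithmetic sketched in the message above (this is not code from the original post or from Bellovin), the pieces he names can be written out as a small model: how many plaintext/ciphertext blocks an attack consumes, its work factor, the probability that someone fields it while the data is still sensitive, and a safety multiplier standing in for "Finagle's Constant". The attack models, the attacker's work budget, the throughput and every numeric value below are constructed assumptions chosen only to make the arithmetic concrete.

```python
# Added illustration of the rekeying-interval reasoning in the message above.
# Not code from the original post. Every parameter value below is a
# constructed assumption: the attack models, the attacker's work budget,
# the throughput, and the safety multiplier standing in for "Finagle's Constant".
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackModel:
    """One {chosen,known,unknown}-plaintext attack we want to stay ahead of."""
    name: str
    pairs_needed: float     # plaintext/ciphertext blocks the attack consumes
    log2_work: float        # log2 of the cipher operations the attack costs
    p_developed: float      # subjective probability someone fields it while
                            # the plaintext is still sensitive (0..1)


def effective_probability(model: AttackModel, attacker_log2_budget: float) -> float:
    """An attack already within the attacker's work budget is treated as
    certain; one beyond it counts only with its subjective probability."""
    if model.log2_work <= attacker_log2_budget:
        return 1.0
    return model.p_developed


def max_blocks_per_key(model: AttackModel, attacker_log2_budget: float,
                       finagle: float = 4.0, risk_tolerance: float = 1.0) -> float:
    """Largest number of blocks to encrypt under one key such that
    p * (blocks / pairs_needed) * finagle <= risk_tolerance."""
    p = effective_probability(model, attacker_log2_budget)
    if p == 0.0:
        return float("inf")   # attack assumed impossible: it imposes no bound
    return risk_tolerance * model.pairs_needed / (p * finagle)


def rekey_interval(models, throughput_bytes_per_s: float, block_bytes: int,
                   attacker_log2_budget: float, finagle: float = 4.0,
                   risk_tolerance: float = 1.0):
    """Return (binding model name, max bytes per key, seconds between rekeys).
    The binding model is the one that permits the fewest blocks per key."""
    def budget(m):
        return max_blocks_per_key(m, attacker_log2_budget, finagle, risk_tolerance)
    binding = min(models, key=budget)
    max_bytes = budget(binding) * block_bytes
    return binding.name, max_bytes, max_bytes / throughput_bytes_per_s


# Constructed attack models (illustrative numbers, not from the message):
MODELS = (
    # Birthday-bound collisions on a 64-bit block: a known, cheap attack.
    AttackModel("birthday_collision_64bit_block", pairs_needed=2.0**32,
                log2_work=32, p_developed=1.0),
    # A hypothetical future cryptanalytic improvement: needs fewer blocks
    # than brute force but far more work than today's attacker can afford.
    AttackModel("hypothetical_improved_cryptanalysis", pairs_needed=2.0**40,
                log2_work=100, p_developed=0.05),
)

ATTACKER_LOG2_BUDGET = 80.0      # assumed: attacker can afford ~2^80 operations
THROUGHPUT = 1e8                 # assumed: 100 MB/s of traffic under one key


if __name__ == "__main__":
    name, max_bytes, secs = rekey_interval(MODELS, THROUGHPUT, block_bytes=8,
                                           attacker_log2_budget=ATTACKER_LOG2_BUDGET)
    print(f"64-bit block:  binding model={name}, rekey every "
          f"{max_bytes / 2**30:.1f} GiB (~{secs:.0f} s at {THROUGHPUT:.0e} B/s)")
    # Same hypothetical model, but a 128-bit block whose birthday bound is 2^64
    # blocks: now the probability-weighted unknown attack is what binds.
    wide = (AttackModel("birthday_collision_128bit_block", 2.0**64, 64, 1.0), MODELS[1])
    name, max_bytes, secs = rekey_interval(wide, THROUGHPUT, block_bytes=16,
                                           attacker_log2_budget=ATTACKER_LOG2_BUDGET)
    print(f"128-bit block: binding model={name}, rekey every "
          f"{max_bytes / 2**40:.1f} TiB (~{secs / 86400:.1f} days)")
```

The point the second run makes is the one the message makes: with a wide block the known birthday bound stops mattering, and the interval is set entirely by how much probability you assign to an attack that does not exist yet, which is exactly the assumption that has to be revisited as attacks improve.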
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com