[5228] in cryptography@c2.net mail archive
Re: Re-key: how often?
daemon@ATHENA.MIT.EDU (Pat Farrell)
Tue Jul 27 10:07:25 1999
Date: Mon, 26 Jul 1999 20:47:07 -0400
To: Andy <amaslar@home.com>, Cryptography List <cryptography@c2.net>
From: Pat Farrell <pfarrell@netcom.com>
Cc: pfarrell@mail.netcom.com
In-Reply-To: <379CB531.59368186@home.com>

At 03:21 PM 7/26/99 -0400, Andy wrote:
> My question is, how often should I generate a new key for each session?
>Is there a rule of thumb concerning how much info. can be sent/received
>before a key is considered "used up"?

The rule of thumb is to re-key before the value of what you are protecting
exceeds the cost of breaking your key. That makes the economics of
breaking the session work in your favor.

For most real world applications, the length of a logon session
which ranges "anywhere from a few minutes to hours" is easily
protected with one 128 bit key.

The EFF machine can break DES-56 in less time than your sessions,
so unless the thing you're protecting is pretty cheap, DES-56 is too
weak. DES-40 is too weak for anything.

Hope this helps.
Pat

Pat Farrell CyberCash, Inc. (703) 715-7834
pfarrell@cybercash.com
#include standard.disclaimer