On Mar 23, 2010, at 11:21 AM, Perry E. Metzger wrote:
>
> Ekr has an interesting blog post up on the question of whether protocol
> support for periodic rekeying is a good or a bad thing:
>
> http://www.educatedguesswork.org/2010/03/against_rekeying.html
>
> I'd be interested in hearing what people think on the topic. I'm a bit
> skeptical of his position, partially because I think we have too little
> experience with real world attacks on cryptographic protocols, but I'm
> fairly open-minded at this point.
I'm a bit skeptical -- I think that ekr is throwing the baby out with the bath
water. Nobody expects the Spanish Inquisition, and nobody expects linear
cryptanalysis, differential cryptanalysis, hypertesseract cryptanalysis, etc.
A certain degree of skepticism about the strength of our ciphers is always a
good thing -- no one has ever deployed a cipher they think their adversaries
can read, but we know that lots of adversaries have read lots of "unbreakable"
ciphers.
Now -- it is certainly possible to go overboard on this, and I think the IETF
often has. (Some of the advice given during the design of IPsec was quite
preposterous; I even thought so then...) But one can calculate rekeying
intervals based on some fairly simple assumptions about the amount of
{chosen,known,unknown} plaintext/ciphertext pairs needed and the work factor for
the attack, multiplied by the probability of someone developing an attack of
that complexity, and everything multiplied by Finagle's Constant. The trick,
of course, is to make the right assumptions. But as Bruce Schneier is fond of
quoting, attacks never get worse; they only get better. Given recent research
results, does anyone want to bet on the lifetime of AES? Sure, the NSA has
rated it for Top Secret traffic, but I know a fair number of people who no
longer agree with that judgment. It's safe today -- but will it be safe in 20
years? Will my plaintext still be sensitive then?
All of that is beside the point. The real challenge is often to design a
system -- note, a *system*, not just a protocol -- that can be rekeyed *if* the
long-term keys are compromised. Once you have that, setting the time interval
is a much simpler question, and a question that can be revisited over time as
attacks improve.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
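Steve's sketch of a rekeying-interval calculation, worked through as an added example (not code from the thread or its authors). The attack models, the adversary's work budget and the rule that an attack's data limit is divided by its estimated probability and by a safety constant are all assumptions of this example, chosen to show how the tightest model ends up setting the interval.

```python
from dataclasses import dataclass

BLOCK_BYTES = 16  # AES block size: one plaintext/ciphertext pair per block


@dataclass(frozen=True)
class AttackModel:
    """Hypothetical attack shape (fields are this example's assumptions)."""
    name: str
    pairs_needed: float   # plaintext/ciphertext pairs the attack must observe
    work_log2: float      # log2 of the attack's work factor
    p_developed: float    # your estimate that such an attack appears within the key's life


def allowed_pairs(model: AttackModel, adversary_work_log2: float, finagle: float) -> float:
    """Pairs we may process under one key before this model says 'rekey'.
    Attacks above the adversary's assumed work budget impose no limit.
    Dividing by the probability is this example's reading of the message, not a
    published rule: a certain attack (p=1) caps traffic at the pairs it needs
    over the safety constant; an unlikely attack caps it less tightly."""
    if model.work_log2 > adversary_work_log2 or model.p_developed <= 0:
        return float("inf")
    return model.pairs_needed / (model.p_developed * finagle)


def rekey_interval_seconds(models, adversary_work_log2, bytes_per_second, finagle=2.0):
    """Tightest data limit over all models, converted to seconds at the link rate."""
    limit = min(allowed_pairs(m, adversary_work_log2, finagle) for m in models)
    if limit == float("inf"):
        return float("inf")
    return limit * BLOCK_BYTES / bytes_per_second


def binding_model(models, adversary_work_log2, finagle=2.0):
    """Name of the model that sets the interval (where to revisit as attacks improve)."""
    return min(models, key=lambda m: allowed_pairs(m, adversary_work_log2, finagle)).name


# Constructed models for illustration; the numbers are placeholders, not estimates for AES.
EXAMPLE_MODELS = (
    AttackModel("exhaustive key search", pairs_needed=2, work_log2=128, p_developed=1.0),
    AttackModel("hypothetical known-plaintext attack", pairs_needed=2**40, work_log2=80, p_developed=0.2),
    AttackModel("hypothetical chosen-plaintext attack", pairs_needed=2**32, work_log2=60, p_developed=0.05),
)

if __name__ == "__main__":
    secs = rekey_interval_seconds(EXAMPLE_MODELS, adversary_work_log2=100, bytes_per_second=1e9)
    print(f"rekey every {secs:.0f} s on a 1 GB/s link, bound by: {binding_model(EXAMPLE_MODELS, 100)}")
```

Because the interval is the minimum over models, re-running it with a revised probability or work estimate for one attack is the "revisited over time" step the message describes.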
---------------------------------------------------------------------
The Cryptography Mailing List