On Sat, Sep 28, 2013 at 7:36 AM, ianG <i...@iang.org> wrote:
> ...
>>> The key reuse issue isn't related to the choice between time-based and
>>> message-based updates. It's caused by keys and IVs in the current design
>>> being derived deterministically from the shared secret and the sequence
>>> number. If an endpoint crashes and restarts, it may reuse a key and IV with
>>> new plaintext. Not good.
>
> Either the whole session has to be renegotiated then, or you need a way to
> inject fresh randomness post-crash. It's not good to rely on counters or
> RNGs in those circumstances. Time? Or VM restarts.
"When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography," www.isoc.org/isoc/conferences/ndss/10/pdf/15.pdf

"When Virtual is Harder than Real: Resource Allocation Challenges in Virtual Machine Based IT Environments," http://static.usenix.org/event/hotos05/final_papers/full_papers/garfinkel/garfinkel.pdf

http://lists.randombit.net/pipermail/cryptography/2013-July/004746.html: "mix every entropy source you can get your hands on into your PRNG, including less-than-perfect ones".

Jeff

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
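The failure mode the quoted message describes (key and IV derived only from the shared secret and a sequence counter, so a crash that resets the counter repeats a key/IV pair) and the hedge the thread's advice points at (mix fresh entropy into the derivation at every process start), simulated as an added Python example. This is not code from the thread or from any system discussed in it; the shared secret, the HMAC-SHA256 derivation and the "epoch" name are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Tuple

# Constructed shared secret for the demo; a real session's secret comes from key agreement.
SHARED_SECRET = b"constructed-shared-secret-for-demo"


def derive_key_iv(shared_secret: bytes, seq: int, epoch: bytes = b"") -> Tuple[bytes, bytes]:
    """Derive a (key, IV) pair for message number `seq`, using HMAC-SHA256 as the PRF.

    With epoch == b"" this is the purely deterministic scheme the thread objects to:
    the same (secret, seq) always yields the same key and IV.  A non-empty epoch,
    chosen fresh at every process start, is the hedged variant (assumed design).
    """
    info = seq.to_bytes(8, "big") + epoch
    key = hmac.new(shared_secret, b"key" + info, hashlib.sha256).digest()[:16]
    iv = hmac.new(shared_secret, b"iv" + info, hashlib.sha256).digest()[:12]
    return key, iv


def fresh_epoch() -> bytes:
    """Hedge in the sense of the quoted advice: hash together every entropy source
    at hand, so one bad source (e.g. RNG state repeated after a VM reset) is not fatal."""
    h = hashlib.sha256()
    h.update(os.urandom(32))
    h.update(time.time_ns().to_bytes(8, "big"))
    h.update(os.getpid().to_bytes(4, "big"))
    return h.digest()


class Endpoint:
    """One side of the session.  Only the shared secret survives a crash;
    the sequence counter and the epoch live in memory and are lost."""

    def __init__(self, shared_secret: bytes, hedged: bool):
        self.secret = shared_secret
        self.seq = 0
        self.epoch = fresh_epoch() if hedged else b""

    def next_key_iv(self) -> Tuple[bytes, bytes]:
        kiv = derive_key_iv(self.secret, self.seq, self.epoch)
        self.seq += 1
        return kiv


class ReuseMonitor:
    """Records every (key, IV) pair ever used and flags a repeat."""

    def __init__(self):
        self.seen = set()

    def observe(self, key: bytes, iv: bytes) -> bool:
        pair = (key, iv)
        if pair in self.seen:
            return True  # reuse: new plaintext would go under an already-used key/IV
        self.seen.add(pair)
        return False


def simulate(hedged: bool, before_crash: int = 3, after_crash: int = 3) -> int:
    """Send some messages, crash and restart the endpoint, send more.
    Returns how many (key, IV) pairs were reused across the restart."""
    monitor = ReuseMonitor()
    endpoint = Endpoint(SHARED_SECRET, hedged)
    reuses = 0
    for _ in range(before_crash):
        reuses += monitor.observe(*endpoint.next_key_iv())
    # Crash: in-memory state is gone; restart from the persisted shared secret only.
    endpoint = Endpoint(SHARED_SECRET, hedged)
    for _ in range(after_crash):
        reuses += monitor.observe(*endpoint.next_key_iv())
    return reuses


if __name__ == "__main__":
    print("deterministic derivation, reuses after restart:", simulate(hedged=False))
    print("hedged derivation, reuses after restart:", simulate(hedged=True))
```

With the deterministic derivation every message sent after the restart lands on a key/IV pair already consumed before it; with the epoch mixed in, none do. The hedge is not free: the peer can no longer recompute the key and IV from the sequence number alone, so the new epoch has to be carried to the other side or the session renegotiated, which is exactly the choice ianG's reply lays out.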