Hi, Stephen

> - Wouldn't it be good to encourage minimising re-use of
> public values for multiple key exchanges? As-is, the text
> sort-of encourages use for "many key exchanges" in
> section 4.

I don’t think so. Re-use reduces the computation cost of an IKE Responder (or 
TLS server) without sacrificing security.  There was some discussion of this in 
CFRG, but I see that it didn’t make it into RFC 7748, so all I can find is some 
StackExchange question ([1]).

It does make the static keypair valuable. It is definitely not a good idea to 
store the private key on-disk and keep it forever, but generating a new key 
once in a while and discarding the old key is usually a good compromise there.

Anyway, key-pair reuse is established practice. Using constant-time 
implementations is essential to making this practice safe, and the Security 
Considerations section says just that.


IPsec mailing list

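Added example, not from this message or any IPsec list code: a responder that reuses one X25519 key pair for many key exchanges and discards it for a fresh one after a fixed number of uses, the pattern the reply argues for. The arithmetic is the RFC 7748 ladder written in pure Python, which is not constant-time (big-integer operations are variable-time), so it shows the structure only; the `Responder` class and its `lifetime` counter are assumptions for illustration.

```python
# Added example: reuse of one X25519 key pair across several exchanges with rotation.
# Pure-Python RFC 7748 arithmetic; NOT constant-time, for illustration only.
import os

P = 2**255 - 19                   # field prime
A24 = 121665                      # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")

def _cswap(swap, a, b):
    # Arithmetic conditional swap from RFC 7748 section 5 (no data-dependent branch).
    mask = -swap
    d = mask & (a ^ b)
    return a ^ d, b ^ d

def x25519(k, u):
    """RFC 7748 X25519(k, u) on 32-byte little-endian strings."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)       # mask top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):                               # Montgomery ladder
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * ((da - cb) ** 2) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

class Responder:
    """Hypothetical IKE/TLS responder: one key pair serves `lifetime` exchanges."""
    def __init__(self, lifetime=100):
        self.lifetime = lifetime
        self._rotate()
    def _rotate(self):
        self.private = os.urandom(32)     # old private key is dropped, never stored
        self.public = x25519(self.private, BASEPOINT)
        self.uses = 0
    def exchange(self, peer_public):
        if self.uses >= self.lifetime:    # rotate "once in a while"
            self._rotate()
        self.uses += 1
        return self.public, x25519(self.private, peer_public)
```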