> - Wouldn't it be good to encourage minimising re-use of
> public values for multiple key exchanges? As-is, the text
> sort-of encourages use for "many key exchanges" in
> section 4.
I don’t think so. Re-use reduces the computation cost of an IKE Responder (or
TLS server) without sacrificing security. There was some discussion of this in
CFRG, but I see that it didn’t make it into RFC 7748, so all I can find is some
StackExchange question ().
It does make the static keypair valuable. It is definitely not a good idea to
store the private key on-disk and keep it forever, but generating a new key
once in a while and discarding the old key is usually a good compromise there.
Anyway key-pair reuse is established practice. Using constant-time
implementations is essential to making this practice safe, and the Security
Considerations sections says just that.
IPsec mailing list