On 13/10/16 13:27, Yoav Nir wrote:
> Hi, Stephen
>> - Wouldn't it be good to encourage minimising re-use of public
>> values for multiple key exchanges? As-is, the text sort-of
>> encourages use for "many key exchanges" in section 4.
> I don’t think so. 

Fair enough, though when I said "minimise" I didn't mean
"never re-use." But all you say below is correct, so not
that big a deal, but I do think it'd be better to explicitly
encourage implementers to roll their private values as
often as makes sense in their situation.


> Re-use reduces the computation cost of an IKE
> Responder (or TLS server) without sacrificing security.  There was
> some discussion of this in CFRG, but I see that it didn’t make it
> into RFC 7748, so all I can find is some StackExchange question
> ([1]).
> It does make the static keypair valuable. It is definitely not a good
> idea to store the private key on-disk and keep it forever, but
> generating a new key once in a while and discarding the old key is
> usually a good compromise there.
> Anyway key-pair reuse is established practice. Using constant-time
> implementations is essential to making this practice safe, and the
> Security Considerations section says just that.
> Yoav
> [1]
> http://crypto.stackexchange.com/questions/11012/reuse-of-a-dh-ecdh-public-key

IPsec mailing list