On Mon, Dec 28, 2015 at 08:51:01PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> When too much plaintext has been encrypted with the same key, the
> key needs to be changed. When the key is changed, the change
> procedure should involve new randomness.
>
> What's the confusion here???

OTOH, you can't drop an attacker knowing older key without doing new
key exchange.

Introducing new randomness would complicate the rekeying _greatly_
as now you need to handle synchronization (which also causes nasty
problems at application layer). So one wouldn't want to do that without
really good reason.

Breaking the symmetry between rekeyings (including the rekey counter in
key derivation) might be feasible tho.

-Ilari
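
Added example, not part of the original message or of any TLS specification: a deterministic rekey step that mixes the rekey counter into the derivation. It shows that both endpoints stay in step with no new randomness to synchronize, and that anyone holding one key can compute every later one. The label, the counter encoding and the sample key are assumptions made for this illustration.

```python
import hashlib
import hmac

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand from RFC 5869, using HMAC-SHA-256."""
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:length]

def next_key(current_key: bytes, rekey_counter: int) -> bytes:
    """Next traffic key from the current key and the rekey counter only.
    The label is a constructed placeholder, not one defined by TLS."""
    info = b"example rekey" + rekey_counter.to_bytes(8, "big")
    return hkdf_expand(current_key, info)

def key_schedule(initial_key: bytes, rekeys: int) -> list:
    """Keys 0..rekeys as one endpoint computes them locally."""
    keys = [initial_key]
    for n in range(1, rekeys + 1):
        keys.append(next_key(keys[-1], n))
    return keys

def keys_after(known_key: bytes, known_index: int, last_index: int) -> list:
    """Keys that follow from one known key: everything after it is derivable."""
    keys, k = [], known_key
    for n in range(known_index + 1, last_index + 1):
        k = next_key(k, n)
        keys.append(k)
    return keys

INITIAL = bytes(range(32))  # constructed sample key, not a real secret

if __name__ == "__main__":
    client = key_schedule(INITIAL, 4)
    server = key_schedule(INITIAL, 4)
    # No message is exchanged, so there is nothing to synchronize.
    print("endpoints agree:", client == server)
    # Without a fresh key exchange, knowledge of key 2 carries forward.
    print("key 2 yields keys 3 and 4:", keys_after(client[2], 2, 4) == client[3:])
    # The counter makes each rekey step a different function of its input.
    print("counter separates steps:", next_key(INITIAL, 1) != next_key(INITIAL, 2))
```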
