Date:      Sat, 19 Apr 2003 11:30:03 -0700
From:      Sean Chittenden <sean@chittenden.org>
To:        Mark Murray <mark@grondar.org>
Cc:        security@freebsd.org
Subject:   Re: How often should an encrypted session be rekeyed?
Message-ID:  <20030419183003.GO79923@perrin.int.nxad.com>
In-Reply-To: <20030418205820.GF79923@perrin.int.nxad.com>
References:  <20030411182758.GN79923@perrin.int.nxad.com> <200304182028.h3IKShQ5008767@grimreaper.grondar.org> <20030418205820.GF79923@perrin.int.nxad.com>


> > > Using OpenSSL, is there a preferred/recommended rate of rekeying
> > > an encrypted stream of data?  Does OpenSSL handle this for
> > > developers behind the scenes?  Does it even need to be rekeyed?
> > 
> > "Depends". I recommend the O'Reilly book on OpenSSL for this and
> > related OpenSSL programming docs.
> > 
> > ISBN: 0-596-00270-X
> 
> Thanks, I may have to stop through B&N tonight.  I know it depends
> on the strength of the cypher, the data transferred, and time between
> the last rekeying, but I was wondering on what scale this should
> happen.  Once an hour?  Once every X bytes?  Does OpenSSL handle
> this for developers? I looked at OpenSSH and mod_ssl and couldn't
> find any indication as to how often things are rekeyed beyond
> "whenever the client requests it," but looking at client code didn't
> tell me much either.

Alright, well, I'm skeptical of most O'Reilly books, but I had a most
enlightening evening with the OpenSSL book mentioned above.  I always
took this aspect of crypto for granted and assumed it was always used,
but apparently not.  The concept/option that I was looking for was
ephemeral keying (I'd always called it private rekeying ::shrug::).

For those interested, for each connection/session the server generates a
new private SSL key.  In exchange for giving away the SSL connection
options (only negative trade-off other than higher connection setup
overhead), the session uses a unique private key that is changed
automatically by the underlying library, thus providing forward
security in the event that the data from a given session was recorded
and the private key was discovered (read: wouldn't be possible to
figure out what was transmitted even with the private key).  Anyway,
ephemeral keying requires the use of Diffie-Hellman's key exchange and
that users of this technique (each connection) set up their own SSL_CTX
object and set the SSL_OP_SINGLE_DH_USE option:

SSL_CTX_set_options(ctx,
		    SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE);

Happy happy joy joy, and now you know.  -sc

-- 
Sean Chittenden
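
The forward-security property described in the message above, as an added example that is not part of the original e-mail and is not OpenSSL code: a toy Diffie-Hellman model in which a recorded session is decrypted with a later-leaked long-term key when the server reuses one DH key, but not when it generates a fresh key per connection. The group parameters, the Server class, and the helper names are assumptions made for illustration, and the 127-bit group and XOR keystream are far too weak for real use.

```python
import hashlib
import secrets

# Toy parameters (assumption, illustration only): 127-bit Mersenne prime.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    # Toy keystream: SHA-256 over key || counter; same call encrypts and decrypts.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Server:
    def __init__(self, ephemeral):
        self.ephemeral = ephemeral
        self.long_term_priv, self.long_term_pub = keypair()

    def handshake(self, client_pub):
        if self.ephemeral:
            # Fresh DH key per connection; the private half is dropped on return.
            priv, pub = keypair()
        else:
            # Static DH: every session is derived from the long-term key.
            priv, pub = self.long_term_priv, self.long_term_pub
        return pub, session_key(priv, client_pub)

def record_session(server, plaintext):
    """Run one handshake and return what a passive wire capture would hold."""
    c_priv, c_pub = keypair()
    s_pub, s_key = server.handshake(c_pub)
    assert s_key == session_key(c_priv, s_pub)  # both ends agree on the key
    return c_pub, s_pub, xor_stream(s_key, plaintext)

def decrypt_capture(capture, leaked_server_priv):
    """Try to read a recorded session using a server private key leaked later."""
    c_pub, _s_pub, ciphertext = capture
    return xor_stream(session_key(leaked_server_priv, c_pub), ciphertext)
```

OpenSSL 1.1.0 and later always generate a fresh DH key for each handshake, so SSL_OP_SINGLE_DH_USE has no effect on those versions.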


