Yo Hal!

On Sat, 02 Feb 2019 02:33:56 -0800
Hal Murray via devel <devel@ntpsec.org> wrote:

> The per client-server pair of keys, C2S and S2C don't roll over as
> long as the connection works reasonably well. I asked about key
> lifetime on the NTP list and Daniel said we don't have to worry about
> it.
> https://mailarchive.ietf.org/arch/msg/ntp/lV74s2I97P8ncJdjsIKvlcAgEG0

The Germans thought that with Enigma. The Japanese thought that with
Purple. Both were proven wrong.

Daniel makes bad assumptions about how many tries a second can be made.

> > The recommendation for AES-SIV is to encrypt no more than 2**48
> > messages under the same key. At one message per second that's
> > almost 9 million years. If you (unwisely) use AES-GCM instead,
> > where the recommended limit is 2**32 messages, that's still 136
> > years.

Nothing says that a single cookie could not be used by a farm of clients
to push the cookies per second into the thousands.

Then add that this is millions of known plaintext and known ciphertext
pairs. That is not what the key reuse calculations assume.

Yes, not a simple thing, but possible for a nation state.

So whatever a conservative key reuse limit is, it should be enforced.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
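The enforcement asked for at the end of the message, sketched as an added example that is not part of the original e-mail and is not NTPsec code: a per-key message counter that refuses a key once its limit is spent, plus the time-to-limit arithmetic at different aggregate rates. The struct, the function names, the 3/4 rollover margin and the 5000 messages per second sample rate are assumptions; where such a counter would be kept is not something the thread specifies.

```c
#include <stdint.h>
#include <stdio.h>

/* Limits quoted in the thread: 2**48 messages (AES-SIV), 2**32 (AES-GCM). */
#define LIMIT_AES_SIV (UINT64_C(1) << 48)
#define LIMIT_AES_GCM (UINT64_C(1) << 32)

/* Hypothetical usage record, one per C2S or S2C key. */
struct key_budget {
    uint64_t used;   /* messages protected under this key so far */
    uint64_t limit;  /* hard cap on messages for this key */
};

enum key_verdict { KEY_OK, KEY_REKEY_SOON, KEY_EXHAUSTED };

/* Charge one message to the key before using it. On KEY_EXHAUSTED the
 * caller must not use the key and has to negotiate a fresh one. */
enum key_verdict key_budget_charge(struct key_budget *kb)
{
    if (kb->used >= kb->limit)
        return KEY_EXHAUSTED;   /* refuse; the counter never passes the cap */
    kb->used++;
    /* Assumed margin: request a rollover once 3/4 of the budget is spent. */
    if (kb->used >= kb->limit - kb->limit / 4)
        return KEY_REKEY_SOON;
    return KEY_OK;
}

/* Whole seconds until the cap is reached at an aggregate message rate. */
uint64_t seconds_to_limit(const struct key_budget *kb, uint64_t msgs_per_sec)
{
    if (msgs_per_sec == 0)
        return UINT64_MAX;      /* an idle key never reaches the cap */
    return (kb->limit - kb->used) / msgs_per_sec;
}

int main(void)
{
    /* Constructed sample rates: one client, then a farm sharing one key. */
    const uint64_t rates[] = { 1, 5000 };
    struct key_budget gcm = { 0, LIMIT_AES_GCM };
    for (size_t i = 0; i < sizeof rates / sizeof rates[0]; i++)
        printf("2**32 limit at %llu msg/s: %llu days\n",
               (unsigned long long)rates[i],
               (unsigned long long)(seconds_to_limit(&gcm, rates[i]) / 86400));
    return 0;
}
```

At one message per second the 2**32 limit lasts 49710 days (the 136 years quoted above); at the sample rate of 5000 per second it lasts 9 days.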