> > is any virtue in generating new DH keys for every transaction
> > other than Perfect Forward Secrecy -- which you could do
> > just as good a job with by refreshing the key every couple
> > hours.
>
> Forward secrecy is exactly the point (that's what the temporary keys
> are for, if we leave aside export ciphers). You're right that it
> shouldn't be necessary to create a fresh key every time we need one,
> but it does not cost a lot;
I'm not sure what you mean by 'doesn't cost a lot'. It essentially
doubles the computation cost, because it requires two modular
exponentiations instead of one.
> and deleting the key from memory as soon
> as possible is a good thing, because you can very well imagine
> situations where an attacker might attack the server physically when
> they think that something interesting happened.
I'm not particularly impressed by this attack. The attacker might
just as well attack the server physically and keep it running
so he can continue to record transactions.
-Ekr
[Eric Rescorla [EMAIL PROTECTED]]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
