I think the performance enhancement (in terms of handshakes per second) that you get by reusing ephemeral keys is so great, that we have to assume people will do it. You don’t have to keep the keys indefinitely. It’s fine to generate a new key every second or ten seconds or so.
Which makes running the point validation all the more important.

Yoav

> On 15 Nov 2016, at 16:16, Watson Ladd <watsonbl...@gmail.com> wrote:
>
> Hello,
>
> There has been a lot of chatter on GitHub about point validation. I think it's
> important to note that in TLS 1.3 the Triple Handshake variants enabled by
> small subgroup attacks are no longer a threat: the issue is reuse of
> ephemeral Diffie-Hellman exponents, resulting in compromise of what is
> effectively a long-term key.
>
> I would want a belt and suspenders approach: no use of ephemeral exponents,
> and validation that points are on the curve. Order validation is unnecessary
> as the cofactor is small: in cases where it is not the curve probably
> shouldn't be used without a good reason, and I can't think of any.
>
> I know one implementation does keep ephemeral exponents indefinitely. This
> implementation also validates orders, which equals the expense of not
> regenerating ephemeral exponents.
>
> Sincerely,
> Watson
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
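The two defensive measures discussed in this thread, rejecting peer key shares that are not on the curve before using them, and bounding how long a cached ephemeral key is reused, as an added illustration that is not part of either message above. It uses the published NIST P-256 domain parameters (cofactor 1, so the optional full-order check is exactly the expensive multiplication Watson describes); the function and class names (`validate_peer_point`, `derive_shared_secret`, `RotatingEphemeralKey`) and the time budget are assumptions of this example, not anything from the TLS specification or a particular implementation.

```python
import secrets
import time

# NIST P-256 (secp256r1) domain parameters, from SEC 2 / FIPS 186-4.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INFINITY = None  # the group identity, represented as None


def is_on_curve(point):
    """Cheap check: coordinates in range and y^2 == x^3 + a*x + b (mod p)."""
    if point is INFINITY:
        return False  # the identity is never an acceptable key share
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine addition/doubling; pure Python, illustrative not constant-time."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY  # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication k*point."""
    result = INFINITY
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def validate_peer_point(point, check_order=False):
    """Return (ok, reason). The on-curve test is one field equation; the
    order test is a full scalar multiplication by n, which for a cofactor-1
    curve adds nothing beyond the on-curve test."""
    if not is_on_curve(point):
        return (False, "not on curve")
    if check_order and scalar_mult(N, point) is not INFINITY:
        return (False, "wrong order")
    return (True, "ok")


def derive_shared_secret(private_scalar, peer_point):
    """ECDH: validate the peer's share, then return the x-coordinate of d*Q.
    Raises ValueError rather than computing with an invalid point, so a
    reused private scalar cannot leak through small-subgroup queries."""
    ok, reason = validate_peer_point(peer_point)
    if not ok:
        raise ValueError("rejected peer key share: " + reason)
    shared = scalar_mult(private_scalar, peer_point)
    if shared is INFINITY:
        raise ValueError("shared point is the identity")
    return shared[0]


class RotatingEphemeralKey:
    """Caches one ephemeral key pair for at most max_age seconds (hypothetical
    policy matching the 'new key every second or ten seconds' suggestion)."""

    def __init__(self, max_age=1.0, clock=time.monotonic):
        self.max_age = max_age
        self.clock = clock
        self._priv = None
        self._created = None

    def current(self):
        now = self.clock()
        if self._priv is None or now - self._created >= self.max_age:
            self._priv = secrets.randbelow(N - 1) + 1  # uniform in [1, n-1]
            self._created = now
        return self._priv, scalar_mult(self._priv, G)
```

The constructed bad share `(Gx, Gy + 1)` fails the on-curve equation immediately, so the cached private scalar is never combined with it; the same validation runs whether the key is fresh or a few seconds old, which is the point of pairing rotation with validation rather than choosing one.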