On Tue, Jul 11, 2017 at 01:54:40PM -0700, Christian Huitema wrote:
> On 7/11/2017 1:31 PM, Stephen Farrell wrote:
> >
> > PS: There are also genuine performance reasons why the same
> > DH public might be re-used in some cases, so there would be
> > false positives in a survey to consider as well.
>
> Well, yes. The classic argument is performance. Saving the cost of
> exponentiation, computing G^X once for many sessions instead of once per
> session. But you reap most of the benefits of that optimization with a
> fairly small number of repetitions. Performance alone is not a good
> reason to use the key over an extended period, nor to share the exact same
> key between all servers in a farm. The fact is that wide reuse of the
> same (EC)DH private key does compromise the security of TLS -- including
> an obvious issue with forward secrecy.
Yes, the cost saturates very rapidly as the number of reuses increases. Even
100 reuses gets one within ~1% of the asymptotic limit (half load).

> In any case, I just submitted PR #1049
> (https://github.com/tlswg/tls13-spec/pull/1049).

I didn't see this document the attack on integrity (full MITM attack) of the
connection if the attacker has acquired the DH share before the connection.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
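The two points made in this message, that the saving from reusing one (EC)DH share saturates after a handful of sessions, and that whoever holds the reused private exponent can derive every session's key and then forge traffic, can be checked with a small model. The following is an added illustration, not code from the thread, the TLS 1.3 specification, or PR #1049. It assumes a plain finite-field DH over a toy 127-bit modulus with generator 2 (chosen only so the arithmetic runs; it is not a TLS group and not secure), a traffic key that is simply a hash of the shared secret (TLS 1.3's real key schedule mixes in the transcript and PSK, which the model omits), and HMAC-SHA256 standing in for record protection. The cost model counts one exponentiation to produce g^x plus one g^(xy) per session, so the per-session cost is (1 + n)/n against 2 for a fresh share each time:

```python
"""Model of (EC)DH share reuse: amortized cost, and what a leaked reused
private exponent buys an attacker. Added illustration; toy parameters."""
import hashlib
import hmac
import secrets

# Toy group (assumption): Mersenne prime 2^127 - 1 with generator 2. Far too
# small for real use; only the arithmetic shape matters for this model.
P = (1 << 127) - 1
G = 2


def exponentiations_per_session(reuses: int) -> float:
    """Server-side exponentiations per session when one share g^x serves
    `reuses` sessions: one to make the share plus one g^(xy) per session.
    A fresh share per session costs 2; the asymptotic limit is 1."""
    if reuses < 1:
        raise ValueError("reuses must be >= 1")
    return (1 + reuses) / reuses


def distance_from_limit(reuses: int) -> float:
    """Fractional gap between the cost at `reuses` and the limit of 1
    (i.e. half of the fresh-share cost)."""
    return exponentiations_per_session(reuses) - 1.0


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def traffic_key(shared: int) -> bytes:
    # Stand-in for a key schedule; the shared secret fits in 16 bytes here.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def handshake(server_priv: int, server_pub: int):
    """One client session against a server presenting the reused share.
    Returns the client's share (visible on the wire) and the session key."""
    c_priv, c_pub = dh_keypair()
    client_key = traffic_key(dh_shared(c_priv, server_pub))
    server_key = traffic_key(dh_shared(server_priv, c_pub))
    assert client_key == server_key
    return c_pub, client_key


def attacker_recovers_key(leaked_server_priv: int, observed_client_pub: int) -> bytes:
    """Holder of the reused private exponent needs only the client's share
    from the wire to compute the same session key."""
    return traffic_key(dh_shared(leaked_server_priv, observed_client_pub))


def protect(key: bytes, payload: bytes):
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)


def demo(sessions: int = 3):
    """Run `sessions` handshakes against one reused share, then show that a
    later leak of that share (a) recovers every past session key, defeating
    forward secrecy, and (b) lets the holder forge a record the peer accepts,
    defeating integrity. Returns (all_keys_recovered, forgery_accepted)."""
    server_priv, server_pub = dh_keypair()  # reused for every session
    recorded = [handshake(server_priv, server_pub) for _ in range(sessions)]
    recovered = [attacker_recovers_key(server_priv, c_pub) for c_pub, _ in recorded]
    all_keys_recovered = all(r == k for r, (_, k) in zip(recovered, recorded))
    payload, tag = protect(recovered[0], b"forged application data")
    forgery_accepted = verify(recorded[0][1], payload, tag)
    return all_keys_recovered, forgery_accepted


if __name__ == "__main__":
    for n in (1, 10, 100, 1000):
        print(f"{n:5d} reuses: {exponentiations_per_session(n):.4f} exp/session")
    print("keys recovered, forgery accepted:", demo())
```

The cost table is what the message's "within ~1% at 100 reuses" refers to: 101 exponentiations for 100 sessions is 1.01 per session against a floor of 1.0, so almost nothing is gained past a few dozen reuses, while every additional session that shares the exponent is added to what a single leak exposes. The model is passive (the attacker replays recorded client shares against the leaked exponent); an attacker who already holds the exponent while a connection is being set up is in the same position for that connection's keys, which is the integrity point the message raises.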