Hi,

3GPP has historically to a large degree used IPsec to protect interfaces in the core and radio access networks. Recently, 3GPP has more and more been specifying use of (D)TLS to replace or complement IPsec. Most 3GPP uses of (D)TLS are long-term connections.

Current best practice for long-term connections is to rerun Ephemeral Diffie-Hellman frequently to limit the impact of a key compromise. For IPsec, ANSSI (France) recommends rerunning Ephemeral Diffie-Hellman every hour and every 100 GB, BSI (Germany) recommends at least every 4 h, and NIST (USA) recommends at least every 8 h. These recommendations are formally for IPsec but make equal sense for any long-term connection such as (D)TLS.

If I understand correctly, the KeyUpdate handshake message only provides Forward Secrecy (compromise of the current key does not compromise old keys). To ensure that compromise of the current key does not compromise future keys (post-compromise security, backward secrecy, future secrecy) my understanding is that one would have to frequently terminate the connection and do resumption with psk_dh_ke. Seems like this would cause a noticeable interruption in the connection, or?

Are there any best practices for how to do frequent ephemeral Diffie-Hellman for long-term (D)TLS connections? Seems to me that frequent ephemeral Diffie-Hellman should be the recommendation for any long-term (D)TLS connection as it is for IPsec.

Cheers,
John
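
Added example, not part of the original message: the KeyUpdate derivation from RFC 8446, section 7.2, written out with SHA-256 to show why a leaked application traffic secret yields every later generation without any fresh Diffie-Hellman input. The starting secret is a constructed random value and the helper names are this example's own.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def next_traffic_secret(secret: bytes) -> bytes:
    """application_traffic_secret_N+1, as derived on KeyUpdate (RFC 8446, section 7.2)."""
    return hkdf_expand_label(secret, b"traffic upd", b"", HASH_LEN)

def secrets_after(secret: bytes, updates: int) -> list:
    """Every traffic secret reachable from `secret` through `updates` KeyUpdates."""
    chain = []
    for _ in range(updates):
        secret = next_traffic_secret(secret)
        chain.append(secret)
    return chain

def future_generations_recovered(secret_0: bytes, leaked_gen: int, last_gen: int) -> bool:
    """True if holding generation `leaked_gen` alone reproduces generations up to `last_gen`."""
    honest = [secret_0] + secrets_after(secret_0, last_gen)
    # The only input to the update is the previous secret: no fresh entropy enters.
    derived = secrets_after(honest[leaked_gen], last_gen - leaked_gen)
    return derived == honest[leaked_gen + 1:]

if __name__ == "__main__":
    # Constructed sample: random stand-in for application_traffic_secret_0.
    secret_0 = os.urandom(HASH_LEN)
    print("generations 3..5 recovered from leaked generation 2:",
          future_generations_recovered(secret_0, leaked_gen=2, last_gen=5))
```

Recovering an earlier generation would mean inverting HKDF-Expand, which is the forward secrecy the message attributes to KeyUpdate; stopping the forward derivation needs new key-exchange input, which this update step never takes.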