You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
From several discussions it appears that the importance of key updates is not well understand and the consequences can be fatal. The requirements are in place via numerous indirect links over TLS 1.3 spec and further documents.
Some crypto modes can handle a large number of packets safely while others break down statistically, including AES-GCM.
A solution could be to require key updates no later than after 2^32 packets and require a protocol error shutdown if peer does not rekey in time. While 2^32 may be early in some cases, it is not really a burden, and the alternative might be that implementations skip handling key updates.
From several discussions it appears that the importance of key updates is not well understand and the consequences can be fatal. The requirements are in place via numerous indirect links over TLS 1.3 spec and further documents.
Some crypto modes can handle a large number of packets safely while others break down statistically, including AES-GCM.
A solution could be to require key updates no later than after 2^32 packets and require a protocol error shutdown if peer does not rekey in time. While 2^32 may be early in some cases, it is not really a burden, and the alternative might be that implementations skip handling key updates.
See also discussion here:
#1405 (comment)
The text was updated successfully, but these errors were encountered: