Clarify and strengthen key update requirements #1457
Comments
martinthomson
added
editorial
|
The current design has limits for each cipher suite, that would be inherited from TLS. If we want to reference those requirements, we can do so. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From several discussions it appears that the importance of key updates is not well understand and the consequences can be fatal. The requirements are in place via numerous indirect links over TLS 1.3 spec and further documents.
Some crypto modes can handle a large number of packets safely while others break down statistically, including AES-GCM.
A solution could be to require key updates no later than after 2^32 packets and require a protocol error shutdown if peer does not rekey in time. While 2^32 may be early in some cases, it is not really a burden, and the alternative might be that implementations skip handling key updates.
See also discussion here:
#1405 (comment)
The text was updated successfully, but these errors were encountered: