Hi, Stephen

>
> - Wouldn't it be good to encourage minimising re-use of
> public values for multiple key exchanges? As-is, the text
> sort-of encourages use for "many key exchanges" in
> section 4.

I don’t think so. Re-use reduces the computation cost of an IKE Responder (or TLS server) without sacrificing security. There was some discussion of this in CFRG, but I see that it didn’t make it into RFC 7748, so all I can find is some StackExchange question ([1]).

It does make the static keypair valuable. It is definitely not a good idea to store the private key on-disk and keep it forever, but generating a new key once in a while and discarding the old key is usually a good compromise there.

Anyway, key-pair reuse is established practice. Using constant-time implementations is essential to making this practice safe, and the Security Considerations section says just that.

Yoav

[1] http://crypto.stackexchange.com/questions/11012/reuse-of-a-dh-ecdh-public-key

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
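
The practice described in the message above (one key pair reused for many exchanges, held only in memory, replaced once in a while), as an added Go example that is not part of the original message or of the draft under discussion. The type name ReusedKey and the use-count and age limits are assumptions; X25519 comes from Go's standard crypto/ecdh package.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
	"sync"
	"time"
)

// ReusedKey (hypothetical type) keeps one X25519 key pair in memory only and
// replaces it after maxUses exchanges or maxAge, whichever comes first.
type ReusedKey struct {
	mu            sync.Mutex
	priv          *ecdh.PrivateKey
	born          time.Time
	uses, maxUses int
	maxAge        time.Duration
}

// Exchange returns the responder's public value and the shared secret for one
// peer public value, rotating the key pair first if its limits are reached.
func (k *ReusedKey) Exchange(peerPub []byte) (pub, secret []byte, err error) {
	k.mu.Lock()
	defer k.mu.Unlock()
	if k.priv == nil || k.uses >= k.maxUses || time.Since(k.born) >= k.maxAge {
		// The old private key is dropped here; it was never written to disk.
		if k.priv, err = ecdh.X25519().GenerateKey(rand.Reader); err != nil {
			return nil, nil, err
		}
		k.born, k.uses = time.Now(), 0
	}
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, nil, err
	}
	// crypto/ecdh returns an error if the X25519 result is all zero.
	if secret, err = k.priv.ECDH(peer); err != nil {
		return nil, nil, err
	}
	k.uses++
	return k.priv.PublicKey().Bytes(), secret, nil
}

func main() {
	k := &ReusedKey{maxUses: 2, maxAge: time.Hour} // illustrative limits
	initiator, _ := ecdh.X25519().GenerateKey(rand.Reader)
	pub, _, err := k.Exchange(initiator.PublicKey().Bytes())
	fmt.Printf("responder public value: %x (err=%v)\n", pub, err)
}
```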