On Wed, Feb 28, 2001 at 10:53:57AM +0530, SRIDHAR BANDI wrote:
> Greetings,
>
> This is my first time I am hitting this mailing list.
>
> When a client and server establish a connection between them,
> they agree upon one symmetric key which they will use for
> transmitting the messages securely.
> But if that session stays for a very long time then that
> symmetric key they use can be broken and hacked.
Wrong presumptions, I think.
Presume that EVE can snoop all of the encrypted traffic.
Presume also that she is very determined to break into your data.
If the symmetric key cipher isn't strong enough to resist attack over the
presumably valid lifetime of the protected data, the cipher in use is
not good.
That is, the problem might not be the 40 bit encryption which anybody
breaks in between keystrokes, but that the 128 bit cipher isn't safe
for the foreseeable 3-10 years.
For example if you authenticate something via userid+password pair inside
the cipher protected transport, should you not change your password
regularly to make sure that a determined attacker gains no FUTURE access
to your data? (Similarly if you use user certificates, those must be
renewed frequently enough with short enough lifetimes.)
(Everything above is parroted from Bruce Schneier's Applied Cryptography.)
> Is there any mechanism by which we can set the
> lifetime of that symmetric key?
> Thanks in advance.
> thanks and regards,
> bandi
/Matti Aarnio - who needs to remind himself and his colleagues about
these lifetime issues over and over again...
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
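One way to enforce the session-key lifetime bandi asks about, as an added example that is not OpenSSL code and not from either poster: per-epoch traffic keys are derived with HKDF-SHA256 (RFC 5869) from an already-agreed master secret and rotated once a time or byte budget is spent, so breaking one epoch's key says nothing about the others. The master secret, salt string and limits are constructed values.

```python
import hmac
import hashlib
import time
from typing import Tuple


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                    # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class RekeyingSession:
    """Holds the current traffic key and rotates it when its lifetime is up:
    after max_seconds of wall-clock time or max_bytes of protected payload."""

    def __init__(self, master_secret: bytes, max_seconds: float,
                 max_bytes: int, clock=time.monotonic):
        self.master = master_secret           # agreed out of band (assumed)
        self.max_seconds, self.max_bytes = max_seconds, max_bytes
        self.clock = clock                    # injectable for testing
        self.epoch = -1
        self.rotate()

    def rotate(self) -> None:
        """Derive the next epoch's key; the epoch number in `info` makes
        each key independent of the previous ones."""
        self.epoch += 1
        self.key = hkdf_sha256(self.master, salt=b"session-salt",  # constructed
                               info=b"traffic key epoch %d" % self.epoch)
        self.key_born = self.clock()
        self.bytes_used = 0

    def key_for(self, payload_len: int) -> Tuple[int, bytes]:
        """Return (epoch, key) for the next payload, rotating first if the
        current key has exhausted either its time or its byte budget."""
        expired = (self.clock() - self.key_born >= self.max_seconds
                   or self.bytes_used + payload_len > self.max_bytes)
        if expired:
            self.rotate()
        self.bytes_used += payload_len
        return self.epoch, self.key
```

Both peers must run the same policy and tag each record with its epoch so the receiver derives the matching key; the byte limit matters even on a short session, since many ciphers' security bounds are stated per key in blocks encrypted, not in seconds.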