[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: WG Last Call for SKIP I-D
-----BEGIN PGP SIGNED MESSAGE-----
content-type: text/plain; charset=us-ascii
While key lifetimes of a week or two may technically qualify as
"perfect forward secrecy", I for one want *much* shorter lifetimes,
more on the order of minutes to perhaps an hour, max.
Hmm. Given the current CPU cost of exponential key exchange, I
suspect some installations will want somewhat longer lifetimes than 1
hour (though probably not ones as long as Ashar's "2 weeks").
Assuming that the modular exponentiation involved in the DH exchange
takes 1 CPU second, a system in regular communication with 1000 other
systems would then wind up spending just under 30% of its time doing
modular exponentiations.
Server fanout like this isn't as improbable as it might sound.. a
couple of AFS file servers at MIT I just checked have ~650 active
clients at the moment.
This brings up another point (and some suggested text for the photuris I-D):
If a number of communicating systems use similar SPI and/or exchange
lifetimes, their photuris exchanges will likely tend to cluster, which may
result in periodic CPU load spikes or other erratic
behavior.
To avoid this, implementations should add a significant amount of
random jitter to the exchange and SPI lifetimes to avoid
synchronization of this form. The exact amount of jitter needed
will need to be determined experimentally once photuris is deployed.
- Bill
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBML4+0Fpj/0M1dMJ/AQHcugP7Bl4SQnysw2+NopY2H01vvMqv0SClD3Qr
xQbuwwnjMORyqKWsnRECAufRZxXO5tnjerDO+6/ru/8JVhpRfArdkgamtnrUVUf8
gqViHNKVrOwIdJ6y5E4DZ9iwhxi7++hdRHBgaokVL4VRtZ1bUyqZvOTvWNK8oATe
gX0x32rlkDE=
=EqeE
-----END PGP SIGNATURE-----
References: