<P>
<B>Security Considerations</B>

<P>
All peers use the same
<B>--tls-crypt</B>

pre-shared group key to authenticate and encrypt control channel messages. To
ensure that IV collisions remain unlikely, this key should not be used to
encrypt more than 2^48 client-to-server or 2^48 server-to-client control
channel messages. A typical initial negotiation is about 10 packets in each
direction. Assuming both initial negotiation and renegotiations are at most
2^16 (65536) packets (to be conservative), and (re)negotiations happen each
minute for each user (24/7), this limits the tls-crypt key lifetime to 8171
years divided by the number of users. So a setup with 1000 users should rotate
the key at least once each eight years. (And a setup with 8000 users each
year.)
<P>
If IV collisions were to occur, this could result in the security of
<B>--tls-crypt</B>

degrading to the same security as using
<B>--tls-auth</B>.

That is, the control channel still benefits from the extra protection against
active man-in-the-middle attacks and DoS attacks, but may no longer offer
extra privacy and post-quantum security on top of what TLS itself offers.
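<P>
The key-lifetime arithmetic above, carried through as an added worked example (this is not code from the OpenVPN project or its manual). It takes the manual's own figures as defaults: a 2^48 per-direction message budget, a conservative 2^16 packets per (re)negotiation, one renegotiation per user per minute, and a 365-day year (which is what reproduces the manual's 8171-year figure). The function and parameter names are assumptions chosen for this example; the <B>packets_per_negotiation</B> and <B>reneg_interval_minutes</B> parameters let an operator plug in their own <B>--reneg-sec</B> policy and observed packet counts instead of the conservative defaults.

```python
"""Worked example (added here, not part of the OpenVPN manual):
how long one --tls-crypt pre-shared key may stay in service before the
per-direction control-channel message budget is exhausted.

All defaults are the manual's own assumptions: 2^48 messages per direction,
2^16 packets per (re)negotiation (deliberately conservative; a real initial
negotiation is about 10 packets per direction), one (re)negotiation per user
per minute, 24/7.
"""

MESSAGE_BUDGET_PER_DIRECTION = 2 ** 48   # bound stated by the manual
MINUTES_PER_YEAR = 365 * 24 * 60         # 365-day year reproduces the manual's 8171 years


def max_key_lifetime_years(users,
                           packets_per_negotiation=2 ** 16,
                           reneg_interval_minutes=1.0):
    """Years a single tls-crypt key may be used before either direction
    exceeds MESSAGE_BUDGET_PER_DIRECTION.

    Every (re)negotiation is assumed to send `packets_per_negotiation`
    messages in each direction, so the client->server and server->client
    counts are equal and one bound covers both.
    """
    if users <= 0:
        raise ValueError("users must be positive")
    messages_per_minute = users * packets_per_negotiation / reneg_interval_minutes
    minutes_until_budget_exhausted = MESSAGE_BUDGET_PER_DIRECTION / messages_per_minute
    return minutes_until_budget_exhausted / MINUTES_PER_YEAR


def rotation_within_budget(users, rotation_interval_years, **assumptions):
    """True if rotating the key every `rotation_interval_years` keeps the
    deployment inside the message budget under the given assumptions."""
    return rotation_interval_years <= max_key_lifetime_years(users, **assumptions)


if __name__ == "__main__":
    # Reproduce the manual's figures with its conservative assumptions.
    for n in (1, 1000, 8000):
        print(f"{n:>5} users: rotate at least every "
              f"{max_key_lifetime_years(n):.2f} years")
    # Same 1000-user deployment with the manual's 'about 10 packets' estimate
    # and a 60-minute --reneg-sec: shows how much headroom the conservative
    # 2^16 / 1-minute assumption leaves.
    print(f"1000 users, 10 pkts/neg, reneg hourly: "
          f"{max_key_lifetime_years(1000, 10, 60):.0f} years")
```

With the manual's conservative defaults the output reproduces its figures (about 8171 years for one user, about 8.17 years for 1000 users, about 1.02 years for 8000 users); switching to the realistic 10-packet negotiation and an hourly renegotiation interval shows how large the safety margin in the manual's estimate is. Note that the budget is per direction, so a deployment whose server-to-client traffic is markedly heavier than client-to-server should size the estimate on the larger count.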