| | 6194 | <P> |
| | 6195 | <B>Security Considerations</B> |
| | 6196 | |
| | 6197 | <P> |
| | 6198 | All peers use the same |
| | 6199 | <B>--tls-crypt</B> |
| | 6200 | |
| | 6201 | pre-shared group key to authenticate and encrypt control channel messages. To |
| | 6202 | ensure that IV collisions remain unlikely, this key should not be used to |
| | 6203 | encrypt more than 2^48 client-to-server or 2^48 server-to-client control |
| | 6204 | channel messages. A typical initial negotiation is about 10 packets in each |
| | 6205 | direction. Assuming both initial negotiation and renegotiations are at most |
| | 6206 | 2^16 (65536) packets (to be conservative), and (re)negotiations happen each |
| | 6207 | minute for each user (24/7), this limits the tls-crypt key lifetime to 8171 |
| | 6208 | years divided by the number of users. So a setup with 1000 users should rotate |
| | 6209 | the key at least once each eight years. (And a setup with 8000 users each |
| | 6210 | year.) |
| | 6211 | <P> |
| | 6212 | If IV collisions were to occur, this could result in the security of |
| | 6213 | <B>--tls-crypt</B> |
| | 6214 | |
| | 6215 | degrading to the same security as using |
| | 6216 | <B>--tls-auth</B>. |
| | 6217 | |
| | 6218 | That is, the control channel still benefits from the extra protection against |
| | 6219 | active man-in-the-middle-attacks and DoS attacks, but may no longer offer |
| | 6220 | extra privacy and post-quantum security on top of what TLS itself offers. |
