Results 1 to 7 of 7

Thread: Automatically rolling security keys?

  1. #1
    Join Date
    Jun 2008
    Beans
    93

    Automatically rolling security keys?

    I am building a chat application (for fun and learning) and I was wondering how useful is it to regenerate RSA/AES/etc. security keys automatically during runtime? I'm envisioning something where a new RSA/AES key is generated for both clients and server(s) at arbitrary intervals (every hour or whatnot, assuming the conversation lasts that long). If it is not useful, why not? Are there similar solutions that would be better?

  2. #2
    Join Date
    Mar 2007
    Beans
    776

    Re: Automatically rolling security keys?

    Why?
    Registered Linux User: 450747 Registered Ubuntu User: 16269

  3. #3
    Join Date
    Feb 2014
    Beans
    83
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Automatically rolling security keys?

    For your own education then fine, but please be sure to point this out to all who join you and chat with you using your hand rolled solution.

  4. #4
    Join Date
    Mar 2007
    Beans
    776

    Re: Automatically rolling security keys?

    Why? What would be the point of rekeying so frequently?
    Registered Linux User: 450747 Registered Ubuntu User: 16269

  5. #5
    Join Date
    Jun 2008
    Beans
    93

    Re: Automatically rolling security keys?

    Quote Originally Posted by ant2ne View Post
    Why?
    • To use a different sized key. The keys in my design will be created at runtime and never stored on disk, so during startup a smaller RSA key would be created in the interest of latency for the user, then replaced with a larger key.
    • To enact a form of forward secrecy (according to my admittedly limited understanding of it). If a given chat is kept open for a long time, it would effectively be the same 'session' for a long time, but if the keys are rolled every X timeframe, it would split it into multiple sessions.


    My biggest question is whether this is useful or not. The idea is I create an arbitrarily sized RSA key (say 2048, which takes about half a second to generate in Java) to transfer an arbitrarily sized AES key (say 256 bit). Then asynchronously I generate a much larger RSA key (say 8096, which takes about 90 seconds to generate) to transfer a new arbitrarily large AES key so the user isn't sitting there waiting for the key to be generated. Then regenerate both RSA and AES keys every arbitrary timeframe (every 30 minutes, every hour, etc.), would this timed regeneration provide any worthwhile security over the data in flight?
    Last edited by pcman312; April 10th, 2014 at 08:09 PM.

  6. #6
    Join Date
    Jun 2008
    Beans
    93

    Re: Automatically rolling security keys?

    Quote Originally Posted by open2reason View Post
    For your own education then fine, but please be sure to point this out to all who join you and chat with you using your hand rolled solution.
    Well, this is a totally self-contained chat program, so the changing of the keys would be made invisible to the user.
    Last edited by pcman312; April 11th, 2014 at 12:01 AM.

  7. #7
    Join Date
    Jun 2008
    Beans
    93

    Re: Automatically rolling security keys?

    If this doesn't provide any valuable security benefits, I want to know that too. Feel free to pick apart and/or destroy the idea.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •