Hi there, Daksong!
There is precious little documentation available for OpenSSL.
Even the manual [ http://www.openssl.org/docs/ ] is incomplete.
I only found one single article on the web, archived from Usenet.
The message contains the quote:
" -k key_gen_time
Specifies how often the ephemeral protocol version 1 server key is regenerated (default 3600 seconds, or one hour). The motivation for regenerating the key fairly often is that the key is not stored anywhere, and after about an hour, it becomes impossible to recover the key for decrypting intercepted communications even if the machine is cracked into or physically seized. A value of zero indicates that the key will never be regenerated."
As you can see, it performs the operation by itself every hour.
Another section contains:
"Yes, you do want renegotiations, for two reasons. One is that if you use the same key over a long period of time, you offer too much same-keyed cryptographic material to an attacker, and increase his chances of a successful attack. The second is that you limit the amount of data that can be compromised should someone get hold of your current key."
So basically, it isn't a bad idea to rekey every so often, and it would strengthen security considerably.
To view the entire thread, view the following (very long) URL:
http://groups.google.co.uk/groups?hl=en&lr=&ie=UTF-8&safe=off&threadm=20030411025825.GK79923%40perrin.int.nxad.com&rnum=1&prev=/groups%3Fq%3Drekey%2Bopenssl%2Boften%26hl%3Den%26lr%3D%26ie%3DUTF-8%26safe%3Doff%26selm%3D20030411025825.GK79923%2540perrin.int.nxad.com%26rnum%3D1
I hope that this makes it a little more clear for you.
Kind regards,
errol-ga.
Related Google searches:
"openssl rekey"
http://www.google.co.uk/search?q=openssl+rekey
"openssl session timeout"
http://www.google.co.uk/search?q=openssl+session+timeout
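An added example, not part of errol-ga's answer and not code from OpenSSL or OpenSSH, showing the two rekeying policies the quotes above describe in a few dozen lines of Python: a session key that is regenerated after a time interval (like sshd's -k key_gen_time, with 0 meaning "never") and also after a byte budget (the "too much same-keyed material" point), and that is held only in memory so that once a rekey has happened, earlier captured traffic cannot be decrypted even by someone who seizes the current state. The class, function and parameter names are invented for this illustration; the cipher inside it (HMAC-SHA256 run as a counter-mode keystream, with no authentication tag) is a constructed toy used only so the example runs with the standard library, and is not something to protect real traffic with.

```python
"""Toy demonstration of a timed and volume-limited rekeying policy.

Added example, not code from OpenSSL, OpenSSH or the original answer.
The cipher (HMAC-SHA256 as a counter-mode keystream, unauthenticated) is a
constructed stand-in for illustration only; never use it for real traffic.
"""
import hashlib
import hmac
import secrets
import struct
import time


class RekeyingChannel:
    """Sender-side state for a channel whose session key is regenerated
    (a) after key_gen_time seconds, mirroring sshd's -k key_gen_time, or
    (b) after max_bytes of plaintext have been encrypted under one key.

    The key exists only in this object's memory and is overwritten on
    rekey, so after a rekey nothing captured earlier can be decrypted, even
    by someone who obtains the current state. key_gen_time=0 means "never
    regenerate on a timer", matching the quoted manual text.
    """

    KEY_LEN = 32
    NONCE_LEN = 16

    def __init__(self, key_gen_time=3600, max_bytes=1 << 30, clock=time.monotonic):
        self.key_gen_time = key_gen_time
        self.max_bytes = max_bytes
        self._clock = clock          # injectable so tests can fake elapsed time
        self._key = None             # current session key; never written anywhere
        self.key_id = 0              # generation counter carried in each message header
        self._key_born = 0.0
        self._bytes_under_key = 0

    def _rekey(self):
        self._key = secrets.token_bytes(self.KEY_LEN)  # old key overwritten, not retained
        self.key_id += 1
        self._key_born = self._clock()
        self._bytes_under_key = 0

    def _rekey_if_due(self):
        if self._key is None:
            self._rekey()                                # first use: generate a key
        elif self.key_gen_time > 0 and self._clock() - self._key_born >= self.key_gen_time:
            self._rekey()                                # time-based regeneration
        elif self._bytes_under_key >= self.max_bytes:
            self._rekey()                                # volume-based regeneration

    def _keystream(self, nonce, length):
        """Constructed toy keystream: HMAC-SHA256(key, nonce || counter) blocks."""
        out = bytearray()
        counter = 0
        while len(out) < length:
            out.extend(hmac.new(self._key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
            counter += 1
        return bytes(out[:length])

    def encrypt(self, plaintext):
        self._rekey_if_due()
        nonce = secrets.token_bytes(self.NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        self._bytes_under_key += len(plaintext)
        return struct.pack(">I", self.key_id) + nonce + ct

    def decrypt(self, message):
        key_id = struct.unpack(">I", message[:4])[0]
        if self._key is None or key_id != self.key_id:
            # The generation that produced this message no longer exists anywhere.
            raise KeyError("key generation %d is gone; current generation is %d" % (key_id, self.key_id))
        nonce = message[4:4 + self.NONCE_LEN]
        ct = message[4 + self.NONCE_LEN:]
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def demo_time_rekey():
    """An hour passes between two messages; the first is no longer recoverable."""
    fake_now = [0.0]
    ch = RekeyingChannel(key_gen_time=3600, clock=lambda: fake_now[0])
    captured = ch.encrypt(b"intercepted earlier")   # an attacker recorded this
    fake_now[0] = 3600.0                            # key_gen_time has elapsed
    later = ch.encrypt(b"sent after rekey")         # triggers regeneration
    try:
        ch.decrypt(captured)
        recoverable = True
    except KeyError:
        recoverable = False
    return {"generations": ch.key_id, "later": ch.decrypt(later), "old_recoverable": recoverable}


if __name__ == "__main__":
    print(demo_time_rekey())
```

The point to take from the demo is the last field: after the timer fires the old generation is gone, so "seizing" the channel object (all its state is right there) yields nothing that decrypts the captured message. In a real protocol the peer has to agree to the new key through a renegotiation or key-exchange message; here the receiver side is elided and only the sender's bookkeeping is shown.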