[TLS] RC4+3DES rekeying - long-lived TLS connections

Peter Saint-Andre wrote:
> 
>                                            ...  For example in XMPP
> we use long-lived TCP connections and, on top of those, long-lived XML
> streams that can be TLS-protected. In practice, for server-to-server
> federation (and even for client-to-server communication) those
> connections might be up for days, weeks, even months. At this point the
> handling of long-lived XML streams is unspecified, but I would expect
> most XMPP servers to terminate the connection and force the other party
> to reconnect.

There was a discussion around long-lived SSL connections and
reasons for rekeying, e.g. using TLS renegotiation on mogul-open.

If you're using ciphersuites with RC4 or 3DES encryption algorithms,
you probably should not use such connections for prolonged times
or huge amounts of data without rekeying (see below).

The other issue: if you're authenticating such a connection once
based on X.509 certificates and leave it open for months, you might
want to talk to the PKIX folks about this.

They might feel uneasy if you happily continue to communicate
based on an authentication that was weeks or months in the past
and do not care at all that the authentication cert may have long
expired or been revoked in the meantime.

(I'm not a crypto-guy, so I'm just quoting this:)

: Subject: Re: DES & renegotiation
: Date:    Thu, 19 Nov 2009 17:08:36 -0800
: From:    Geoff Keating <geoffk at apple.com>
:
:
: For a 64-bit block cipher, at 2^32 blocks (32Gbytes), there's about a
: 40% chance of a collision.  If you prefer your cryptosystems to have
: more like a 1-in-a-million chance of leaking information, you'd need to
: re-key every 48Mbytes or so.  (For 128-bit blocks a 1-in-a-million
: chance requires petabytes of data.)
:
: Most web servers on the visible Internet do support AES; in fact, well
: over half support TLS_DHE_RSA_WITH_AES_256_CBC_SHA (although among the
: most popular servers, the non-DHE AES variants are chosen more often).
: When asking servers to negotiate a cipher out of a fairly long list,
: I found:
:
: 71% AES
: 25% RC4
: 4% 3DES
: (values add to 100% only because of rounding)
:
: A quick survey of 30 randomly-chosen servers that chose 3DES indicated
: that most were running Apache 1.3.x with a variety of older OpenSSL
: versions, the most recent being 0.9.6i.  A few were running IIS/6.0.


-Martin

PS: WinXP and Win2K3 do not support AES ciphersuites.
    Btw. WinXP was shipped with new NetBooks well into 2009.
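
The figures in the quoted message follow from the birthday bound for block ciphers. The sketch below is an added example, not part of the original message: it reproduces those numbers and turns them into a per-key byte budget for a long-lived connection. The function names, the RekeyTracker class and the traffic sizes are constructed for illustration, and the model covers block ciphers (3DES, AES) only.

```python
import math

def collision_probability(block_bits: int, blocks: int) -> float:
    """Birthday approximation: chance that at least two of `blocks`
    ciphertext blocks produced under one key are identical."""
    # p ~= 1 - exp(-n(n-1) / 2^(b+1)); expm1 keeps precision for tiny p
    exponent = -blocks * (blocks - 1) / 2.0 ** (block_bits + 1)
    return -math.expm1(exponent)

def rekey_budget_bytes(block_bits: int, max_probability: float) -> int:
    """Bytes that may be encrypted under one key before the collision
    probability reaches `max_probability` (inverse of the bound above)."""
    # n ~= sqrt(2^(b+1) * ln(1 / (1 - p)))
    n = math.sqrt(2.0 ** (block_bits + 1) * -math.log1p(-max_probability))
    return int(n) * (block_bits // 8)

class RekeyTracker:
    """Counts bytes protected under the current key of one connection
    and reports when the budget is exhausted."""

    def __init__(self, block_bits: int, max_probability: float):
        self.budget = rekey_budget_bytes(block_bits, max_probability)
        self.used = 0

    def record(self, nbytes: int) -> bool:
        """Account for nbytes of traffic; True means a rekey is due."""
        self.used += nbytes
        return self.used >= self.budget

    def rekeyed(self) -> None:
        """Call after new keys are in place (e.g. after renegotiation)."""
        self.used = 0

if __name__ == "__main__":
    print("64-bit block, 2^32 blocks: p = %.3f"
          % collision_probability(64, 2 ** 32))
    for bits in (64, 128):
        print("%3d-bit block, p <= 1e-6: rekey every %.3g bytes"
              % (bits, rekey_budget_bytes(bits, 1e-6)))
    # Constructed traffic: a 3DES-protected stream sending 10 MB chunks
    tracker = RekeyTracker(block_bits=64, max_probability=1e-6)
    for chunk in range(1, 7):
        if tracker.record(10_000_000):
            print("rekey due after chunk", chunk)
            tracker.rekeyed()
```
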

