
OpenVPN allows the use of its 'reneg-sec' option to renegotiate keys for the data channel at a specified interval. This helped protect against exploits like Sweet32 with 64-bit block ciphers a while ago. Apparently, only 32GB of retrieved data is needed on a 64-bit block to reach the birthday bound for which the cipher becomes unsafe.

However, with larger ciphers this bound becomes increasingly difficult to achieve, probably up to the realm of impossibility in a practical sense. For example, a 128-bit cipher would need 256 exabytes of data, whilst a 256-bit cipher would need approximately 2.7 * 10^13 exabytes of data, much more data than there was meant to be on the entire internet in 2019. Therefore, when using ciphers of this length, surely key renegotiation is no longer necessary when the amount of data required to exploit it is practically impossible to get from a session?

I've checked some of NordVPN's OpenVPN configurations, and they have their client-side reneg-sec option set to 0 to disable the renegotiation whilst using AES-256-GCM as the cipher. This seems to back up my belief that with these larger ciphers comes the deprecation of such an option.

Is my thinking correct? Or are there still other advantages/exploits that using renegotiation every hour or so achieves/protects against? Thanks.

Letal1s

1 Answer


There are no known practical attacks against AES-256-CBC no matter how much data you have recorded, to my knowledge.

Now, I professionally tell complete strangers to change their keys often to avoid IV reuse, especially with CBC. Is this a practical concern for most applications? Probably not. But it's considered best practice last I read.

foreverska
  • Thanks for the insight, although I made a mistake from what I found in some configurations. It wasn't a CBC cipher it was AES-256-GCM. For GCM 256 bits, would it be safe to not renegotiate so that I don't get any interruptions? – Letal1s May 18 '22 at 16:11
  • GCM has its own peculiarities surrounding its IV. But IV reuse is still a concern. But security is all about threat models. When we talk about IV reuse we are saying two completely randomly chosen IVs are the same. Feel free to calculate those odds, the amount of data that happens in the meantime and how much data you produce per second. Then consider if your attacker has that much attention span. But officially, you should change your keys periodically to avoid this threat. – foreverska May 18 '22 at 16:37
  • Thanks. I guess if commercial VPN providers are disabling renegotiation they can't think it's that much of a problem for my use case. However to be on the safe side, I think I might set my renegotiation period to 24hrs for if I keep connected for a very long time. – Letal1s May 18 '22 at 16:44
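The following is an added example, not code from the question, the answer or OpenVPN itself. It works through the two per-key limits discussed on this page for several OpenVPN data-channel ciphers: the birthday bound of the block size (the Sweet32 figure the question computes) and, for AES-GCM, exhaustion of the per-packet nonce counter, which is what the IV-reuse concern in the comments comes down to when the nonce is a counter rather than a random value. The cipher table, the 1 Gbit/s throughput and the 100,000 packets/s rate are constructed inputs; the 32-bit explicit nonce counter is an assumption modelled on OpenVPN's 32-bit packet-id, and treating half of the binding horizon as a comfortable `reneg-sec` is likewise an assumed margin, not an OpenVPN rule.

```python
# Added example: how much traffic one data-channel key may carry before
# two well-known per-key limits are reached, and what reneg-sec that implies.
#
# 1. Birthday bound of the BLOCK size: after about 2**(n/2) blocks of an
#    n-bit block cipher, a ciphertext-block collision becomes likely enough
#    to leak plaintext XORs in CBC mode (the Sweet32 setting).
#    The bound depends on the block size, not the key size: AES-128 and
#    AES-256 both have a 128-bit block, so they share the same figure.
# 2. Nonce-counter exhaustion for AES-GCM: a nonce must never repeat under
#    one key. Assumption made here: the explicit nonce part is a 32-bit
#    per-packet counter (modelled on OpenVPN's 32-bit packet-id), so at most
#    2**32 packets may be sent under one key.
from dataclasses import dataclass
from typing import Optional

# Constructed table of block sizes in bits for common OpenVPN ciphers.
CIPHER_BLOCK_BITS = {
    "BF-CBC": 64,        # Blowfish, the Sweet32 case
    "3DES-CBC": 64,
    "AES-128-CBC": 128,
    "AES-256-CBC": 128,  # larger key, same 128-bit block
    "AES-256-GCM": 128,
}

PACKET_COUNTER_BITS = 32  # assumed width of the per-packet nonce counter
UNITS = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB", "YiB"]


def birthday_bound_bytes(block_bits: int) -> int:
    """Bytes encrypted under one key by the time ~2**(n/2) blocks have been seen."""
    blocks = 2 ** (block_bits // 2)
    return blocks * (block_bits // 8)


def gcm_packet_limit() -> int:
    """Packets per key before the explicit nonce counter would wrap."""
    return 2 ** PACKET_COUNTER_BITS


def human(n: int) -> str:
    """Format a byte count in binary units; exact powers of two print as integers."""
    value, i = float(n), 0
    while value >= 1024 and i < len(UNITS) - 1:
        value /= 1024
        i += 1
    return f"{int(value)} {UNITS[i]}" if value == int(value) else f"{value:.1f} {UNITS[i]}"


@dataclass
class KeyLimits:
    cipher: str
    birthday_bytes: int                 # bytes before the block-size birthday bound
    birthday_seconds: float             # time to reach it at the given throughput
    counter_packets: Optional[int]      # AEAD only: packets before the counter wraps
    counter_seconds: Optional[float]    # time to reach it at the given packet rate
    binding: str                        # which of the two limits is hit first


def key_limits(cipher: str, bytes_per_second: float, packets_per_second: float) -> KeyLimits:
    """Evaluate both limits for a cipher at a given traffic profile."""
    bb = birthday_bound_bytes(CIPHER_BLOCK_BITS[cipher])
    bsec = bb / bytes_per_second
    if cipher.endswith("-GCM"):
        cp: Optional[int] = gcm_packet_limit()
        csec: Optional[float] = cp / packets_per_second
    else:
        cp = csec = None
    binding = "nonce counter" if csec is not None and csec < bsec else "birthday bound"
    return KeyLimits(cipher, bb, bsec, cp, csec, binding)


def max_reneg_sec(limits: KeyLimits, margin: float = 0.5) -> int:
    """Largest reneg-sec that rekeys with the assumed margin before the binding limit."""
    horizon = limits.birthday_seconds
    if limits.counter_seconds is not None:
        horizon = min(horizon, limits.counter_seconds)
    return int(horizon * margin)


if __name__ == "__main__":
    GBIT_PER_SEC = 1e9 / 8          # constructed: a saturated 1 Gbit/s link
    PACKETS_PER_SEC = 100_000       # constructed: roughly 1250-byte packets at that rate
    for cipher in CIPHER_BLOCK_BITS:
        lim = key_limits(cipher, GBIT_PER_SEC, PACKETS_PER_SEC)
        print(f"{cipher:12} birthday bound {human(lim.birthday_bytes):>8} "
              f"(~{lim.birthday_seconds / 3600:.3g} h)  binding limit: {lim.binding:14} "
              f"max reneg-sec {max_reneg_sec(lim)}")
```

Run as-is, the table shows the two things this thread circles around: the 64-bit ciphers reach 32 GiB in under five minutes at 1 Gbit/s, so an hourly `reneg-sec` would not have saved them, while every AES variant, AES-256 included, gets the same 256 EiB figure because the block is 128 bits regardless of key length. For AES-256-GCM, though, the assumed 32-bit packet counter wraps after about twelve hours at 100,000 packets/s, long before the birthday bound matters, which is a concrete reason to keep some rekey trigger (OpenVPN also offers `reneg-bytes` and `reneg-pkts`) even when `reneg-sec 0` looks harmless on data-volume grounds alone.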