5

Is there any Best Practice as far as changing IPSec pre-shared keys for security purposes? Obviously, larger companies would have an issue changing these and then pushing the new key out to the user machines. Any thoughts?

OtherDevOpsGene
George Coles
  • I think this will probably turn out to be opinionated. I'd say you only have to change it if you believe your system is compromised. Scrub your system before changing it, and make sure each of your VPNs has a separate PSK. – RoraΖ Oct 17 '14 at 13:23

1 Answer

7

Changing the key will give you any benefit only if all of the following properties are met:

  • The old key has somehow leaked and an evil-minded outsider knows it.
  • Whatever method was used to leak the old key will not be easily and promptly reproduced by that outsider.
  • The aforementioned outsider has not completely plundered your data, installed malware and backdoors on your machines, and generally plunged your network into utter chaos, making the point moot.

Now that we have computers and networks, these three properties are only very rarely met together. The habit of changing keys regularly comes from older times, before computers, and in military contexts. Armies know that they must deal with, at any time, a number of infiltrated agents; such agents can deal some harm, but need time and continued presence for that; and cryptographic algorithms from the 1930s were invariably somewhat weak, making gradual leaks unavoidable. In an army from that era, changing keys on a weekly or daily basis made a lot of sense. In 2014 with computers and networks, much less so. Algorithms and protocols used in IPsec can encrypt thousands of terabytes without leaking anything about the key; and if an intruder learns the key then he will enact his mischiefs in a matter of seconds, not weeks. We can thus say that changing pre-shared keys for IPsec is mostly useless.

You may still need to change keys, as a "best practice", not to prevent or contain attacks, but to ease the qualms of people who still think with a 1930s' mindset, and believe that "security" is some sort of commodity that you can obtain in bulk and accumulate through best practices. Since there is no real scientific base for a key renewal frequency, every organization that publishes "best practices" tends to make its own mix, with frequencies typically ranging between "once per week" and "every three months".


Making sure that each client of your VPN has his own pre-shared key, distinct from other clients, is another matter. That is very useful, because it allows you to basically evict any client without having to trust him to no longer use his key, and without redistributing a new key to all other clients. So don't renew keys on a regular basis; instead, make sure that each client has its own key. This will be a lot more useful for security.

Thomas Pornin
  • How does this line of thought relate to https certificates that nowadays rotate relatively frequently? I thought the argument was also due to risks around the key over long periods of time. – eglasius Oct 09 '20 at 06:48
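
The answer's point about per-client keys, sketched as an added example (not code from the answer or from any IPsec product): a gateway-side key table is modelled as a plain dict, and `evict` reports which remaining clients must receive a new key. The function names and client identifiers are hypothetical and constructed for illustration.

```python
import secrets


def new_psk():
    # 256 bits from the OS CSPRNG, hex-encoded.
    return secrets.token_hex(32)


def enroll_per_client(client_ids):
    # Recommended model: every client identity gets its own PSK.
    return {cid: new_psk() for cid in client_ids}


def enroll_shared(client_ids):
    # Weak model: one PSK copied to every client.
    psk = new_psk()
    return {cid: psk for cid in client_ids}


def evict(table, leaver):
    """Remove `leaver` and re-key anyone who held the same PSK.

    Returns the sorted list of remaining clients that now need a new
    key pushed to them (empty when keys are per-client).
    """
    leaked = table.pop(leaver)
    affected = sorted(cid for cid, psk in table.items()
                      if secrets.compare_digest(psk, leaked))
    if affected:
        replacement = new_psk()
        for cid in affected:
            table[cid] = replacement
    return affected


def authenticate(table, client_id, presented):
    # Constant-time comparison against the key stored for this identity.
    expected = table.get(client_id)
    return expected is not None and secrets.compare_digest(expected, presented)


if __name__ == "__main__":
    ids = ["laptop-a", "laptop-b", "laptop-c"]  # constructed sample identities
    print("per-client, re-provision:", evict(enroll_per_client(ids), "laptop-b"))
    print("shared key, re-provision:", evict(enroll_shared(ids), "laptop-b"))
```
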