
Damage & Defense…
Key Lifetime—Short versus Long and PFS
When planning your VPN deployment, consider the key lifetime and perfect
forward secrecy (PFS) together in relation to security. Because enabling PFS
requires additional processing time and resources, some administrators choose
not to use it and instead opt for a shorter key lifetime. This, however, can be a
bad practice. If a successful man-in-the-middle attack were able to discover the
SKEYID_d key, all keys derived from that key could be compromised. Enabling PFS,
even with a longer key lifetime, is actually a more secure practice than having a
short key lifetime with no PFS.
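The following Python model illustrates the point above. It is an added example, not code from the book or from any IKE implementation. It follows the shape of the IKEv1 Quick Mode derivation in RFC 2409 section 5.5 (KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)), but HMAC-SHA256 standing in for the negotiated prf, the tiny Diffie-Hellman group, and the helper names are all assumptions made for illustration. It simulates a series of rekeys with and without PFS, then models an observer who holds SKEYID_d plus the wire transcript and counts how many child SA keys that observer can recompute.

```python
"""Model of IKEv1 Quick Mode key derivation with and without PFS.

Shows why a captured SKEYID_d exposes every child SA key when PFS is off
(no matter how short the lifetime), but none of them when each rekey mixes
in a fresh Diffie-Hellman secret.  Added illustration: HMAC-SHA256 as the
prf and the toy DH group are assumptions, not real IKE parameters.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy Diffie-Hellman group: CONSTRUCTED for illustration, far too small for real use.
TOY_P = 2**127 - 1
TOY_G = 3
ESP_PROTOCOL_ID = b"\x03"  # protocol identifier for ESP in the KEYMAT input


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated IKE prf (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair() -> tuple[int, int]:
    """Private exponent and public value in the toy group."""
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def dh_shared(private: int, peer_public: int) -> bytes:
    return pow(peer_public, private, TOY_P).to_bytes(16, "big")


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, g_xy: bytes = b"") -> bytes:
    """RFC 2409 s5.5 shape: prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    g_xy is empty when PFS is off and the fresh Quick Mode DH secret when it is on."""
    return prf(skeyid_d, g_xy + ESP_PROTOCOL_ID + spi + ni + nr)


@dataclass
class Rekey:
    """What a passive observer sees on the wire for one Quick Mode exchange."""
    spi: bytes
    ni: bytes
    nr: bytes
    g_x: int | None  # initiator DH public value (PFS only)
    g_y: int | None  # responder DH public value (PFS only)


def run_rekeys(skeyid_d: bytes, count: int, pfs: bool) -> tuple[list[Rekey], list[bytes]]:
    """Simulate `count` rekeys; return the public transcript and the real child keys."""
    transcript, real_keys = [], []
    for _ in range(count):
        spi, ni, nr = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
        if pfs:
            x, g_x = dh_keypair()
            y, g_y = dh_keypair()
            g_xy = dh_shared(x, g_y)          # both peers compute the same secret
            assert g_xy == dh_shared(y, g_x)
        else:
            g_x = g_y = None
            g_xy = b""                        # no fresh DH: SKEYID_d is the only secret input
        transcript.append(Rekey(spi, ni, nr, g_x, g_y))
        real_keys.append(keymat(skeyid_d, spi, ni, nr, g_xy))
    return transcript, real_keys


def recovered_keys(skeyid_d: bytes, transcript: list[Rekey], real_keys: list[bytes]) -> int:
    """Observer model: holds SKEYID_d and the wire transcript, nothing else.
    With PFS the missing input is g^xy; the public g^x and g^y on the wire do
    not yield it without solving the discrete log, so the recomputation fails."""
    hits = 0
    for r, real in zip(transcript, real_keys):
        guess = keymat(skeyid_d, r.spi, r.ni, r.nr)  # only transcript fields available
        hits += hmac.compare_digest(guess, real)
    return hits


def compromise_fraction(pfs: bool, rekeys: int = 8) -> float:
    """Fraction of child SA keys recomputable from a leaked SKEYID_d."""
    skeyid_d = secrets.token_bytes(32)
    transcript, real_keys = run_rekeys(skeyid_d, rekeys, pfs)
    return recovered_keys(skeyid_d, transcript, real_keys) / rekeys


if __name__ == "__main__":
    print("no PFS, short lifetime (8 rekeys): %.0f%% of child keys recovered"
          % (100 * compromise_fraction(False)))
    print("PFS,    long lifetime  (2 rekeys): %.0f%% of child keys recovered"
          % (100 * compromise_fraction(True, 2)))
```

A shorter lifetime only adds more rekeys to the no-PFS run, and every one of them is recomputable from the same leaked SKEYID_d; with PFS, each child key depends on a DH secret that never appears on the wire, so the leak buys the observer nothing for past or future child SAs.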
Public Key Cryptography ...