dominictarr / pull-box-stream

One way streaming encryption based on libsodium's secretbox primitive
MIT License

idea for simple forward security #6

Open dominictarr opened 9 years ago

dominictarr commented 9 years ago

If this protocol encrypted a long running session (assuming it was used with a suitable handshake protocol) and one of the machines was compromised, then the attacker would be able to decrypt logged messages back to the start of the connection.

A simple way to improve this would be to rehash the key every N packets or M bytes, so key becomes hash(key), and the old key is deleted from memory. You can't predict x given hash(x), so the attacker won't know the key for previous sessions.

Though it has come to my attention that some say that keys should not be derived by simply hashing something - that the output might not be as random as you think: https://eprint.iacr.org/2010/264.pdf This will require more investigation... I think if you HMAC'd the key that would be okay.