
I currently have a system which uses two keys sourced from a single key subjected to HKDF. One key is used in the Salsa20 stream cipher and the other is used for a SHA-2 based HMAC.

Given that the stream cipher (Salsa20) is being used for a persistent stream lasting a long time (perhaps hours) with frequent data exchange, is key renewal required (where the key used for the cipher is renegotiated)?

Furthermore, is there a defined period of time in which this key renewal should take place? I read this question here and found that stream ciphers like RC4 and Salsa20 have a period, but is there any security vulnerability in letting their internal counters rollover?

The same questions apply for the SHA-2 HMAC: should the key for the HMAC be replaced after some period of time? Or is the act of replacing the key itself a security vulnerability?

I can provide code if that would be helpful.

initramfs

1 Answer


Salsa20 has essentially no limits on its own for data volume: it can be used for up to $2^{64}$ messages of up to $2^{70}$ bytes apiece. You could use it in a nonstandard way for, say, more messages if they're each smaller, by carving up the input to the PRF differently, as long as the total volume of data is below $2^{134}$ bytes. You certainly can't exhaust this volume or even this many messages in a few hours. There's no reason to complicate a protocol with key rotation just to limit the number of bytes or messages encrypted under a Salsa20 key.

But you may want to deliberately erase a conversation. For that to be effective, you must be able to erase the key that can decrypt a transcript of the ciphertext over the network. How often you do that depends on your protocol: for example, with modern messengers, key erasure happens after every message, while with TLS, it typically happens after a TLS session completes (though there have been a raft of historical mistakes in the design and implementation of TLS session resumption failing to erase keys).

Squeamish Ossifrage
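The answer's volume figures come from Salsa20's block layout: a 64-bit nonce plus a 64-bit block counter, 64 bytes of keystream per block, so $2^{64} \cdot 64 = 2^{70}$ bytes per nonce. The following added example (not part of the question or the answer above) implements the Salsa20/20 block function from the published specification, derives the two keys the question describes with an HKDF-SHA256 written on top of the standard library, and then shows concretely what the counter rollover the question asks about does: after block $2^{64}-1$ the counter wraps to 0 and the keystream repeats, which turns the stream into a two-time pad. The master key, salt and info labels are constructed here for illustration and are not values from the original post.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
# Salsa20 constants for a 32-byte key, as four little-endian words of "expand 32-byte k"
SIGMA = struct.unpack("<4I", b"expand 32-byte k")


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarterround(y0, y1, y2, y3):
    y1 ^= _rotl32((y0 + y3) & MASK32, 7)
    y2 ^= _rotl32((y1 + y0) & MASK32, 9)
    y3 ^= _rotl32((y2 + y1) & MASK32, 13)
    y0 ^= _rotl32((y3 + y2) & MASK32, 18)
    return y0, y1, y2, y3


def salsa20_block(key, nonce, counter):
    """Salsa20/20 block function: 32-byte key, 8-byte nonce, 64-bit block counter -> 64 keystream bytes."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter & MASK64))  # counter occupies words 8 and 9
    state = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1],
             c[0], c[1], SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    x = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        x[0], x[4], x[8], x[12] = _quarterround(x[0], x[4], x[8], x[12])      # column round
        x[5], x[9], x[13], x[1] = _quarterround(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = _quarterround(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = _quarterround(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = _quarterround(x[0], x[1], x[2], x[3])        # row round
        x[5], x[6], x[7], x[4] = _quarterround(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = _quarterround(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = _quarterround(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *[(a + b) & MASK32 for a, b in zip(x, state)])


def salsa20_xor(key, nonce, data, counter=0):
    """XOR data with the Salsa20 keystream starting at the given block counter (encrypt == decrypt)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = salsa20_block(key, nonce, counter)
        counter = (counter + 1) & MASK64  # the real cipher's counter is 64 bits and wraps the same way
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)


def hkdf_sha256(ikm, salt, info, length):
    """RFC 5869 HKDF with SHA-256 (extract then expand), built on the standard library."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        okm += t
        i += 1
    return okm[:length]


def derive_session_keys(master, salt):
    """Two independent keys from one master key, separated by distinct info labels (labels are assumptions)."""
    enc_key = hkdf_sha256(master, salt, b"example salsa20 key", 32)
    mac_key = hkdf_sha256(master, salt, b"example hmac-sha256 key", 32)
    return enc_key, mac_key


def counter_wraps_to_block_zero(key, nonce):
    """After block 2**64-1 the counter wraps and the next keystream block equals block 0."""
    ks = salsa20_xor(key, nonce, bytes(128), counter=2**64 - 1)  # two blocks: last counter value, then wrap
    return ks[64:] == salsa20_block(key, nonce, 0)


def two_time_pad_leak(key, nonce, p1, p2):
    """Keystream reuse leaks p1 XOR p2 to anyone holding both ciphertexts (no key needed)."""
    c1 = salsa20_xor(key, nonce, p1)
    c2 = salsa20_xor(key, nonce, p2)  # same key, nonce and counter: same keystream
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))


# Constructed demo values (not from the original post)
MASTER = hashlib.sha256(b"constructed master secret").digest()
SALT = b"constructed 16B salt"
NONCE = b"\x00\x01\x02\x03\x04\x05\x06\x07"

if __name__ == "__main__":
    enc_key, mac_key = derive_session_keys(MASTER, SALT)
    msg = b"hours of traffic under one key are fine; keystream reuse is not"
    ct = salsa20_xor(enc_key, NONCE, msg)
    print(salsa20_xor(enc_key, NONCE, ct) == msg)
    print(counter_wraps_to_block_zero(enc_key, NONCE))
```

The HMAC key needs no rotation for volume reasons either; the reason to replace either key is the one the answer gives, erasing the ability to decrypt an already-captured transcript, and `derive_session_keys` with a fresh master (or salt) is the natural place to do that.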