RE: Last ditch proposal for crypto suites
I know SHA-2 is a bit new, but I think it is worth it for the following
good reasons.
1. It's better to just have one hash in the suite for all uses. As a
rule of thumb I always try to select a hash with twice the bits of the
corresponding block cipher, mainly because of the square root
attack (birthday attack). So AES-128 should use SHA2-256.
2. SHA-2 is scalable, with different hash lengths available (256, 384, 512),
which complement AES key lengths nicely. Assuming SHA-2 holds up
then this will give us a simple implementation path to be forward
compatible without issuing a new RFC for a new flavor-of-the-year hash.
- Alex
At 08:00 AM 8/30/2002 -0700, Walker, Jesse wrote:
>Hi Paul,
>
>I agree with you. SHA1 is the right choice. No one has presented a plausible
>argument why IPsec should migrate to SHA2 for data origin authenticity.
>
>There are other selections needed to complete the cipher suite:
>
>1. PRF
>2. Diffie-Hellman group
>3. RSA key size
>
>SHA2 might be an appropriate choice to use in the PRF, given that was
>designed with the intent of supporting 128- and 256-bit key derivation. I am
>only raising a point for discussion, not making or defending a suggestion.
>
>-- Jesse
>
--
Alex Alten
Alten@ATTBI.com
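The "twice the bits" rule of thumb in Alex's message rests on the birthday bound: finding a collision in an n-bit hash costs roughly 2^(n/2) work, so matching a 128-bit cipher key calls for a 256-bit hash. The following script, added here as an illustration and not part of the original mail or of any IPsec working-group material, checks that bound empirically by truncating SHA-256 to a small width (a constructed stand-in for a short hash) and counting how many inputs are needed before two of them share a prefix; the pairing table for AES key lengths restates the message's suggestion and is an assumption of the example, not a standardized suite.

```python
"""Birthday-bound illustration for the hash-size rule of thumb.

Added example: not code from the mailing-list post. Assumes SHA-256
truncated to `width` bits behaves like an ideal `width`-bit hash.
"""
import hashlib
import math


def collision_security_bits(hash_bits: int) -> int:
    """Generic collision resistance of an n-bit hash is about 2^(n/2) work."""
    return hash_bits // 2


def matching_hash_bits(cipher_key_bits: int) -> int:
    """Hash length whose collision strength matches a k-bit cipher key (2k)."""
    return 2 * cipher_key_bits


# Assumed pairing from the message: AES key size -> SHA-2 variant.
SUITE_PAIRING = {128: "SHA-256", 192: "SHA-384", 256: "SHA-512"}


def expected_trials(width: int) -> float:
    """Expected number of random inputs before the first collision (birthday paradox):
    sqrt(pi/2 * 2^width)."""
    return math.sqrt(math.pi / 2 * (1 << width))


def truncated_hash(data: bytes, width: int) -> int:
    """Top `width` bits of SHA-256(data), used as a toy short hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - width)


def find_collision(width: int, domain_tag: bytes) -> int:
    """Hash counter inputs (prefixed with a constructed tag so each run differs)
    until two inputs share the same truncated value; return the trial count."""
    seen = {}
    counter = 0
    while True:
        tag = truncated_hash(domain_tag + counter.to_bytes(8, "big"), width)
        if tag in seen:
            return counter + 1  # collision found on this trial
        seen[tag] = counter
        counter += 1


def mean_trials(width: int, runs: int = 8) -> float:
    """Average first-collision trial count over several independent runs."""
    return sum(find_collision(width, b"run-%d" % i) for i in range(runs)) / runs


if __name__ == "__main__":
    for key_bits, hash_name in SUITE_PAIRING.items():
        h = matching_hash_bits(key_bits)
        print(f"AES-{key_bits}: {hash_name} ({h} bits) -> "
              f"~2^{collision_security_bits(h)} collision work, matching the key")
    width = 24
    print(f"{width}-bit toy hash: expected {expected_trials(width):.0f} trials, "
          f"observed mean {mean_trials(width):.0f}")
```

The observed mean lands near sqrt(pi/2 * 2^24), about 5100 trials, rather than anywhere near 2^24, which is the square-root effect the message refers to. Scale `width` up and the cost grows as 2^(width/2), which is why a hash half the width of the key would leave collision search cheaper than key search.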