Re: [Cfrg] [saag] [Fwd: I-D ACTION:draft-turner-sha0-sha1-seccon-00.txt]

[Paul Hoffman <paul.hoffman@vpnc.org>]

At 10:51 AM -0700 10/4/10, Dan Harkins wrote:
>On Sun, October 3, 2010 2:35 pm, Paul Hoffman wrote:
>>>One further comment: I am a bit uncertain to why you refer to SHA-256
>>>from the SHA-2 family only (and thus not mention/exclude SHA-512)?
>>
>> Because the IETF almost always deals only with 128-bit strength security,
>> and using SHA-384 or SHA-512 is just as waste of processor and network
>> resources in such cases.
>
>  That's an odd statement. There is suite B guidance for use of quite alot
>of IETF protocols-- TLS, SSH, IKE/IPsec, S/MIME-- that provide for more
>than "128-bit strength security". The qualifier ("almost always") even adds
>to the oddness. Check out the D-H groups for use in IKE. They run the gamut
>of strength estimates. Arguably neither of the cryptographic suites for
>IPsec from RFC 4308, of which you are the author, provides 128-bits of
>strength security (the required D-H groups afford approximately 80 to
>"VPN-A" and 112 bits to "VPN-B").

Right; this my purposeful vagueness above.

>  We continue to define the use of ciphers with > 128 bit keys. We
>continue to define the use of D-H groups that produce shared secrets
>of > 128 bits of approximate strength. Hash algorithms that can be used
>in key derivation, key confirmation, and digital signatures which afford
>greater than 128-bits of approximate strength should not be excluded.

All true, but not relevant to the text I gave. The draft as it stands *also* doesn't say what to do for signatures that are meant to be at strengths greater than 128 bits; it is about not using SHA-0 at all and not specifying SHA-1 as the default.

If there is a desire for a different document that tells security protocol writers what signature algorithms would be good to include as mandatory, that's fine, but it should not be this document.

--Paul Hoffman, Director
--VPN Consortium