On 10/16/2011 09:23 AM, Nikos Mavrogiannopoulos wrote:
>>> A comment on this draft is that it might be misleading on the
>>> security levels it claims. It mentions: "The Fact Sheet on Suite
>>> B Cryptography requires key establishment and authentication
>>> algorithms based on Elliptic Curve Cryptography and encryption
>>> using AES [AES]. Suite B algorithms are defined to support two
>>> minimum levels of security: 128 and 192 bits."
>>>
>>> However the (D)TLS Finished message is protected by a 96-bit
>>> MAC, thus an attacker that can break a 96-bit MAC can manipulate
>>> the TLS handshake in any way he desires (TLS version rollback,
>>> removal of extensions and possibly more). IMO this disqualifies
>>> the proposed ciphersuites from claiming more than 96-bits of
>>> security.
>> It is important to distinguish between off-line and on-line
>> attacks. It is common (though perhaps not universal) to rate the
>> strength of cryptography in terms of resistance to off-line attack,
>> and that is what Suite B minimum levels of security express.

Having a second read on the document I don't think this is the case.
The document specifies TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

The fact that SHA-384 is used in the latter case in combination
with AES_256 implies that SHA256 was replaced by SHA384 to increase
the security (the same way AES-128 was replaced by AES-256). However
there is no evidence that a 96-bit SHA384 based MAC is stronger than a
96-bit SHA256 MAC.

regards,
Nikos

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
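
The point about the 96-bit Finished value, as an added example that is not part of the original e-mail or the draft: it computes the TLS 1.2 Finished `verify_data` with the RFC 5246 PRF under SHA-256 and SHA-384 and shows that both are cut to the same 12 bytes. It assumes neither suite overrides the RFC 5246 default `verify_data_length` of 12; the master secret and handshake transcript are constructed sample bytes, and the helper names are hypothetical.

```python
import hashlib
import hmac

VERIFY_DATA_LEN = 12  # RFC 5246 default verify_data_length (assumed not overridden)


def p_hash(hash_name, secret, seed, length):
    """RFC 5246 section 5 P_hash: expand secret+seed to `length` bytes with HMAC."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def finished_verify_data(hash_name, master_secret, handshake_messages,
                         label=b"client finished"):
    """verify_data = PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return p_hash(hash_name, master_secret, label + transcript_hash, VERIFY_DATA_LEN)


def guess_acceptance_probability(verify_data):
    """Chance that a single blind guess equals verify_data: 2^-(bits kept)."""
    return 2.0 ** -(8 * len(verify_data))


# Constructed sample inputs, not taken from a real handshake.
MASTER_SECRET = bytes(range(48))
TRANSCRIPT = b"constructed ClientHello..ServerHelloDone bytes"
TAMPERED = TRANSCRIPT.replace(b"ClientHello", b"ClientHellx")

SUITES = (("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "sha256"),
          ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "sha384"))


def compare_suites():
    """Per suite: (bits kept, per-guess acceptance probability, tamper detected)."""
    rows = {}
    for suite, hash_name in SUITES:
        vd = finished_verify_data(hash_name, MASTER_SECRET, TRANSCRIPT)
        changed = vd != finished_verify_data(hash_name, MASTER_SECRET, TAMPERED)
        rows[suite] = (8 * len(vd), guess_acceptance_probability(vd), changed)
    return rows


if __name__ == "__main__":
    for suite, (bits, prob, changed) in compare_suites().items():
        print(f"{suite}: {bits}-bit verify_data, per-guess {prob:.3e}, "
              f"tamper detected={changed}")
```

Both rows report 96 bits and the same per-guess probability: the wider SHA-384 output is discarded by the truncation, so only the PRF's internal hash differs between the two suites.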