Nikos: >>>> A comment on this draft is that it might be misleading on the >>>> security levels it claims. It mentions: "The Fact Sheet on Suite >>>> B Cryptography requires key establishment and authentication >>>> algorithms based on Elliptic Curve Cryptography and encryption >>>> using AES [AES]. Suite B algorithms are defined to support two >>>> minimum levels of security: 128 and 192 bits." >>>> >>>> However the (D)TLS Finished message is protected by a 96-bit >>>> MAC, thus an attacker that can break a 96-bit MAC can manipulate >>>> the TLS handshake in any way he desires (TLS version rollback, >>>> removal of extensions and possibly more). IMO this disqualifies >>>> the proposed ciphersuites from claiming more than 96-bits of >>>> security. >>> It is important to distinguish between off-line and on-line >>> attacks. It is common (though perhaps not universal) to rate the >>> strength of cryptography in terms of resistance to off-line attack, >>> and that is what Suite B minimum levels of security express. > > Having a second read on the document I don't think this is the case. The > document specifies > The TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > and > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 > > The fact that the SHA-384 is used in the latter case in combination with > AES_256 it implies that SHA256 was replaced by SHA384 to increase the > security (the same way AES-128 was replaced by AES-256). However there > is no evidence that a 96-bit SHA384 based MAC is stronger than a 96-bit > SHA256 MAC. Elsewhere in the Suite B profiles, SHA-384 is always paired with AES-256 and EC algorithms using the P-384 curve. This selection was done for consistency. Also, make sure you do not confuse the use of ECDSA with SHA-384 with HMAC with SHA-384. Russ _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf