Nikos: >>>>>> more than 96-bits of security. >>>>> It is important to distinguish between off-line and on-line >>>>> attacks. It is common (though perhaps not universal) to rate >>>>> the strength of cryptography in terms of resistance to off-line >>>>> attack, and that is what Suite B minimum levels of security >>>>> express. >>> >>> Having a second read on the document I don't think this is the >>> case. The document specifies The >>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and >>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 >>> >>> The fact that the SHA-384 is used in the latter case in combination >>> with AES_256 it implies that SHA256 was replaced by SHA384 to >>> increase the security (the same way AES-128 was replaced by >>> AES-256). However there is no evidence that a 96-bit SHA384 based >>> MAC is stronger than a 96-bit SHA256 MAC. >> Elsewhere in the Suite B profiles, SHA-384 is always paired with >> AES-256 and EC algorithms using the P-384 curve. This selection was >> done for consistency. > > This is however, cannot be deducted from the document. The document > describes two combinations of suites one of 128-bit security level and > another of 192-bit. In the 128-bit security level a SHA-256 PRF is used > and in the 192-bit the SHA-384 PRF. To someone reading this document it > is apparent that the choice of the SHA-384 PRF is done to increase to a > 192-bit security level. However, as you say this is not the case, and > this IMO deserves at least a sentence in the security considerations > section. If this document were defining the ciphersuites, I might agree. However, this document is using ciphersuites that are defined in other documents. This document should not be commenting on the security properties of ciphersuites, except to say that they are sufficient for Suite B. Russ _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf