[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes

Viktor Dukhovni openssl-users at dukhovni.org
Tue Dec 16 19:57:08 UTC 2014


On Tue, Dec 16, 2014 at 08:46:35PM +0100, Kurt Roeckx wrote:

> On Tue, Dec 16, 2014 at 06:56:14PM +0000, Viktor Dukhovni wrote:
> > And the browsers should implement SHA-384, and why the hell are we
> > using SHA-384 with AES256-GCM instead of SHA-256 anyway?  Surely
> > the SHA256 HMAC construction has adequate strength in this context?
> 
> With GCM the collision resistance is important and SHA-256
> only provides a 128-bit strength for that.

I've not looked into this, can you elaborate (citation)? Which
attacker controls the SHA2-256 inputs to the TLS PRF?  Why are
collisions rather than 2nd preimages the relevant issue?

Though of course with AEAD the PRF is not used for a bulk data
checksum, so its performance is largely irrelevant.

Why aren't the browsers implementing the AESGCM256 + SHA384 variants?

-- 
	Viktor.
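The point Viktor makes above, that in an AEAD suite the suite's hash function only feeds the TLS 1.2 PRF and never touches the bulk data, is easiest to see by walking through the key expansion step of RFC 5246 section 6.3 for TLS_*_WITH_AES_256_GCM_SHA384 and for the hypothetical SHA256-hashed variant. The following Python is an added example, not code from the mailing list thread or from OpenSSL; it implements the RFC 5246 P_hash/PRF construction with the standard library only, and the master secret and random values it uses are constructed placeholders, not values from any real handshake. Key and IV lengths are the ones RFC 5288 specifies for AES-GCM (32-byte AES-256 key, 4-byte fixed IV, no MAC key).

```python
import hashlib
import hmac

# Parameters from RFC 5246 (TLS 1.2) and RFC 5288 (AES-GCM cipher suites).
KEY_EXPANSION_LABEL = b"key expansion"
AES_256_KEY_LEN = 32   # enc_key_length for AES_256_GCM
GCM_FIXED_IV_LEN = 4   # fixed_iv_length: the implicit part of the GCM nonce
AEAD_MAC_KEY_LEN = 0   # AEAD suites carry no separate MAC key at all


def hmac_hash(secret: bytes, data: bytes, hashname: str) -> bytes:
    """HMAC over `data` with the hash the cipher suite names ("sha256" or "sha384")."""
    return hmac.new(secret, data, getattr(hashlib, hashname)).digest()


def p_hash(secret: bytes, seed: bytes, length: int, hashname: str) -> bytes:
    """P_hash from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
    P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) ||
                           HMAC_hash(secret, A(2) + seed) || ...
    truncated to `length` bytes.
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_hash(secret, a, hashname)
        out += hmac_hash(secret, a + seed, hashname)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int, hashname: str) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_<hash>(secret, label + seed).

    The hash is the one in the cipher suite name (SHA-256 by default,
    SHA-384 for the *_SHA384 suites).  This is the only place an AEAD
    suite uses that hash: record protection is done by the AEAD itself.
    """
    return p_hash(secret, label + seed, length, hashname)


def derive_aead_key_block(master_secret: bytes, server_random: bytes,
                          client_random: bytes, hashname: str) -> dict:
    """Expand the master secret into traffic keys per RFC 5246 section 6.3.

    key_block = PRF(master_secret, "key expansion", server_random + client_random)
    and is partitioned in this order:
      client_write_MAC_key, server_write_MAC_key (both empty for AEAD),
      client_write_key, server_write_key, client_write_IV, server_write_IV.
    """
    total = (2 * AEAD_MAC_KEY_LEN) + (2 * AES_256_KEY_LEN) + (2 * GCM_FIXED_IV_LEN)
    block = tls12_prf(master_secret, KEY_EXPANSION_LABEL,
                      server_random + client_random, total, hashname)
    view = memoryview(block)
    keys, off = {}, 0
    # MAC keys are zero-length for AEAD suites, so nothing is consumed here.
    off += 2 * AEAD_MAC_KEY_LEN
    for name, size in (("client_write_key", AES_256_KEY_LEN),
                       ("server_write_key", AES_256_KEY_LEN),
                       ("client_write_iv", GCM_FIXED_IV_LEN),
                       ("server_write_iv", GCM_FIXED_IV_LEN)):
        keys[name] = bytes(view[off:off + size])
        off += size
    assert off == total, "key_block partition must consume exactly the PRF output"
    return keys


if __name__ == "__main__":
    # Constructed placeholder values, not from a real handshake.
    ms = bytes(range(48))              # master secret is always 48 bytes
    sr = b"\xaa" * 32                  # ServerHello.random
    cr = b"\xbb" * 32                  # ClientHello.random
    for h in ("sha384", "sha256"):
        kb = derive_aead_key_block(ms, sr, cr, h)
        print(f"AES_256_GCM with {h.upper()} PRF:")
        for k, v in kb.items():
            print(f"  {k:<17} {v.hex()}")
```

Running the script shows that switching the suite hash from SHA-384 to SHA-256 changes only the PRF output (the derived keys differ), not the shape of the key block: the same 72 bytes are split into two AES-256 keys and two 4-byte GCM nonce prefixes, and there is no MAC key because record integrity comes from GCM, not from HMAC-SHA-2.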

