[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes

Kurt Roeckx kurt at roeckx.be
Tue Dec 16 21:48:08 UTC 2014


On Tue, Dec 16, 2014 at 07:57:08PM +0000, Viktor Dukhovni wrote:
> On Tue, Dec 16, 2014 at 08:46:35PM +0100, Kurt Roeckx wrote:
> 
> > On Tue, Dec 16, 2014 at 06:56:14PM +0000, Viktor Dukhovni wrote:
> > > And the browsers should implement SHA-384, and why the hell are we
> > > using SHA-384 with AES256-GCM instead of SHA-256 anyway?  Surely
> > > the SHA256 HMAC construction has adequate strength in this context?
> > 
> > With GCM the collision resistance is important and SHA-256
> > only provides a 128-bit strength for that.
> 
> I've not looked into this, can you elaborate (citation)? Which
> attacker controls the SHA2-256 inputs to the TLS PRF?  Why are
> collisions rather than 2nd preimages the relevant issue?

I think the best reference I can find at this time is:
http://www.ietf.org/mail-archive/web/tls/current/msg13313.html

But I'm sure I can find others if needed.


Kurt
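The TLS 1.2 PRF the exchange refers to (P_hash from RFC 5246), parameterised by the hash the cipher suite names, as an added example that is not code from OpenSSL or from this thread; the suite-to-hash map, the sample secrets and the helper names are my own constructions, and the strength figure is the plain birthday bound (half the digest length):

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """RFC 5246 section 5 P_hash: HMAC chain A(i) expanded to `length` bytes."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(hash_name, secret, label, seed, length):
    """TLS 1.2 PRF: P_<hash>(secret, label + seed), hash chosen by the cipher suite."""
    return p_hash(hash_name, secret, label + seed, length)

# Constructed map: TLS 1.2 suites carry their PRF hash in the name; the
# AES-256-GCM suites use SHA-384, the AES-128-GCM suites SHA-256.
SUITE_PRF_HASH = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "sha256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "sha384",
}

def derive_master_secret(suite, pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", randoms)[0..47]."""
    hash_name = SUITE_PRF_HASH[suite]
    return tls12_prf(hash_name, pre_master_secret, b"master secret",
                     client_random + server_random, 48)

def collision_strength_bits(hash_name):
    """Generic birthday bound on collision resistance: digest bits / 2."""
    return hashlib.new(hash_name).digest_size * 8 // 2

# Constructed sample inputs (not real handshake values).
PMS = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    for suite, h in SUITE_PRF_HASH.items():
        ms = derive_master_secret(suite, PMS, CLIENT_RANDOM, SERVER_RANDOM)
        print(suite, "PRF hash:", h, "collision strength:",
              collision_strength_bits(h), "bits, master secret:", ms.hex()[:16], "...")
```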
