[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Dec 16 21:58:10 UTC 2014
On Tue, Dec 16, 2014 at 10:48:08PM +0100, Kurt Roeckx wrote:
> On Tue, Dec 16, 2014 at 07:57:08PM +0000, Viktor Dukhovni wrote:
> > On Tue, Dec 16, 2014 at 08:46:35PM +0100, Kurt Roeckx wrote:
> >
> > > On Tue, Dec 16, 2014 at 06:56:14PM +0000, Viktor Dukhovni wrote:
> > > > And the browsers should implement SHA-384, and why the hell are we
> > > > using SHA-384 with AES256-GCM instead of SHA-256 anyway? Surely
> > > > the SHA256 HMAC construction has adequate strength in this context?
> > >
> > > With GCM the collision resistance is important and SHA-256
> > > only provides an 128 bit strength for that.
> >
> > I've not looked into this, can you elaborate (citation)? Which
> > attacker controls the SHA2-256 inputs to the TLS PRF? Why are
> > collisions rather than 2nd preimages the relevant issue?
>
> I think the best reference I can find at this time is:
> http://www.ietf.org/mail-archive/web/tls/current/msg13313.html
>
> But I'm sure I can find others if needed.
I believe the author of that message is mistaken.
--
Viktor.
More information about the openssl-dev
mailing list