On Tue, Jan 8, 2019 at 9:50 AM Tom Henderson <[email protected]> wrote:

> On 1/8/19 5:57 AM, Eric Rescorla wrote:
>
> > The second preimage attack resistance is 96 bits, plus whatever work
> > is needed to generate the keys.
> >
> > I agree that this is in RFC 7343, but it doesn't seem to be stated
> > anywhere in this document, and given that this text talks about both 64
> > bit and >= 100 bit hash functions, I'm not sure how to get it from this
> > text, which is in context quite confusing.
>
> I agree that the text could be clarified; I will try to suggest
> something more.
>
> >
> > There isn't any mechanism defined to extend this, such as the CGA
> > Hash Extension, but it seems to me that HIP could be extended in a
> > similar way. My recollection is that the WG had thought 96 bits to
> > be strong enough preimage resistance.
> >
> > Generally, we are targeting the 128-bit security level for new
> deployments
> >
>
> Can you provide a reference for the 128-bit recommendation?
>
I don't believe there is a policy, but for instance, see:
https://tools.ietf.org/html/rfc7525#section-4.1

> Also, how are legacy uses like SEND/CGA handling this new target (or are
> they just considered legacy at this point)?
>

As far as I understand it, they are legacy.

-Ekr

> - Tom
>
_______________________________________________
Hipsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/hipsec
