Hi,

Thanks for producing this and the other IETF documents profiling the CNSA 
suite. I think it is very good to have strict profiles specified for a high 
security level.

   "The approved CNSA hash function for all purposes is SHA-384, as
   defined in [FIPS180].  However, SHA-512 is recommended for PRF
   instead of SHA-384 due to availability.  See Section 8 below."

   "The named UI suites use SHA-512 for PRF since SHA-384 is not listed
   among required PRF or integrity algorithms in [RFC8247], the security
   level is comparable, and the difference in performance is negligible.
   However, SHA-384 is the official CNSA algorithm for computing a
   condensed representation of information.  Therefore, SHA-384
   implementations for PRF or integrity MAY be used." 

The wording makes it sound like SHA-512 is recommended over SHA-384 when both 
are available. Is that the intention?

Is it correct that SHA-384 is significantly less available than SHA-512? While 
this is definitely correct for SSH (https://ssh-comparison.quendi.de/), the 
IKEv2 implementations I have seen implement both. 3GPP TS 33.210 has for a 
long time recommended support of SHA-384, one reason being alignment with Suite 
B and CNSA. If there is a big difference in availability, 3GPP might need to 
update its profile.

Cheers,
John

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
