On Tue, Dec 16, 2014 at 07:57:08PM +0000, Viktor Dukhovni wrote:
> On Tue, Dec 16, 2014 at 08:46:35PM +0100, Kurt Roeckx wrote:
>
> > On Tue, Dec 16, 2014 at 06:56:14PM +0000, Viktor Dukhovni wrote:
> > > And the browsers should implement SHA-384, and why the hell are we
> > > using SHA-384 with AES256-GCM instead of SHA-256 anyway? Surely
> > > the SHA256 HMAC construction has adequate strength in this context?
> >
> > With GCM the collision resistance is important and SHA-256
> > only provides a 128 bit strength for that.
>
> I've not looked into this, can you elaborate (citation)? Which
> attacker controls the SHA2-256 inputs to the TLS PRF? Why are
> collisions rather than 2nd preimages the relevant issue?

I think the best reference I can find at this time is:
http://www.ietf.org/mail-archive/web/tls/current/msg13313.html

But I'm sure I can find others if needed.

Kurt

_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev