[noise] Hash len > cipher len in tls1.2
Trevor Perrin
trevp at trevp.net
Tue Mar 8 16:24:23 PST 2016
On Fri, Mar 4, 2016 at 4:47 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Hi guys,
>
> I haven't looked in depth into the details, but recently while doing some
> menial sysadmin labor, I noticed that TLS1.2 cipher suites always have a
> hash length bigger than the cipher key length. AES128 uses SHA256 and AES256
Noise doesn't use 128-bit ciphers, it uses 256-bit ciphers even with
hash functions and curves that only offer ~128 bits security.
This is because ciphers might be subject to precomputation attacks, it
cheaply buys extra security margin, and reduces the number of options.
> uses SHA384. I was wondering if we should consider the same thing here for
> Noise. Namely, suggesting Blake2b over Blake2s, since ChaCha is 256 bits.
Noise already suggests "super-sizing" the curve and hash, if you want:
"For an extreme security margin, you could use the 448 DH functions
with either AESGCM_SHA512 or ChaChaPoly_BLAKE2b."
Trevor
More information about the Noise
mailing list