[strongSwan] Security Comparison
Marco Berizzi
pupilla at hotmail.com
Fri Jul 20 14:43:55 CEST 2018
Hi Tobias,
I think this is an underestimated point. Deserves more attention.
> The cryptographic strength of all ciphers in a cipher suite should be
> consistent. For instance, using AES-256 for ESP is basically wasted
> when using MODP-2048 because that has only an estimated strength of 112
> bits (same for ECP-256 whose estimated strength is 128 bits).
Adding your above remark to [3] would be extremely useful.
According to this paper [1] MODP-1536 is broken (< 112 bits of security
strength), and according to this NIST publication [2], the only way to
be consistent with AES-256 is ECP-521 (Diffie-Hellman group 21) or x25519
(Diffie-Hellman group 31).
MODP-3072 or ECP-256 is the minimum for being consistent with AES-128.
So a simple consistent table could be:
AES-128 ==>> MODP-3072 or ECP-256
AES-192 ==>> MODP-8192 or ECP-384
AES-256 ==>> ECP-521 or x25519
[1] https://csrc.nist.gov/csrc/media/publications/sp/800-131a/rev-1/final/documents/sp800-131a_r1_draft.pdf
[2] https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf
[3] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
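
An added example, not part of the original message and not strongSwan code: a small checker that parses strongSwan-style proposal strings and reports whether the DH group and the AES key size have matching estimated strength. The strength values are assumptions taken from the figures and pairings given in the message above; groups outside that table are reported as unknown, and the function names are hypothetical.

```python
import re

# Estimated strength in bits, using the figures and pairings from the thread
# above (assumption). Groups not listed here are reported as "unknown".
DH_STRENGTH = {
    "modp2048": 112, "modp3072": 128, "modp8192": 192,
    "ecp256": 128, "ecp384": 192, "ecp521": 256,
}
# Matches AES encryption keywords such as aes128, aes256gcm16, aes192ctr.
AES_RE = re.compile(r"^aes(128|192|256)(?:ctr|ccm\d+|gcm\d+)?$")


def check_proposal(proposal):
    """Return (aes_bits, dh_bits, effective_bits, verdict) for one proposal."""
    aes_bits = dh_bits = None
    for token in proposal.strip().rstrip("!").lower().split("-"):
        m = AES_RE.match(token)
        if m:
            aes_bits = int(m.group(1))
        elif token in DH_STRENGTH:
            dh_bits = DH_STRENGTH[token]
    if aes_bits is None or dh_bits is None:
        return aes_bits, dh_bits, None, "unknown"
    # The weakest component bounds the strength of the whole suite.
    effective = min(aes_bits, dh_bits)
    if dh_bits < aes_bits:
        verdict = "dh-weaker"        # e.g. AES-256 with MODP-2048
    elif dh_bits > aes_bits:
        verdict = "cipher-weaker"
    else:
        verdict = "consistent"
    return aes_bits, dh_bits, effective, verdict


def check_proposals(line):
    """Check a comma-separated proposal list as written in ike= or esp=."""
    line = line.strip().rstrip("!")  # drop the strict-mode marker
    return {p.strip(): check_proposal(p) for p in line.split(",") if p.strip()}


if __name__ == "__main__":
    # Constructed sample value, not taken from any real configuration.
    sample = "aes256-sha256-modp2048, aes128-sha256-ecp256, aes256gcm16-prfsha384-ecp521!"
    for name, result in check_proposals(sample).items():
        print(f"{name:32} {result}")
```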