[strongSwan] Security Comparison
pupilla at hotmail.com
Fri Jul 20 14:43:55 CEST 2018
I think this is an underestimated point. Deserves more attention.
> The cryptographic strength of all ciphers in a cipher suite should be
> consistent. For instance, using AES-256 for ESP is basically wasted
> when using MODP-2048 because that has only an estimated strength of 112
> bits (same for ECP-256 whose estimated strength is 128 bits).
Adding your above remark to  would be extremely useful.
According to this paper  MODP-1536 is broken (< 112 bits of security
strength), and according to this nist publication , the only way to
be consistent with AES-256 is ECP-521 (diffie hellmann group 21) or x25519
(diffie hellmann group 31).
The MODP-3072 or ECP-256 is the minimum for being consistent with AES-128.
So a simple consistent table could be:
AES-128 ==>> MODP-3072 or ECP-256
AES-192 ==>> MODP-8192 or ECP-384
AES-256 ==>> ECP521 or x25519
More information about the Users