[strongSwan] Security Comparison
andreas.steffen at strongswan.org
Fri Jul 20 17:14:13 CEST 2018
actually X25519 DH group 31 has a security strength of 128 bits, similar
to ECP-256, although the Curve25519 characteristics are much better
than those of the ECP-256 NIST curve.
The "Goldilocks" X448 (DH group 32) has a security strength of 224 bits
which is half-way between 192 bits and 256 bits. strongSwan doesn't
support X448 yet.
On 20.07.2018 14:43, Marco Berizzi wrote:
> Hi Tobias,
> I think this is an underestimated point. Deserves more attention.
>> The cryptographic strength of all ciphers in a cipher suite should be
>> consistent. For instance, using AES-256 for ESP is basically wasted
>> when using MODP-2048 because that has only an estimated strength of 112
>> bits (same for ECP-256 whose estimated strength is 128 bits).
> Adding your above remark to  would be extremely useful.
> According to this paper  MODP-1536 is broken (< 112 bits of security
> strength), and according to this nist publication , the only way to
> be consistent with AES-256 is ECP-521 (diffie hellmann group 21) or x25519
> (diffie hellmann group 31).
> The MODP-3072 or ECP-256 is the minimum for being consistent with AES-128.
> So a simple consistent table could be:
> AES-128 ==>> MODP-3072 or ECP-256
> AES-192 ==>> MODP-8192 or ECP-384
> AES-256 ==>> ECP521 or x25519
>  https://csrc.nist.gov/csrc/media/publications/sp/800-131a/rev-1/final/documents/sp800-131a_r1_draft.pdf
>  https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf
>  https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2945 bytes
Desc: S/MIME Cryptographic Signature
More information about the Users