[strongSwan] Security Comparison

Andreas Steffen andreas.steffen at strongswan.org
Fri Jul 20 17:14:13 CEST 2018

Hi Marco,

actually X25519 DH group 31 has a security strength of 128 bits, similar
to ECP-256, although the Curve25519 characteristics are much better
than those of the ECP-256 NIST curve.

The "Goldilocks" X448 (DH group 32) has a security strength of 224 bits
which is half-way between 192 bits and 256 bits. strongSwan doesn't
support X448 yet.

Best regards


On 20.07.2018 14:43, Marco Berizzi wrote:
> Hi Tobias,
> I think this is an underestimated point. Deserves more attention.
>> The cryptographic strength of all ciphers in a cipher suite should be
>> consistent.  For instance, using AES-256 for ESP is basically wasted
>> when using MODP-2048 because that has only an estimated strength of 112
>> bits (same for ECP-256 whose estimated strength is 128 bits).
> Adding your above remark to [3] would be extremely useful.
> According to this paper [1] MODP-1536 is broken (< 112 bits of security
> strength), and according to this nist publication [2], the only way to
> be consistent with AES-256 is ECP-521 (diffie hellmann group 21) or x25519
> (diffie hellmann group 31).
> The MODP-3072 or ECP-256 is the minimum for being consistent with AES-128.
> So a simple consistent table could be:
> AES-128 ==>> MODP-3072 or ECP-256
> AES-192 ==>> MODP-8192 or ECP-384
> AES-256 ==>> ECP521 or x25519
> [1] https://csrc.nist.gov/csrc/media/publications/sp/800-131a/rev-1/final/documents/sp800-131a_r1_draft.pdf
> [2] https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf
> [3] https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2945 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180720/76b149cc/attachment-0001.bin>

More information about the Users mailing list