
From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Mar 18 18:16:16 2011
Message-ID: <4D83E810.3030605@vandyke.com>
Date: Fri, 18 Mar 2011 17:17:36 -0600
From: Joseph Galbraith <galb-list@vandyke.com>
To: ietf-ssh@NetBSD.org
Subject: SHA-2 based HMAC algorithm...
List-Id: ietf-ssh.NetBSD.org

Is there a SHA-2 based HMAC algorithm specified in any of
the recent extension RFCs?

I looked but didn't see one.

Has anyone implemented such a thing as a @domain.name extension?

Thanks,

Joseph

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Mar 18 21:59:41 2011
To: Joseph Galbraith <galb-list@vandyke.com>
CC: ietf-ssh@NetBSD.org
Subject: Re: SHA-2 based HMAC algorithm...
In-Reply-To: <4D83E810.3030605@vandyke.com>
References: <4D83E810.3030605@vandyke.com>
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Fri, 18 Mar 2011 21:52:04 -0700
Message-ID: <40481.1300510324@eng-mail01.juniper.net>

Hi Joseph,

Joseph Galbraith <galb-list@vandyke.com> writes:

> Is there a SHA-2 based HMAC algorithm specified in any of
> the recent extension RFCs?

Given you are asking in ietf-ssh, I suppose you are interested in just
the secure shell protocol? If so, the place to look is the IANA
assigned names for the SSHv2 protocol at the
http://www.iana.org/assignments/ssh-parameters URL.

> I looked but didn't see one.

I concur, there is nothing regarding the use of HMAC-SHA-2* algorithms
with the secure shell protocol currently listed as published in an RFC.

If you are interested in SHA-2 based HMAC algorithms listed in the RFCs
in general, then there are some recent works which have such references:

RFC 5709 (OSPFv2 HMAC-SHA Cryptographic Authentication) which references
         HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 and has a MUST for
         HMAC-SHA-256 support.

RFC 4868 (Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec)
         which talks about using them as PRFs for IKE and IKEv2.

> Has anyone implemented such a thing as a @domain.name extension?

For the secure shell protocol, I have seen these macs:

  hmac-sha256-2@ssh.com
  hmac-sha512@ssh.com
  hmac-sha384@ssh.com
  hmac-sha224@ssh.com
  hmac-sha256@ssh.com
  hmac-sha256-96@ssh.com

being negotiated, but there may be other folks who are adding their own
extension too.

        -- Mark

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Mar 18 23:54:24 2011
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: mdb@juniper.net, pgut001@cs.auckland.ac.nz
Subject: Re: SHA-2 based HMAC algorithm...
Cc: galb-list@vandyke.com, ietf-ssh@NetBSD.org
In-Reply-To: <52642.1300515632@eng-mail01.juniper.net>
Message-Id: <E1Q0q4c-0003Z0-TC@login01.fos.auckland.ac.nz>
Date: Sat, 19 Mar 2011 19:55:42 +1300

"Mark D. Baushke" <mdb@juniper.net> writes:

>For what it is worth, if we are going to give a few more options, addressing
>some of the other issues raised by NIST SP 800-131 might be wise.
>
>[...]

Hmm, are you sure you want to try and get all that in an RFC?  The amount of
bikeshedding this'll entail will be monumental, while just defining a few new
strings for SHA-256 to complement the existing SHA-1 ones should be fairly
quick.  I guess it depends on what the urgency is, the SHA-1 -> SHA-256 quick
fix could be done as a fast-path RFC and then the bikeshedding-magnet change-
other-bits-of-the-crypto could be done as a longer-term one.

Peter.

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Fri Mar 18 23:58:19 2011
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: galb-list@vandyke.com, mdb@juniper.net
Subject: Re: SHA-2 based HMAC algorithm...
Cc: ietf-ssh@NetBSD.org
In-Reply-To: <40481.1300510324@eng-mail01.juniper.net>
Message-Id: <E1Q0oiV-00084Z-5u@login01.fos.auckland.ac.nz>
Date: Sat, 19 Mar 2011 18:28:47 +1300

"Mark D. Baushke" <mdb@juniper.net> writes:

>For the secure shell protocol, I have seen these macs:
>
>  hmac-sha256-2@ssh.com
               ^
I've heard of two-bit security mechanisms, but I've never seen one used in an
actual protocol before.

>but there may be other folks who are adding their own extension too.

Given that SHA-2 is becoming more widespread, perhaps we need a quick RFC, or
at least an ad-hoc implementers agreement, on naming for this before we get
dozens of hmac-sha256@bobs-pizza-shack.com extensions.

Peter.
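
[Added example, not part of the original thread or of any poster's code.] The naming problem raised above, worked through in Python: it decodes the MAC name-lists two peers would send in SSH_MSG_KEXINIT, classifies each name under the RFC 4251 section 6 naming rules, and applies the RFC 4253 section 7.1 selection rule. The two name-lists are constructed samples; hmac-sha256@bobs-pizza-shack.com is the hypothetical name from the message above, and the function names are this example's own.

```python
import struct

# MAC names defined in RFC 4253 section 6.4; none of them is SHA-2 based.
RFC4253_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96", "none"}


def encode_name_list(names):
    """Encode an SSH name-list (RFC 4251 section 5): uint32 length, then comma-separated names."""
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def parse_name_list(buf, offset=0):
    """Decode one name-list from buf; return (names, offset of the next field)."""
    if len(buf) - offset < 4:
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("name-list length exceeds buffer")
    text = buf[offset + 4:end].decode("ascii")  # non-ASCII raises UnicodeDecodeError
    names = text.split(",") if text else []
    if any(not n for n in names):
        raise ValueError("empty name in name-list")
    return names, end


def classify_mac(name):
    """Classify a MAC name per RFC 4251 section 6: standard, unregistered, private or invalid."""
    printable = all(0x21 <= ord(c) <= 0x7E for c in name)
    if not name or len(name) > 64 or not printable or "," in name:
        return ("invalid", None)
    if "@" not in name:
        # Names without '@' are reserved for IETF assignment.
        return ("standard" if name in RFC4253_MACS else "unregistered", None)
    local, _, domain = name.partition("@")
    if not local or not domain or "@" in domain:
        return ("invalid", None)
    return ("private", domain.lower())


def negotiate_mac(client_names, server_names):
    """RFC 4253 section 7.1: pick the first client name that the server also lists."""
    offered = set(server_names)
    for name in client_names:
        if name in offered:
            return name
    return None


def private_domains(names):
    """Return the sorted vendor domains behind the private names in a list."""
    return sorted({d for kind, d in map(classify_mac, names) if kind == "private"})


# Constructed sample: both peers implement HMAC-SHA-256, each under its own private name.
CLIENT_WIRE = encode_name_list(["hmac-sha256@ssh.com", "hmac-sha256-96@ssh.com", "hmac-sha1"])
SERVER_WIRE = encode_name_list(["hmac-sha256@bobs-pizza-shack.com", "hmac-sha1", "hmac-md5"])

if __name__ == "__main__":
    client, _ = parse_name_list(CLIENT_WIRE)
    server, _ = parse_name_list(SERVER_WIRE)
    print("client private domains:", private_domains(client))
    print("server private domains:", private_domains(server))
    print("negotiated MAC:", negotiate_mac(client, server))
```

Because the selection rule matches names as exact strings, the two peers in the sample settle on hmac-sha1 even though each offers a SHA-256 MAC; a session audit that logs the negotiated name makes that fallback visible.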


From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Sat Mar 19 01:13:12 2011
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: galb-list@vandyke.com, ietf-ssh@NetBSD.org
Subject: Re: SHA-2 based HMAC algorithm... 
In-Reply-To: <E1Q0q4c-0003Z0-TC@login01.fos.auckland.ac.nz> 
References: <E1Q0q4c-0003Z0-TC@login01.fos.auckland.ac.nz>
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Sat, 19 Mar 2011 01:00:05 -0700
Message-ID: <72949.1300521605@eng-mail01.juniper.net>

Peter Gutmann <pgut001@cs.auckland.ac.nz> writes:

> Hmm, are you sure you want to try and get all that in an RFC?  

I suppose RFC 4432 already has the rsa2048-sha256 covered and using
ECDH from RFC 5656 for KEX addresses the issues with DH not really
using sha256. Adding hmac-sha256 is likely going to be faster than
using AEAD_AES_128_GCM.

So, yes, it would be best to do the hmac-sha2 stuff first and let
RFCs 4432, 5647 and 5656 address the bit strength issues of NIST SP
800-131.

	-- Mark
