Hi,

The recent renaming of the ChaCha20-Poly1305 cipher suites brought something to my attention that I hadn't thought about before. It seems like it might be better to use HKDF-SHA512 instead of HKDF-SHA256, and then rename the ChaCha20-Poly1305 cipher suites to _SHA512. Or, use SHA-384.
It seems like ChaCha20-Poly1305 is likely to be implemented along with Ed25519 and x25519. Ed25519 already has a hard requirement of SHA-512; see [1]. Also, existing TLS cipher suites with 256-bit keys, the TLS_*_AES_256_GCM_SHA384 cipher suites, use SHA-384 as the PRF digest; see [2]. Note that SHA-384 is SHA-512 with a different IV, truncated to 384 bits.

I've heard that Apple's HomeKit protocol also uses HKDF-SHA512 (with Ed25519 and x25519).

Ed25519, x25519, ChaCha20-Poly1305, and HomeKit (I've heard) are all designed for ease of safe, fast implementation on devices with limited resources. In particular, such devices might prefer to have a larger and faster implementation of SHA-512 but a smaller and slower SHA-256, and/or forgo SHA-256 completely. Or, they might have a hardware implementation of SHA-512 instead of the more-common-today hardware implementation of SHA-256. Thus, it is far from obvious that SHA-256 is the best choice for these cipher suites.

WDYT?

[1] https://tools.ietf.org/html/draft-josefsson-eddsa-ed25519-02#section-5
[2] https://tools.ietf.org/html/rfc5289#section-3.2

Cheers,
Brian
-- 
https://briansmith.org/
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
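The post's resource argument rests on one fact: SHA-384 is the SHA-512 compression function started from a different initial state, with the output cut to 384 bits, so a device that has only a SHA-512 core (in hardware or software) gets SHA-384 for free, and HKDF over either digest is the same HMAC loop. The Python below is an added example, not code from the post, from the IETF drafts it cites, or from any TLS implementation. It derives the SHA-512 and SHA-384 constants the way FIPS 180-4 defines them (first 64 fractional bits of the square roots and cube roots of the first primes), runs both digests through a single compression function, builds RFC 2104 HMAC and RFC 5869 HKDF on top, and cross-checks itself against hashlib. The function names (`hkdf`, `hmac_digest`, `matches_stdlib`) and all inputs are constructed for the example.

```python
# Added example (not from the mailing-list post): one SHA-512 core that also
# yields SHA-384 by swapping the initial hash value and truncating the output,
# with HMAC and HKDF on top so the same code serves HKDF-SHA512 and HKDF-SHA384.
# Sample inputs are constructed for the example.
import hashlib
import hmac
import math
import struct
MASK64 = (1 << 64) - 1

def _primes(n):
    """First n primes; FIPS 180-4 derives every SHA-512 constant from them."""
    out, cand = [], 2
    while len(out) < n:
        if all(cand % p for p in out if p * p <= cand):
            out.append(cand)
        cand += 1
    return out

def _icbrt(n):
    """floor(cbrt(n)) for a big integer: Newton from an overestimate, then settle."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x * x * x > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x

_P = _primes(80)
# Round constants: first 64 fractional bits of cbrt(p) for the first 80 primes.
K = [_icbrt(p << 192) & MASK64 for p in _P]
# Initial state: 64 fractional bits of sqrt(p); SHA-512 takes primes 1-8, SHA-384
# primes 9-16. That IV change plus truncation is the whole difference.
SHA512_IV = [math.isqrt(p << 128) & MASK64 for p in _P[:8]]
SHA384_IV = [math.isqrt(p << 128) & MASK64 for p in _P[8:16]]

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def _compress(h, block):
    """One SHA-512 compression (FIPS 180-4 section 6.4.2) of a 128-byte block."""
    w = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, hh = h
    for t in range(80):
        t1 = (hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41))
              + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK64
        t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
        hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]

def _sha512_core(data, iv, out_len):
    """Pad, run the shared compression loop from iv, truncate to out_len bytes."""
    msg = data + b"\x80"
    msg += b"\x00" * ((112 - len(msg)) % 128) + (len(data) * 8).to_bytes(16, "big")
    h = list(iv)
    for i in range(0, len(msg), 128):
        h = _compress(h, msg[i:i + 128])
    return b"".join(x.to_bytes(8, "big") for x in h)[:out_len]

def sha512(data):
    return _sha512_core(data, SHA512_IV, 64)
def sha384(data):
    return _sha512_core(data, SHA384_IV, 48)  # same core, other IV, 384-bit output

def hmac_digest(key, msg, hashfn, block_size=128):
    """RFC 2104 HMAC; both digests share the 128-byte block size."""
    if len(key) > block_size:
        key = hashfn(key)
    key = key.ljust(block_size, b"\x00")
    inner = hashfn(bytes(b ^ 0x36 for b in key) + msg)
    return hashfn(bytes(b ^ 0x5C for b in key) + inner)

def hkdf(ikm, salt, info, length, hashfn):
    """RFC 5869 Extract-then-Expand, parameterised by the digest."""
    hlen = len(hashfn(b""))
    prk = hmac_digest(salt if salt else b"\x00" * hlen, ikm, hashfn)
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac_digest(prk, t + info + bytes([counter]), hashfn)
        okm += t
        counter += 1
    return okm[:length]

def matches_stdlib(data=b"constructed test message"):
    return (sha512(data) == hashlib.sha512(data).digest()
            and sha384(data) == hashlib.sha384(data).digest()
            and hmac_digest(b"k", data, sha384) == hmac.new(b"k", data, hashlib.sha384).digest())

if __name__ == "__main__":
    print("core matches hashlib:", matches_stdlib(),
          "| HKDF-SHA512:", hkdf(b"ikm", b"salt", b"tls example", 32, sha512).hex())
```

Swapping `sha512` for `sha384` in the `hkdf` call is the entire difference between an HKDF-SHA512 and an HKDF-SHA384 derivation here; nothing in the compression loop, the padding or the HMAC changes, which is the point about a device that carries only a SHA-512 implementation.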