On Wed, Mar 23, 2016 at 12:38:13AM +0000, Timothy Jackson wrote:
> I've noted that many (most?) TLS implementations choose their ECDHE
> curves seemingly without regard to the cipher suite strength. Thus,
> they'll select an AES256 cipher suite (e.g.
> TLS_ECDHE_ECDSA_WITH_AES256_SHA384),
> but then generate an ECDHE key on the P256 curve. This seems odd to
> me, since the P256 curve obviously has a lower security strength than
> AES256. This seems an important issue to resolve because most products
> (and even TLS libraries) do not allow the administrator to configure
> the available ECDHE curves, only the cipher suites. Thus, ECDHE may
> be invisibly undermining the security of your TLS connection.
The security levels are much less obvious than they at first seem. 128 bit symmetric encryption, 128 bit elliptic curve DH and 128 bit MAC are not even _close_ to being the same security.

And if you want to configure things, configuring strong enough ECDHE and strong enough ciphers should be enough... If 128-bit ECDHE is enough, 256-bit symmetric encryption will certainly be enough (can't say the same about 128-bit symmetric encryption).

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
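An added illustration of the point made in this reply (example code written for this page, not from the thread or from any TLS library): it compares the best-known generic classical attack cost against the ECDHE curve with the cost of exhaustive key search on the symmetric key, so that "128-bit" P-256 and "128-bit" AES-128 can be put side by side. The multi-target key-search model and the operation-counting cost model are my assumptions, not something the reply states.

```python
import math

# Constructed cost model: log2 of the number of basic operations for the
# best generic classical attack.  It counts operations only; one P-256
# group operation costs far more than one AES block encryption, so the
# figures are conservative towards ECDHE, not in its favour.


def ecdlp_rho_bits(curve_order_bits: int) -> float:
    """Pollard rho with the negation map needs about sqrt(pi*n/4) group
    operations to solve a discrete log in a group of order n ~ 2^bits."""
    return 0.5 * (math.log2(math.pi) + curve_order_bits - 2)


def keysearch_bits(key_bits: int, log2_targets: int = 0) -> float:
    """Exhaustive key search.  Given 2^log2_targets independent keys that
    each encrypt a known plaintext block, recovering ANY one of them costs
    about 2^(key_bits - log2_targets) trial encryptions (multi-target
    attack).  log2_targets=0 is the familiar single-target figure."""
    return float(key_bits - log2_targets)


def weakest_link(curve_order_bits: int, key_bits: int,
                 log2_targets: int = 0) -> dict:
    """Compare the ECDHE curve with the symmetric key of one cipher suite
    and name the component a well-resourced attacker would go after."""
    ec = ecdlp_rho_bits(curve_order_bits)
    sym = keysearch_bits(key_bits, log2_targets)
    return {
        "ecdhe_bits": round(ec, 1),
        "symmetric_bits": round(sym, 1),
        "weakest": "ECDHE" if ec < sym else "symmetric",
    }


if __name__ == "__main__":
    # The pairing from the original mail: an AES-256 suite with P-256 ECDHE.
    print("P-256 + AES-256, single target:", weakest_link(256, 256))
    # P-256 with AES-128: on paper both sides are "128-bit" ...
    print("P-256 + AES-128, single target:", weakest_link(256, 128))
    # ... but once 2^40 recorded sessions are all acceptable targets, the
    # symmetric key becomes the cheaper one to attack, while the ECDHE
    # cost (one discrete log per session) does not shrink the same way.
    print("P-256 + AES-128, 2^40 targets:", weakest_link(256, 128, 40))
    print("P-256 + AES-256, 2^40 targets:", weakest_link(256, 256, 40))
```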