> This is the working group last call for the "ECDHE_PSK with AES-GCM and
> AES-CCM CSs for TLS" draft

I am curious about the choice of hash function for
TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256. All of the other AES-256
ciphersuites defined in this document use SHA-384. Why does the one
with a truncated authentication tag use SHA-256?

The Security Consideration includes:

   Use of Pre-Shared Keys of limited entropy (for example, a PSK that
   is relatively short, or was chosen by a human and thus may contain
   less entropy than its length would imply) may allow an active
   attacker to perform a brute-force attack where the attacker
   attempts to connect to the server and tries different keys.

Given the mention of passwords, it seems that dictionary attacks should
also be mentioned.

Russ