"Man Ho (Certizen)" <[email protected]> writes:

>If there are no constraints on choosing SHA-256, SHA-384 or SHA-512, why are CAs
>so conservative and prefer SHA-256 rather than SHA-512? I think going
>directly to a higher security strength should be preferable.

What extra security does -512 give you that -256 doesn't? I mean actual security against real threats, rather than just "it has a bigger number so it must be better"?

What I've heard was that the extra-sized hashes were added mostly for political reasons, in the same way that AES-192 and -256 were added for political reasons (there was a perceived need to have a "keys go to 10" and a "keys go to 11" form for Suite B, since government users would look over at non-suite-B crypto with keys that went to 11 and wonder why they couldn't have that too).

Given that there's no effective security difference, you need to look at other issues. SHA-512 certainly leads to a loss in performance when used as a MAC and you have to attach 64 bytes of MAC to a ten-byte payload. In addition the need to have 64-bit op support makes SHA-512 suck on 32-bit systems, which is most of the embedded world.

Peter.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

