On Wed, Jan 8, 2014 at 8:34 PM, Peter Gutmann <[email protected]> wrote:
> "Man Ho (Certizen)" <[email protected]> writes:
>
> >If there are no constraints on choosing SHA-256, SHA-384 or SHA-512, why CAs
> >are so conservative and prefer SHA-256 rather than SHA-512? I think going
> >directly to a higher security strength should be preferable.
>
> What extra security does -512 give you that -256 doesn't? I mean actual
> security against real threats, rather than just "it has a bigger number so it
> must be better"? What I've heard was that the extra-sized hashes were added
> mostly for political reasons, in the same way that AES-192 and -256 were added
> for political reasons (there was a perceived need to have a "keys go to 10"
> and a "keys go to 11" form for Suite B, since government users would look over
> at non-suite-B crypto with keys that went to 11 and wonder why they couldn't
> have that too).

The main advantage is more rounds to crypto. In PPE I use SHA-512 and truncate
to 128 bits for Phingerprints.

--
Website: http://hallambaker.com/

