Paul Wouters writes:
>
> IKEv2 (RFC-7296) states:
>
>    Nonces used in IKEv2 MUST be randomly chosen, MUST be at least 128 bits
>    in size, and MUST be at least half the key size of the negotiated
>    pseudorandom function (PRF).
>
> For SHA2 versions of PRF, we need to look at RFC-4868:
>
> http://tools.ietf.org/html/rfc4868#section-2.4
>
>    The PRF-HMAC-SHA-256 algorithm is identical to HMAC-SHA-256-128,
>    except that variable-length keys are permitted, and the truncation
>    step is NOT performed.  Likewise, the implementations of
>    PRF-HMAC-SHA-384 and PRF-HMAC-SHA-512 are identical to those of
>    HMAC-SHA-384-192 and HMAC-SHA-512-256 respectively, except that
>    again, variable-length keys are permitted, and truncation is NOT
>    performed.
>
>
> So when using SHA2, what should the minimum nonce size be?

128, 192 and 256 bits, depending on the SHA2 variant.

As those are used as PRF, that means that the RFC 4868 says that "key
lengths are variable", but RFC 7296 says:

   "For PRFs based on the HMAC construction, the preferred key size is
   equal to the length of the output of the underlying hash function."

The key lengths for the hashes are then output lengths of the hashes,
i.e. 256, 384 and 256 bits, and as Nonce needs to be at least half of
the key size of the negotiated PRF, that means the minimum sizes are
128, 192 and 256 bits.
-- 
[email protected]
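
Added example, not part of the original thread or of any IKE implementation: a receiver-side check that applies the rule discussed above to a Nonce payload once the PRF has been selected. The function names are hypothetical; the PRF numbers are the IANA IKEv2 transform IDs, and the 256-octet ceiling is the Nonce Data limit from RFC 7296 section 3.9.

```python
import hashlib
import struct

# IANA IKEv2 PRF transform IDs -> underlying hash (HMAC-based PRFs only).
PRF_HASH = {
    2: "sha1",    # PRF_HMAC_SHA1
    5: "sha256",  # PRF_HMAC_SHA2_256
    6: "sha384",  # PRF_HMAC_SHA2_384
    7: "sha512",  # PRF_HMAC_SHA2_512
}
NONCE_MIN_BITS = 128    # RFC 7296 floor, whatever the PRF
NONCE_MAX_OCTETS = 256  # RFC 7296 section 3.9 ceiling on Nonce Data


def min_nonce_bits(prf_id):
    """Minimum nonce size in bits for a negotiated HMAC-based PRF."""
    if prf_id not in PRF_HASH:
        raise ValueError("not an HMAC-based PRF known to this example")
    # Preferred key size = output length of the underlying hash (RFC 7296).
    key_bits = hashlib.new(PRF_HASH[prf_id]).digest_size * 8
    return max(NONCE_MIN_BITS, key_bits // 2)


def parse_nonce_payload(payload):
    """Strip the 4-octet generic payload header and return the Nonce Data."""
    if len(payload) < 4:
        raise ValueError("truncated generic payload header")
    _next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError("Payload Length field does not match buffer")
    return payload[4:]


def check_peer_nonce(payload, prf_id):
    """Return the peer nonce if acceptable for the selected PRF, else raise."""
    nonce = parse_nonce_payload(payload)
    if len(nonce) > NONCE_MAX_OCTETS:
        raise ValueError("nonce longer than 256 octets")
    if len(nonce) * 8 < min_nonce_bits(prf_id):
        raise ValueError("nonce too short for negotiated PRF")
    return nonce


def build_nonce_payload(nonce, next_payload=0):
    """Constructed sample input: generic header followed by Nonce Data."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(nonce)) + nonce
```

A 16-octet nonce passes for PRF_HMAC_SHA2_256 but is rejected for PRF_HMAC_SHA2_384 and PRF_HMAC_SHA2_512, which need 24 and 32 octets.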
