Johannes Merkle <[email protected]> writes:

> 256 bit output length is enough to prevent
> birthday-paradox/digest-guessing attacks (which require n^(1/2)
> outputs), thus I prefer HMAC256SHA512 over HMAC384SHA512. For SHA-256
> the situation is different, as collecting 2^64 outputs is not so
> completely unthinkable (albeit still not practical).
>
> Thus, I suggest defining usmHMAC192SHA256AuthProtocol as MUST, and
> usmHMAC256SHA512AuthProtocol as SHOULD.

I'm not entirely convinced that a 256bit truncation is better than a 384
bit truncation, so my preference would be to include just two (not 6)
algorithms because I don't think they're all needed and will just make
things more confusing. So I'd pick the best two of the 6 and go with
them, for which my preference would be:

1) MUST:   usmHMAC192SHA256AuthProtocol
   SHOULD: usmHMAC384SHA512AuthProtocol

2) MUST:   usmHMAC192SHA256AuthProtocol
   SHOULD: usmHMAC256SHA512AuthProtocol

-- 
Wes Hardaker
Parsons

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
