"People are doing it anyway" is a really terrible reason for IETF to
publish an RFC.

And yes, I know people did RSA-512 for a long time. And it led to FREAK.
That should be a cautionary tale about why we should prefer layered/hybrid
solutions, not an example of "well it worked okay for 10 years so that's
fine".

-Brian

On Fri, Jul 3, 2026, 8:56 PM Peter Gutmann <[email protected]>
wrote:

> Brian Resnik <[email protected]> writes:
>
> >SHA-256 Truncated to 32 bits (SHA-256/32)
> >
> >This RFC has value because ultra-low-bandwidth mesh networks cannot
> afford a
> >32-byte overhead per packet for a full SHA-256 hash.
>
> I know you're joking with this but I've worked with devices that truncate
> their MAC to 16 bits for power-utilisation reasons and it's perfectly
> secure
> the way they're using it.
>
> Having said that, the organisation using this mechanism is also big enough
> that they don't need an RFC to tell them which end to truncate from.
>
> >AES in Electronic Codebook (AES-ECB) Mode
>
> Also fine when you're encrypting <= 128 bits in a system with just enough
> space for a 128-bit block.
>
> >RSA with 512-bit Keys (RSA-512)
>
> A large percentage of the DKIM-using world did this for something like a
> decade without anyone ever attacking it, even when the keys were as short
> as
> 384 bits.  So this is also fine in systems that no-one cares about.
>
> This has probably turned into an argument in favour of pure ML-KEM,
> although
> it wasn't meant to be that.
>
> Peter.
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to