Hi Marco, actually X25519 DH group 31 has a security strength of 128 bits, similar to ECP-256, although the Curve25519 characteristics are much better than those of the ECP-256 NIST curve.
The "Goldilocks" X448 (DH group 32) has a security strength of 224 bits which is half-way between 192 bits and 256 bits. strongSwan doesn't support X448 yet. Best regards Andreas On 20.07.2018 14:43, Marco Berizzi wrote: > Hi Tobias, > > I think this is an underestimated point. Deserves more attention. > >> The cryptographic strength of all ciphers in a cipher suite should be >> consistent. For instance, using AES-256 for ESP is basically wasted >> when using MODP-2048 because that has only an estimated strength of 112 >> bits (same for ECP-256 whose estimated strength is 128 bits). > > Adding your above remark to [3] would be extremely useful. > > According to this paper [1] MODP-1536 is broken (< 112 bits of security > strength), and according to this nist publication [2], the only way to > be consistent with AES-256 is ECP-521 (diffie hellmann group 21) or x25519 > (diffie hellmann group 31). > > The MODP-3072 or ECP-256 is the minimum for being consistent with AES-128. > > So a simple consistent table could be: > > AES-128 ==>> MODP-3072 or ECP-256 > AES-192 ==>> MODP-8192 or ECP-384 > AES-256 ==>> ECP521 or x25519 > > [1] > https://csrc.nist.gov/csrc/media/publications/sp/800-131a/rev-1/final/documents/sp800-131a_r1_draft.pdf > [2] > https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-57pt1r4.pdf > [3] > https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations > -- ====================================================================== Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Open Source VPN Solution! www.strongswan.org Institute for Networked Solutions HSR University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[INS-HSR]==
smime.p7s
Description: S/MIME Cryptographic Signature