The key exchange produces two values: a shared secret K, and an exchange hash H. Encryption and authentication keys are derived from these. The exchange hash H from the first key exchange is additionally used as the session identifier, which is a unique identifier for this connection. It is used by authentication methods as a part of the data that is signed as a proof of possession of a private key. Once computed, the session identifier is not changed, even if keys are later re-exchanged.

Cipher Name (modes) | Estimated Security Strength |
---|---|
3des (cbc) | 112 bits |
aes128 (cbc, ctr, gcm) | 128 bits |
aes192 (cbc, ctr, gcm) | 192 bits |
aes256 (cbc, ctr, gcm) | 256 bits |

Hash Name | Estimated Security Strength |
---|---|
sha1 | 80 bits (before attacks) |
sha256 | 128 bits |
sha384 | 192 bits |
sha512 | 256 bits |

Curve Name | Estimated Security Strength |
---|---|
nistp256 | 128 bits |
nistp384 | 192 bits |
nistp521 | 512 bits |
curve25519 | 128 bits |
curve448 | 224 bits |

Prime Field Size | Estimated Security Strength | Example MODP Group |
---|---|---|
2048-bit | 112 bits | group14 |
3072-bit | 128 bits | group15 |
4096-bit | 152 bits | group16 |
6144-bit | 176 bits | group17 |
8192-bit | 200 bits | group18 |

Key Exchange Method | Estimated Security Strength |
---|---|
rsa1024-sha1 | 80 bits |
rsa2048-sha256 | 112 bits |

This process will lose entropy if the amount of entropy in K is larger than the internal state size of HASH.
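
An added example (not code from the RFC or any SSH implementation) of the RFC 4253, Section 7.2 derivation that turns K and H into keys, showing that the session identifier stays fixed across a re-exchange and that K reaches every key only through HASH. The function names are hypothetical and the K and H values are constructed.

```python
import hashlib

def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    # The extra bit forces a leading zero byte when the top bit would be set.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body

def derive_key(hash_name: str, K: int, H: bytes, label: bytes,
               session_id: bytes, length: int) -> bytes:
    """RFC 4253 section 7.2: K1 = HASH(K || H || label || session_id),
    extended with Kn = HASH(K || H || K1 || ... || Kn-1) until long enough."""
    prefix = mpint(K) + H          # K reaches the output only through HASH
    out = hashlib.new(hash_name, prefix + label + session_id).digest()
    while len(out) < length:
        out += hashlib.new(hash_name, prefix + out).digest()
    return out[:length]

def session_keys(hash_name, K, H, session_id, length=32):
    """The six values (labels "A".."F"): IVs, cipher keys, integrity keys."""
    return {c: derive_key(hash_name, K, H, c.encode(), session_id, length)
            for c in "ABCDEF"}

# Constructed sample values, not taken from a real connection.
K1 = int.from_bytes(hashlib.sha512(b"constructed secret 1").digest(), "big")
H1 = hashlib.sha256(b"constructed exchange hash 1").digest()
K2 = int.from_bytes(hashlib.sha512(b"constructed secret 2").digest(), "big")
H2 = hashlib.sha256(b"constructed exchange hash 2").digest()

SESSION_ID = H1                                     # fixed at the first exchange
first = session_keys("sha256", K1, H1, SESSION_ID)
rekey = session_keys("sha256", K2, H2, SESSION_ID)  # new K and H, same session_id

if __name__ == "__main__":
    for label in "ABCDEF":
        print(label, first[label].hex(), rekey[label].hex())
```
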

Key Exchange Method Name | Guidance |
---|---|
curve25519-sha256 | |
gss-curve25519-sha256-* | |

Key Exchange Method Name | Guidance |
---|---|
curve448-sha512 | |
gss-curve448-sha512-* | |

Key Exchange Method Name | Guidance |
---|---|
ecdh-sha2-* | |
ecdh-sha2-nistp256 | |
gss-nistp256-sha256-* | |
ecdh-sha2-nistp384 | |
gss-nistp384-sha384-* | |
ecdh-sha2-nistp521 | |
gss-nistp521-sha512-* | |
ecmqv-sha2 | |

Key Exchange Method Name | Guidance |
---|---|
diffie-hellman-group-exchange-sha1 | |
diffie-hellman-group-exchange-sha256 | |

Key Exchange Method Name | Guidance |
---|---|
diffie-hellman-group14-sha256 | |
gss-group14-sha256-* | |
diffie-hellman-group15-sha512 | |
gss-group15-sha512-* | |
diffie-hellman-group16-sha512 | |
gss-group16-sha512-* | |
diffie-hellman-group17-sha512 | |
gss-group17-sha512-* | |
diffie-hellman-group18-sha512 | |
gss-group18-sha512-* | |

Key Exchange Method Name | Guidance |
---|---|
rsa1024-sha1 | |
rsa2048-sha256 | |

Key Exchange Method Name | Reference | Previous Recommendation | RFC 9142 Implement |
---|---|---|---|
curve25519-sha256 | | none | |
curve448-sha512 | | none | |
diffie-hellman-group-exchange-sha1 | | none | |
diffie-hellman-group-exchange-sha256 | | none | |
diffie-hellman-group1-sha1 | | | |
diffie-hellman-group14-sha1 | | | |
diffie-hellman-group14-sha256 | | none | |
diffie-hellman-group15-sha512 | | none | |
diffie-hellman-group16-sha512 | | none | |
diffie-hellman-group17-sha512 | | none | |
diffie-hellman-group18-sha512 | | none | |
ecdh-sha2-* | | | |
ecdh-sha2-nistp256 | | | |
ecdh-sha2-nistp384 | | | |
ecdh-sha2-nistp521 | | | |
ecmqv-sha2 | | | |
ext-info-c | | | |
ext-info-s | | | |
gss- | | reserved | reserved |
gss-curve25519-sha256-* | | | |
gss-curve448-sha512-* | | | |
gss-gex-sha1-* | | | |
gss-group1-sha1-* | | | |
gss-group14-sha1-* | | | |
gss-group14-sha256-* | | | |
gss-group15-sha512-* | | | |
gss-group16-sha512-* | | | |
gss-group17-sha512-* | | | |
gss-group18-sha512-* | | | |
gss-nistp256-sha256-* | | | |
gss-nistp384-sha384-* | | | |
gss-nistp521-sha512-* | | | |
rsa1024-sha1 | | | |
rsa2048-sha256 | | | |

OK to Implement guidance entries for registrations that pre-date [RFC9142] are found in Table 12 in Section 4 of [RFC9142].