The key exchange produces two values: a shared secret K, and an exchange hash H. Encryption and authentication keys are derived from these. The exchange hash H from the first key exchange is additionally used as the session identifier, which is a unique identifier for this connection. It is used by authentication methods as a part of the data that is signed as a proof of possession of a private key. Once computed, the session identifier is not changed, even if keys are later re-exchanged.

Cipher Name (modes) | Estimated Security Strength |
---|---|
3des (cbc) | 112 bits |
aes128 (cbc, ctr, gcm) | 128 bits |
aes192 (cbc, ctr, gcm) | 192 bits |
aes256 (cbc, ctr, gcm) | 256 bits |

Hash Name | Estimated Security Strength |
---|---|
sha1 | 80 bits (before attacks) |
sha256 | 128 bits |
sha384 | 192 bits |
sha512 | 256 bits |

Curve Name | Estimated Security Strength |
---|---|
nistp256 | 128 bits |
nistp384 | 192 bits |
nistp521 | 512 bits |
curve25519 | 128 bits |
curve448 | 224 bits |

Prime Field Size | Estimated Security Strength | Example MODP Group |
---|---|---|
2048-bit | 112 bits | group14 |
3072-bit | 128 bits | group15 |
4096-bit | 152 bits | group16 |
6144-bit | 176 bits | group17 |
8192-bit | 200 bits | group18 |

Key Exchange Method | Estimated Security Strength |
---|---|
rsa1024-sha1 | 80 bits |
rsa2048-sha256 | 112 bits |

This process will lose entropy if the amount of entropy in K is larger than the internal state size of HASH.
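
The first paragraph and the sentence above both concern the key derivation of RFC 4253 section 7.2, which hashes K and H into each key. The following is an added example, not text from the RFC or code from any SSH implementation: it derives the six keys, fixes the session identifier at the first exchange, and keeps it across a re-exchange. `SshSession`, `KEY_LAYOUT` and `constructed_kex` are hypothetical names, the aes256-ctr with hmac-sha2-256 key sizes are an assumption, and K and H are constructed values rather than the output of a real exchange.

```python
import hashlib

# Key labels from RFC 4253 section 7.2, sized here for aes256-ctr with hmac-sha2-256
# (assumed suite): IVs 16 bytes, cipher keys 32 bytes, MAC keys 32 bytes.
KEY_LAYOUT = {b"A": 16, b"B": 16, b"C": 32, b"D": 32, b"E": 32, b"F": 32}

def mpint(n: int) -> bytes:
    """RFC 4251 mpint for a non-negative integer: uint32 length, big-endian body."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big") if n else b""
    return len(body).to_bytes(4, "big") + body

def derive_key(hash_name, K, H, label, session_id, length):
    """K1 = HASH(K || H || label || session_id); Kn = HASH(K || H || K1 || ... || Kn-1)."""
    prefix = mpint(K) + H
    out = hashlib.new(hash_name, prefix + label + session_id).digest()
    while len(out) < length:          # extension blocks add no entropy beyond K and H
        out += hashlib.new(hash_name, prefix + out).digest()
    return out[:length]

class SshSession:
    """Hypothetical holder for per-connection key state."""
    def __init__(self, hash_name="sha256"):
        self.hash_name = hash_name
        self.session_id = None
        self.keys = {}

    def on_kex_done(self, K: int, H: bytes):
        if self.session_id is None:   # only the first exchange hash becomes the session id
            self.session_id = H
        self.keys = {label: derive_key(self.hash_name, K, H, label, self.session_id, size)
                     for label, size in KEY_LAYOUT.items()}

def constructed_kex(tag: bytes):
    """Constructed stand-in for a real exchange: K and H are just hashes of a tag."""
    K = int.from_bytes(hashlib.sha256(b"K" + tag).digest(), "big")
    H = hashlib.sha256(b"H" + tag).digest()
    return K, H

if __name__ == "__main__":
    s = SshSession()
    s.on_kex_done(*constructed_kex(b"initial"))
    sid, first = s.session_id, dict(s.keys)
    s.on_kex_done(*constructed_kex(b"rekey"))
    print("session id unchanged:", s.session_id == sid)
    print("keys replaced:", all(s.keys[l] != first[l] for l in KEY_LAYOUT))
```
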

Key Exchange Method Name | Guidance |
---|---|
curve25519-sha256 | |
gss-curve25519-sha256-* |

Key Exchange Method Name | Guidance |
---|---|
curve448-sha512 | |
gss-curve448-sha512-* |

Key Exchange Method Name | Guidance |
---|---|
ecdh-sha2-* | |
ecdh-sha2-nistp256 | |
gss-nistp256-sha256-* | |
ecdh-sha2-nistp384 | |
gss-nistp384-sha384-* | |
ecdh-sha2-nistp521 | |
gss-nistp521-sha512-* | |
ecmqv-sha2 |

Key Exchange Method Name | Guidance |
---|---|
diffie-hellman-group-exchange-sha1 | |
diffie-hellman-group-exchange-sha256 |

Key Exchange Method Name | Guidance |
---|---|
diffie-hellman-group14-sha256 | |
gss-group14-sha256-* | |
diffie-hellman-group15-sha512 | |
gss-group15-sha512-* | |
diffie-hellman-group16-sha512 | |
gss-group16-sha512-* | |
diffie-hellman-group17-sha512 | |
gss-group17-sha512-* | |
diffie-hellman-group18-sha512 | |
gss-group18-sha512-* |

Key Exchange Method Name | Guidance |
---|---|
rsa1024-sha1 | |
rsa2048-sha256 |

Key Exchange Method Name | Reference | Previous Recommendation | RFC 9142 Implement |
---|---|---|---|
curve25519-sha256 | none | ||
curve448-sha512 | none | ||
diffie-hellman-group-exchange-sha1 | none | ||
diffie-hellman-group-exchange-sha256 | none | ||
diffie-hellman-group1-sha1 | |||
diffie-hellman-group14-sha1 | |||
diffie-hellman-group14-sha256 | none | ||
diffie-hellman-group15-sha512 | none | ||
diffie-hellman-group16-sha512 | none | ||
diffie-hellman-group17-sha512 | none | ||
diffie-hellman-group18-sha512 | none | ||
ecdh-sha2-* | |||
ecdh-sha2-nistp256 | |||
ecdh-sha2-nistp384 | |||
ecdh-sha2-nistp521 | |||
ecmqv-sha2 | |||
ext-info-c | |||
ext-info-s | |||
gss- | reserved | reserved | |
gss-curve25519-sha256-* | |||
gss-curve448-sha512-* | |||
gss-gex-sha1-* | |||
gss-group1-sha1-* | |||
gss-group14-sha1-* | |||
gss-group14-sha256-* | |||
gss-group15-sha512-* | |||
gss-group16-sha512-* | |||
gss-group17-sha512-* | |||
gss-group18-sha512-* | |||
gss-nistp256-sha256-* | |||
gss-nistp384-sha384-* | |||
gss-nistp521-sha512-* | |||
rsa1024-sha1 | |||
rsa2048-sha256 |

OK to Implement guidance entries for registrations that pre-date [RFC9142] are found in Table 12 in Section 4 of [RFC9142].