gnutls-3.0.9, PSK and SECURE256

Michael Weiser michael at
Sun Dec 18 23:04:17 CET 2011

Hi Nikos,

On Sun, Dec 18, 2011 at 07:25:08PM +0100, Nikos Mavrogiannopoulos wrote:

> > I don't want to debate the reason for removing AES128 from SECURE256.
> > Obviously the security level with SECURE128 is just as high (or low)
> > as before. Rather I wonder, why PSK isn't used in conjunction with
> > AES256?
> There is very little point to use SECURE256. This is really an insane
> security level that has to be supported by public keys of equivalent
> level (e.g. for DHE in your case) that are of a size that probably 
> would make the handshake extremely slow.

> However, for the situation you describe the issue isn't AES-256 but the 
> fact that the PSK ciphersuites (in rfc4279) are defined using SHA-1, which 
> isn't available any more in the 256-bit security level.

Will this be the case for the foreseeable future or is something
better/more secure/fancier/faster already coming?

Should I contemplate moving away from PSK in favour of public key
authentication in order to get a stronger hashing algorithm?

BTW: My program currently ends up using ECDHE_PSK_AES_128_CBC_SHA256.
Isn't SHA256 actually SHA-2, not SHA-1?
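As an added illustration of the point under discussion (not code from the thread or from GnuTLS itself): the snippet below parses GnuTLS-style PSK ciphersuite names, reports whether the MAC is SHA-1 (the RFC 4279 suites) or SHA-2 (the RFC 5487/5489 variants), and filters a constructed list against a security level. The level rule (cipher key size and MAC hash output must each be at least the level in bits) is this example's own approximation of how a SECURE128/SECURE256 policy excludes suites, not GnuTLS's actual priority tables; the authoritative check for a given build is `gnutls-cli --priority SECURE256 -l`.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample list (not taken from a GnuTLS build): the RFC 4279 PSK
# suites with a SHA-1 MAC and the SHA-2 variants from RFC 5487 / RFC 5489,
# written in GnuTLS naming style.
SAMPLE_SUITES = [
    "PSK_AES_128_CBC_SHA1",
    "PSK_AES_256_CBC_SHA1",
    "DHE_PSK_AES_128_CBC_SHA1",
    "DHE_PSK_AES_256_CBC_SHA1",
    "PSK_AES_128_CBC_SHA256",
    "PSK_AES_256_CBC_SHA384",
    "DHE_PSK_AES_128_CBC_SHA256",
    "DHE_PSK_AES_256_CBC_SHA384",
    "ECDHE_PSK_AES_128_CBC_SHA256",
    "ECDHE_PSK_AES_256_CBC_SHA384",
]

# Output size of the hash behind each MAC suffix. SHA1 is the SHA-1 family;
# SHA256 and SHA384 are members of the SHA-2 family.
HASH_BITS = {"SHA1": 160, "SHA256": 256, "SHA384": 384}

PATTERN = re.compile(
    r"^(?P<kx>(?:DHE_|ECDHE_|RSA_)?PSK)_AES_(?P<bits>128|256)_CBC_"
    r"(?P<mac>SHA1|SHA256|SHA384)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str   # PSK, DHE_PSK, ECDHE_PSK or RSA_PSK
    cipher_bits: int    # AES key size
    mac: str            # SHA1, SHA256 or SHA384
    mac_family: str     # "SHA-1" or "SHA-2"


def parse_suite(name: str) -> Suite:
    """Split a GnuTLS-style PSK/AES-CBC suite name into its components."""
    m = PATTERN.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    mac = m.group("mac")
    family = "SHA-1" if mac == "SHA1" else "SHA-2"
    return Suite(name, m.group("kx"), int(m.group("bits")), mac, family)


def meets_level(suite: Suite, level: int) -> bool:
    """Assumed policy rule (this example's approximation, not GnuTLS's own
    table): both the cipher key and the MAC hash output must be at least
    `level` bits. At 128 this admits SHA-1 (160 bits); at 256 it drops
    SHA-1 and every AES-128 suite."""
    return suite.cipher_bits >= level and HASH_BITS[suite.mac] >= level


def filter_suites(names: List[str], level: int) -> List[str]:
    """Return the suite names from `names` that survive at `level`."""
    return [n for n in names if meets_level(parse_suite(n), level)]


if __name__ == "__main__":
    for lvl in (128, 256):
        print(f"level {lvl}: {filter_suites(SAMPLE_SUITES, lvl)}")
    print(parse_suite("ECDHE_PSK_AES_128_CBC_SHA256").mac_family)
```

Running it shows that every RFC 4279 suite (SHA-1 MAC) passes the 128-bit filter but none passes the 256-bit one, and that only the AES-256/SHA-384 suites remain at 256; the suite the original poster negotiated, ECDHE_PSK_AES_128_CBC_SHA256, parses with a SHA-2 MAC but is excluded at 256 because of its AES-128 cipher under the assumed rule.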
