IETF-SSH archive


Re: SHA-2 based HMAC algorithm...



> My gut-feeling is that the suggested keysize (64 bytes,
> 512 bits) for hmac-sha2-512 is ridiculously large for a
> symmetric cryptographic construction. 20 bytes (160 bits)
> seem sufficient, and 32 bytes (256 bits) is overkill for
> the foreseeable future.

That could likely be the case.

On the other hand, if someone is going to choose HMAC-SHA2-512, they are 
likely choosing it for the bigger numbers over HMAC-SHA2-256.

I think HMAC-SHA2-512 is likely an overkill. 64 bytes for integrity 
verification, appended to every message, is a lot. At the moment, I 
won't be implementing support for this algorithm because it just seems 
like it has little benefit over HMAC-SHA2-256.

If others don't plan to support SHA2-512 either, we can consider simply 
removing it.

But if people intend to support HMAC-SHA2-512, then they want it for the 
bigger numbers. And in that case, why not give them a big key size, too?

I'm not seeing how the larger key size hurts. According to my 
measurement at least, the performance impact of encryption and MAC is 
negligible compared to other aspects of an SSH session. It seems to me 
that the mammoth size of the digest itself would matter more than the 
key size, if you're going for SHA2-512 to begin with.

denis
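
The key-size versus digest-size trade-off discussed above, as an added example that is not part of the original message: it derives an integrity key of the requested length with the RFC 4253 section 7.2 extension rule and computes the per-packet MAC of section 6.4, so the one-time key cost can be set against the per-packet tag cost. The key length equal to the digest length for both algorithms, the SHA-1 key exchange hash, and all sample values are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import struct

def mpint(n: int) -> bytes:
    """SSH mpint encoding of a positive integer (RFC 4251, section 5)."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")  # keeps the sign bit clear
    return struct.pack(">I", len(body)) + body

def derive_key(kex_hash, K, H, letter, session_id, need):
    """RFC 4253 section 7.2: K1 = HASH(K||H||X||session_id),
    Kn = HASH(K||H||K1||...||Kn-1). Returns (key, number of hash calls)."""
    prefix = mpint(K) + H
    out = hashlib.new(kex_hash, prefix + letter + session_id).digest()
    calls = 1
    while len(out) < need:
        out += hashlib.new(kex_hash, prefix + out).digest()
        calls += 1
    return out[:need], calls

def packet_mac(mac_hash, key, seq, packet):
    """RFC 4253 section 6.4: MAC(key, sequence_number || unencrypted_packet)."""
    return hmac.new(key, struct.pack(">I", seq) + packet, mac_hash).digest()

def compare(kex_hash="sha1"):
    # Constructed sample values, not taken from a real session.
    K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
    H = hashlib.new(kex_hash, b"constructed exchange hash").digest()
    packet = bytes(32)  # constructed 32-byte unencrypted packet
    rows = {}
    # Assumption: key length equals digest length for both MACs.
    for name, mac_hash, size in (("hmac-sha2-256", "sha256", 32),
                                 ("hmac-sha2-512", "sha512", 64)):
        # "E" selects the client-to-server integrity key; session_id is H
        # for the first key exchange.
        key, calls = derive_key(kex_hash, K, H, b"E", H, size)
        tag = packet_mac(mac_hash, key, 0, packet)
        rows[name] = {"key_len": len(key), "kdf_hash_calls": calls,
                      "tag_len": len(tag), "wire_len": len(packet) + len(tag)}
    return rows

if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

The extra key material costs a few hash calls once per key exchange, while the tag length is added to every packet sent.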




