Code Review Request, 7109274, Consider disabling support for X.509 certificates with RSA keys less than 1024 bits

Xuelei Fan xuelei.fan at oracle.com
Thu Dec 13 19:48:45 PST 2012


We cannot go that far in crypto libraries because of compatibility.
Applications need to take the responsibility to use proper strength.
At the crypto library level, we are only able to enforce restrictions
on very weak algorithms and key sizes, such as MD2 and RSA-512.  Otherwise,
those applications that still need to use RSA-1024, SHA1/MD5 will run
into serious compatibility issues.

Xuelei

On 12/14/2012 11:21 AM, Michael StJohns wrote:
> Does this go far enough?
> 
> If you're going with NIST recommendations, anything less than 112 bits of strength is now considered weak.  The guidance is those strengths are deprecated now, and prohibited after the end of 2013.  In addition, SHA1 is deprecated now and prohibited after 2013 for signatures (still acceptable for other things).
> 
> RSA 1024 bits is about 80 bits of security so the relative key bit lengths are DSA and RSA < 1024 and EC < 160 should probably be disabled in this pass.
> 
> After the end of next year, DSA and RSA < 2048 and EC < 224  as well as SHA1 for signatures should be disabled.
> 
> Mike
> 
> 
> At 08:12 PM 12/11/2012, Xuelei Fan wrote:
>> Hi,
>>
>> Please review the update for JDK-7109274, Consider disabling support for
>> X.509 certificates with RSA keys less than 1024 bits.
>>
>> Webrev: http://cr.openjdk.java.net./~xuelei/7109274/webrev.00/
>>
>> The bug description is not available at bugs.sun.com at present. The
>> purpose of this update is to disable the support of X.509 certificates
>> with RSA keys less than 1024 bits.
>>
>> The key length is an important security parameter to determine the
>> strength of public key based cryptographic algorithms. RSA keys less
>> than 1024 bits are considered breakable [1][2].
>>
>> In this update, we are proposing to restrict the use of certificates
>> with RSA keys less than 1024 bits in length.  This restriction is
>> applied via the Java Security property,
>> "jdk.certpath.disabledAlgorithms" [1].  This will impact providers that
>> adhere to this security property, for example, the Sun provider and the
>> SunJSSE provider.
>>
>> The security property, "jdk.certpath.disabledAlgorithms", also covers
>> the use of the static keys (the key in X.509 certificate) used in TLS.
>> Therefore, we don't need to add any further restrictions to the
>> "jdk.tls.disabledAlgorithms" security property.
>>
>> With this key size restriction, those who use X.509 certificates based
>> on RSA keys less than 1024 bits will encounter compatibility issues with
>> certification path building and validation.  This key size restriction
>> also impacts JDK components that validate X.509 certificates, for
>> example signed JAR verification, SSL/TLS transportation, HTTPS
>> connections, etc.
>>
>> In order to avoid the compatibility issue, users who use X.509
>> certificates with RSA keys less than 1024 bits are recommended to renew
>> their certificates with stronger keys.  As a workaround, at their own
>> risk, users can adjust the key size restriction security property
>> ("jdk.certpath.disabledAlgorithms") or use the
>> java.security.AlgorithmConstraints (introduced in JDK 7) to permit
>> smaller key sizes.
>>
>> Thanks,
>> Xuelei
>>
>> [1]: http://blogs.rsa.com/rsa-768-factored/
>> [2]: http://technet.microsoft.com/en-us/security/advisory/2661254
> 
> 
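
The key-size check discussed in this thread, written against the java.security.AlgorithmConstraints interface that the quoted review request mentions. This is an added example, not code from the webrev or from the JDK; the class name MinRsaKeySizeConstraints is hypothetical and the sample keys are generated locally for the demonstration.

```java
import java.security.*;
import java.security.interfaces.RSAKey;
import java.util.EnumSet;
import java.util.Set;

// Added example: hypothetical class, not part of the JDK or the webrev.
public class MinRsaKeySizeConstraints implements AlgorithmConstraints {
    private final int minBits;

    public MinRsaKeySizeConstraints(int minBits) { this.minBits = minBits; }

    // An algorithm name alone carries no key size, so nothing is rejected here.
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                           AlgorithmParameters parameters) {
        return true;
    }

    // The key-size check: an RSA key passes only if its modulus is long enough.
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
        if (key instanceof RSAKey) {
            return ((RSAKey) key).getModulus().bitLength() >= minBits;
        }
        return true; // non-RSA keys are out of scope for this example
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                           Key key, AlgorithmParameters parameters) {
        return permits(primitives, algorithm, parameters) && permits(primitives, key);
    }

    public static void main(String[] args) throws Exception {
        // Value currently configured in java.security (null if the property is unset).
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));

        AlgorithmConstraints constraints = new MinRsaKeySizeConstraints(1024);
        Set<CryptoPrimitive> sig = EnumSet.of(CryptoPrimitive.SIGNATURE);
        for (int bits : new int[] {512, 1024, 2048}) {
            // Constructed sample keys, generated here only to exercise the check.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(bits);
            PublicKey pub = kpg.generateKeyPair().getPublic();
            System.out.println("RSA-" + bits + " permitted: " + constraints.permits(sig, pub));
        }
    }
}
```

An application that wants a stricter floor than the library default can pass such an object to SSLParameters.setAlgorithmConstraints with a larger minimum.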


