Code review request, JDK-6956398, make ephemeral DH key match the length of the certificate key

Xuelei Fan xuelei.fan at oracle.com
Sun Sep 22 03:15:58 UTC 2013 

Hi Weijun,

Are you available to review this update?

webrev: http://cr.openjdk.java.net/~xuelei/6956398/webrev.00/

This is an enhancement to support stronger ephemeral DH keys during TLS
handshaking.  A new system property is defined
"jdk.tls.ephemeralDHKeySize".  By default, the value of this system
property is not defined.  This system property won't impact DH key size
in ServerKeyExchange message of exportable cipher suites.

If this system property is defined as "legacy", no actually behavior
change within this update.

If this system property is defined as "smart", for non-exportable
anonymous cipher suites, the DH key size in ServerKeyExchange message is
updated from 768 bits to 1024 bits; and for X.509 certificate based
authentication (of non-exportable cipher suites), the DH key size
matching the corresponding authentication key is used except that the
size should be between 1024 bits and 2048 bits.  For example, if the
public key size of an authentication certificate is 2048 bits, then the
ephemeral DH key size should be 2048 bits accordingly unless the cipher
suite is exportable.

If this system property is defined as a valid integer between 1024 and
2048 inclusive, a fixed ephemeral DH key size as the specified integer
value will be used for non-exportable cipher suites.

If this system property is not defined, or the value is other than
"legacy", "smart" and a valid integer, 1024 bits DH key is always used
for non-exportable cipher suites.

Note that with this fix, the biggest acceptable key size is 2048 bits
because DH keys bigger than 2048 bits may be not supported by underlying
JCE providers (for example, SunJCE provider).

We may update the default ephemeral DH key size (which is 1024 bits with
this fix) again in the future if the industry needs to use stronger
strength.

This update only impact DHE_RSA, DHE_DSS and DH_anon based cipher suites
in Oracle provider.

Here is a recap of the behaviors:

jdk.tls.ephemeralDHKeySize | legacy | smart |  integer | other
                           |        |       |  (fixed) |
---------------------------+--------+-------+----------+------
exportable DH key size     |  512   |  512  |      512 |   512
---------------------------+--------+-------+----------+------
anonymous                  |  768   | 1024  | fixed[+] |  1024
---------------------------+--------+-------+----------+------
authentication cert        |  768   |  [*]  | fixed[+] |  1024


[*]: the key size the same as the authentication certificate, but should
be between 1024-bits and 2048-bits, inclusive.
[+]: the fixed key size is specified by a valid integer property value,
which should be between 1024-bits and 2048-bits, inclusive.


Thanks,
Xuelei

More information about the security-dev mailing list