Code Review Request JDK-8148516: Improve the default strength of EC in JDK
Xuelei Fan
xuelei.fan at oracle.com
Thu May 19 12:42:27 UTC 2016
Hi,
Please review this enhancement. The feature complete date is coming up
next week. I would appreciate it very much if I could get your feedback
before next Monday:
http://cr.openjdk.java.net/~xuelei/8148516/webrev.00/
In this update, EC keys less than 224 bits are disabled and EC curves
weaker than 256 bits are removed from the default enabled list in JDK.
We plan to backport the update to JDK 8u/7u/6u, too.
Thanks,
Xuelei
Updates:
=======
1. Restrict EC keys less than 224 bits in certification path processing
and SSL/TLS/DTLS connections.
In this update, we are proposing to restrict the use of EC keys less
than 224 bits in length. This restriction is applied via the Java
Security properties, "jdk.certpath.disabledAlgorithms" and
"jdk.tls.disabledAlgorithms". This will impact providers that adhere to
the Security Properties, for example, the Sun provider and the SunJSSE
provider.
With this key size restriction, those who use X.509 certificates based
on EC keys less than 224 bits will encounter compatibility issues with
certification path building and validation. This key size restriction
also impacts JDK components that validate X.509 certificates, for
example signed JAR verification, LDAP over SSL/TLS connections, HTTPS
connections, etc.
In order to avoid the compatibility issue, users who use X.509
certificates with EC keys less than 224 bits are recommended to renew
their certificates with stronger keys. As a workaround, at their own
risk, users can adjust the key size restriction Security Properties
("jdk.certpath.disabledAlgorithms", and "jdk.tls.disabledAlgorithms" if
using SSL/TLS/DTLS connections) to permit smaller key sizes.
2. Remove curves weaker than 256 bits from the default enabled list in JDK.
In the SSL/TLS/DTLS implementation in JDK, potentially weak curves would
be removed from the enabled curves list. The new default enabled curves
include, in preference order:
    // recommended
    secp256r1 (23)
    secp384r1 (24)
    secp521r1 (25)
    // NIST curves
    sect283k1 (9)
    sect283r1 (10)
    sect409k1 (11)
    sect409r1 (12)
    sect571k1 (13)
    sect571r1 (14)
    // Non-FIPS curves
    secp256k1 (22)
3. Add a new System Property to customize the enabled curves.
The compatibility impact should be limited. However, if applications
want to use curves other than the default ones, or want to use a different
preference order, a new System Property, "jdk.tls.namedGroups", is defined
to make the customization.
The value of the System Property defines a list of enabled named curves
in preference order, separated by commas. For example:
    jdk.tls.namedGroups="secp521r1, secp256r1, secp384r1"
If the System Property is not defined or the value is empty, the default
curves and preferences (see #2) will be used in JDK.
Note: the default enabled curves (#2) and customized curves (#3) cannot
be used to re-activate the disabled EC keys defined by the Java Security
Properties (#1).
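
An added example, not part of the original message or the webrev: a small audit that reads the two Security Properties named in #1 and reports which EC keys fall below the configured limit, so affected certificates can be found before they fail path validation or a TLS handshake. The class name EcKeyStrengthAudit is hypothetical, and the code assumes the restriction is written as "EC keySize < N" in the property value and that EC key size is measured as the bit length of the curve order.

```java
import java.io.*;
import java.security.*;
import java.security.cert.CertificateFactory;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.regex.*;

public class EcKeyStrengthAudit {
    // Assumption: the restriction appears as "EC keySize < N" in the property value.
    static final Pattern EC_LIMIT = Pattern.compile("\\bEC\\s+keySize\\s*<\\s*(\\d+)");

    // Smallest EC key size still permitted by the property, or 0 when no such entry exists.
    static int minEcBits(String property) {
        String value = Security.getProperty(property);
        Matcher m = EC_LIMIT.matcher(value == null ? "" : value);
        return m.find() ? Integer.parseInt(m.group(1)) : 0;
    }

    static void report(String label, PublicKey key, int certpathMin, int tlsMin) {
        if (!(key instanceof ECPublicKey)) { System.out.println(label + ": not an EC key"); return; }
        // Assumption: EC key size is taken as the bit length of the curve order.
        int bits = ((ECPublicKey) key).getParams().getOrder().bitLength();
        System.out.printf("%s: %d bits, certpath=%s, tls=%s%n", label, bits,
                bits < certpathMin ? "BELOW LIMIT" : "ok", bits < tlsMin ? "BELOW LIMIT" : "ok");
    }

    public static void main(String[] args) throws Exception {
        int certpathMin = minEcBits("jdk.certpath.disabledAlgorithms");
        int tlsMin = minEcBits("jdk.tls.disabledAlgorithms");
        System.out.println("minimum EC bits: certpath=" + certpathMin + ", tls=" + tlsMin);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : args) {            // certificate files to audit (PEM or DER)
            try (InputStream in = new FileInputStream(path)) {
                report(path, cf.generateCertificate(in).getPublicKey(), certpathMin, tlsMin);
            }
        }
        if (args.length > 0) return;
        // No files given: run on constructed sample keys, one per curve.
        for (String curve : new String[] {"secp192r1", "secp224r1", "secp256r1"}) {
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
                kpg.initialize(new ECGenParameterSpec(curve));
                report(curve, kpg.generateKeyPair().getPublic(), certpathMin, tlsMin);
            } catch (GeneralSecurityException | RuntimeException e) {
                // The EC provider of this JDK does not offer the curve.
                System.out.println(curve + ": cannot generate here (" + e.getMessage() + ")");
            }
        }
    }
}
```

A result of "ok" only means the key passes the size check; a certificate can still be rejected by other entries in the same properties.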