Code Review Request JDK-8148516: Improve the default strength of EC in JDK

Xuelei Fan xuelei.fan at oracle.com
Wed May 25 09:00:11 UTC 2016


Ping ...

On 5/19/2016 8:42 PM, Xuelei Fan wrote:
> Hi,
> 
> Please review this enhancement.  The feature complete date is coming up
> next week.  I would appreciate it very much if I could get your feedback
> before next Monday:
> 
>     http://cr.openjdk.java.net/~xuelei/8148516/webrev.00/
> 
> In this update, EC keys less than 224 bits are disabled and EC curves
> weaker than 256 bits are removed from the default enabled list in JDK.
> We plan to backport the update to JDK 8u/7u/6u, too.
> 
> Thanks,
> Xuelei
> 
> Updates:
> =======
> 1. Restrict EC keys less than 224 bits in certification path processing
> and SSL/TLS/DTLS connections.
> 
> In this update, we are proposing to restrict the use of EC keys less
> than 224 bits in length.  This restriction is applied via the Java
> Security properties, "jdk.certpath.disabledAlgorithms" and
> "jdk.tls.disabledAlgorithms".  This will impact providers that adhere to
> the Security Properties, for example, the Sun provider and the SunJSSE
> provider.
> 
> With this key size restriction, those who use X.509 certificates based
> on EC keys less than 224 bits will encounter compatibility issues with
> certification path building and validation.  This key size restriction
> also impacts JDK components that validate X.509 certificates, for
> example signed JAR verification, LDAP over SSL/TLS connections, HTTPS
> connections, etc.
> 
> In order to avoid the compatibility issue, users who use X.509
> certificates with EC keys less than 224 bits are recommended to renew
> their certificates with stronger keys.  As a workaround, at their own
> risk, users can adjust the key size restriction Security Properties
> ("jdk.certpath.disabledAlgorithms", and "jdk.tls.disabledAlgorithms" if
> using SSL/TLS/DTLS connections) to permit smaller key sizes.
> 
> 2. Remove curves weaker than 256 bits from the default enabled list in JDK.
> 
> In the SSL/TLS/DTLS implementation in JDK, potentially weak curves would
> be removed from the enabled curves list.  The new default enabled curves
> include, in preference order:
>    // recommended
>    secp256r1 (23)
>    secp384r1 (24)
>    secp521r1 (25)
> 
>    // NIST curves
>    sect283k1 (9)
>    sect283r1 (10)
>    sect409k1 (11)
>    sect409r1 (12)
>    sect571k1 (13)
>    sect571r1 (14)
> 
>    // Non-FIPS curves
>    secp256k1 (22)
> 
> 3. Add a new System Property to customize the enabled curves.
> 
> The compatibility impact should be limited.  However, if applications
> want to use curves other than the default ones, or want to use a
> different preference, a new System Property, "jdk.tls.namedGroups", is
> defined to make the customization.
> 
> The value of the System Property defines a list of enabled named curves
> in preference order, separated by commas.  For example:
> 
>    jdk.tls.namedGroups="secp521r1, secp256r1, secp384r1"
> 
> 
> If the System Property is not defined or the value is empty, the default
> curves and preferences (see #2) will be used in JDK.
> 
> Note: the default enabled curves (#2) and customized curves (#3) cannot
> be used to re-activate the disabled EC keys defined by the Java Security
> Properties (#1).
> 
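
A pre-upgrade check for the compatibility impact described in item 1, as an added example that is not part of the original message or of the JDK change: it prints the three properties the message names and flags key store certificates whose EC key is under 224 bits. The class name `WeakEcAudit`, measuring key size as the bit length of the curve order, and the default trust store path are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.Collections;

public class WeakEcAudit {
    static final int MIN_EC_BITS = 224; // threshold named in the proposal

    // EC key size as the bit length of the curve order; -1 for non-EC keys,
    // 0 for an EC key whose curve this JDK could not parse (review by hand).
    static int ecBits(Certificate cert) {
        PublicKey key = (cert == null) ? null : cert.getPublicKey();
        if (key instanceof ECPublicKey) {
            return ((ECPublicKey) key).getParams().getOrder().bitLength();
        }
        return (key != null && "EC".equals(key.getAlgorithm())) ? 0 : -1;
    }

    public static void main(String[] args) throws Exception {
        // What this JVM currently enforces and negotiates.
        String[] props = {"jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"};
        for (String p : props) System.out.println(p + " = " + Security.getProperty(p));
        System.out.println("jdk.tls.namedGroups = "
                + System.getProperty("jdk.tls.namedGroups", "(unset, JDK defaults)"));
        // Default input is the JDK trust store; pass <path> [password] to scan another.
        Path store = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, args.length > 1 ? args[1].toCharArray() : null);
        }
        int weak = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias); // null for trusted-cert entries
            if (chain == null) chain = new Certificate[] {ks.getCertificate(alias)};
            for (Certificate cert : chain) {
                int bits = ecBits(cert);
                if (bits < 0 || bits >= MIN_EC_BITS) continue;
                weak++;
                System.out.println("WEAK EC key (" + bits + " bits) under alias " + alias);
            }
        }
        System.out.println(weak + " certificate(s) with EC keys below " + MIN_EC_BITS + " bits");
    }
}
```

Run it against each key store and trust store an application loads; any flagged certificate is one to renew with a stronger key, as the message recommends.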



