Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8219545

Update the default enabled cipher suites preference

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 13
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      Hide
      The impact should be minimal as only the default enabled cipher suites preference order is changed. Preference of DHE_RSA over RSA could increase group/size related interoperability problems. However it is expected that this is mitigated by the additional DHE parameters (FFDHE) in group announcement and also the fact that existing implementations have been confronted with bigger DHE keys for some time now. Besides many existing servers prefer ECDHE or would have picked DHE over RSA anyway.
      Show
      The impact should be minimal as only the default enabled cipher suites preference order is changed. Preference of DHE_RSA over RSA could increase group/size related interoperability problems. However it is expected that this is mitigated by the additional DHE parameters (FFDHE) in group announcement and also the fact that existing implementations have been confronted with bigger DHE keys for some time now. Besides many existing servers prefer ECDHE or would have picked DHE over RSA anyway.
    • Interface Kind:
      Other
    • Scope:
      JDK

      Description

      Summary

      Propose to update the default enabled cipher suites preference in the SunJSSE provider.

      Problem

      Forward secrecy is a feature of specific key agreement protocols that gives assurances your session keys will not be compromised even if the private key of the server is compromised. Forward secrecy protects past sessions against future compromises of secret keys or passwords.

      In the current SunJSSE provider, the forward secrecy feature was considered, but with a lower priority. For example, JDK prefers the better performance of key exchange and digital signature algorithm, in the order of

      ECDHE-ECDSA, ECDHE-RSA, RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS.

      While if forward secrecy is preferable first, the order should be

      ECDHE-ECDSA, ECDHE-RSA, DHE-RSA, DHE-DSS, ECDH-ECDSA, ECDH-RSA, RSA.

      Meanwhile, the RSA key exchange algorithms and SHA-1 based HMAC algorithms have been deprecated in TLS 1.3. Even for TLS 1.2 and prior versions, the priority of them should be decreased for safety as well.

      Solution

      By updating the preference order of the default enabled cipher suites, change to prefer forward secrecy in the SunJSSE provider.

      The following factors are considered:

      1. Increase the priority of forward secrecy cipher suites.
      2. Increase the priority of GCM mode cipher suites.
      3. Increase the priority of ECDHE cipher suites.
      4. Decrease the priority of cipher suites that use SHA-1 hash algorithm.
      5. Decrease the priority of RSA key exchange based cipher suites.

      Specification

      With this update, the order of cipher suites preference in the SunJSSE provider is changed as:

      • Forward secrecy cipher suites.
        • TLS 1.3 cipher suites.
          • TLS_AES_256_GCM_SHA384
          • TLS_AES_128_GCM_SHA256
          • TLS_CHACHA20_POLY1305_SHA256
        • Suite B compliant cipher suites
          • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        • Not Suite B, but we want it to position the suite early in the list of 1.2 suites.
          • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        • AES_256(GCM) - ECDHE - forward secrecy cipher suites.
          • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
        • AES_128(GCM) - ECDHE - orward secrecy cipher suites.
          • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        • AES_256(GCM) - DHE - forward secrecy cipher suites.
          • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
          • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
          • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
        • AES_128(GCM) - DHE - orward secrecy cipher suites.
          • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
          • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
        • AES_256(CBC) - ECDHE - forward secrecy cipher suites.
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
        • AES_128(CBC) - ECDHE - forward secrecy cipher suites.
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        • AES_256(CBC) - DHE - forward secrecy cipher suites.
          • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
          • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
        • AES_128(CBC) - DHE - forward secrecy cipher suites.
          • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
          • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
      • not forward secrecy cipher suites.
        • AES_256(GCM) - not forward secrecy cipher suites.
          • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
          • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
        • AES_128(GCM) - not forward secrecy cipher suites.
          • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
          • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        • AES_256(CBC) - not forward secrecy cipher suites.
          • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
          • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
        • AES_128(CBC) - not forward secrecy cipher suites.
          • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
          • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
      • Cipher suites that use SHA-1, used for compatibility
        • AES_256(CBC) - ECDHE - forward secrecy, using SHA-1
          • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
        • AES_128(CBC) - ECDHE - forward secrecy, using SHA-1
          • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
          • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
        • AES_256(CBC) - DHE - forward secrecy, using SHA-1
          • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
          • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
        • AES_128(CBC) - DHE - forward secrecy, using SHA-1
          • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
        • AES_256(CBC) - not forward secrecy, using SHA-1
          • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
          • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
        • AES_128(CBC) - not forward secrecy, using SHA-1
          • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
          • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
      • deprecated, used for compatibility only
        • RSA - not forward secrecy
          • TLS_RSA_WITH_AES_256_GCM_SHA384
          • TLS_RSA_WITH_AES_128_GCM_SHA256
          • TLS_RSA_WITH_AES_256_CBC_SHA256
          • TLS_RSA_WITH_AES_128_CBC_SHA256
          • TLS_RSA_WITH_AES_256_CBC_SHA
          • TLS_RSA_WITH_AES_128_CBC_SHA
        • 3DES - deprecated
          • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
          • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
          • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
          • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
          • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
          • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
          • SSL_RSA_WITH_3DES_EDE_CBC_SHA

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                xuelei Xue-Lei Fan
                Reporter:
                xuelei Xue-Lei Fan
                Reviewed By:
                Sean Mullan
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: