Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8228481

Upgrade the default PKCS12 encryption/MAC algorithms

    XMLWordPrintable

    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      medium
    • Compatibility Risk Description:
      Hide
      These are 2 kinds of compatibility impacts:

      1. Newly generated pkcs12 files will not be recognized by older versions of JDK. JDK 8u has a problem recognizing PBES2 parameters (JDK-8202837, JDK-8214513), and JDK 11u does not recognize HmacPBESHA256 (JDK-8076190).

      Even if the new keystore using stronger algorithm is recognized by an older version of JDK, when such a keystore is loaded and then stored by an old version of keytool, it will use weaker algorithms in certificate protection and integrity protection (MacData).

      2. Newly generated pkcs12 files might not be recognized by browsers and key/certificate managers on various systems. Only openssl and Windows Server 2019 supports these algorithms. They are not recognized by Windows Server 2016, macOS 10.15, and the latest Firefox. On the other hand, openssl 3.0.0 (the next release) will only accept PBES2 pkcs12 files and reject the original algorithms (unless -legacy is added on the command line).

      Since this is a crypto roadmap enhancement, we are going to backport this fix and JDK-8076190 to make sure #1 above do not happen after every release is updated to the latest baseline.

      As for #2, a keytool command can be used to downgrade a pkcs12 file to use weaker algorithms. ("keytool -J-Dkeystore.pkcs12.legacy -importkeystore").

      However, while other tools use pkcs12 as an exchange format, Java uses it as the primary keystore format. It makes sense to be more strict for Java when choosing default protection algorithms.

      One alternative is to only enhance the algorithm for key protection and leave the other 2 algorithms unchanged. This style will be recognized by Firefox but not macOS. However, openssl 3.0.0 will not accept it unless -legacy is provided.
      Show
      These are 2 kinds of compatibility impacts: 1. Newly generated pkcs12 files will not be recognized by older versions of JDK. JDK 8u has a problem recognizing PBES2 parameters ( JDK-8202837 , JDK-8214513 ), and JDK 11u does not recognize HmacPBESHA256 ( JDK-8076190 ). Even if the new keystore using stronger algorithm is recognized by an older version of JDK, when such a keystore is loaded and then stored by an old version of keytool, it will use weaker algorithms in certificate protection and integrity protection (MacData). 2. Newly generated pkcs12 files might not be recognized by browsers and key/certificate managers on various systems. Only openssl and Windows Server 2019 supports these algorithms. They are not recognized by Windows Server 2016, macOS 10.15, and the latest Firefox. On the other hand, openssl 3.0.0 (the next release) will only accept PBES2 pkcs12 files and reject the original algorithms (unless -legacy is added on the command line). Since this is a crypto roadmap enhancement, we are going to backport this fix and JDK-8076190 to make sure #1 above do not happen after every release is updated to the latest baseline. As for #2, a keytool command can be used to downgrade a pkcs12 file to use weaker algorithms. ("keytool -J-Dkeystore.pkcs12.legacy -importkeystore"). However, while other tools use pkcs12 as an exchange format, Java uses it as the primary keystore format. It makes sense to be more strict for Java when choosing default protection algorithms. One alternative is to only enhance the algorithm for key protection and leave the other 2 algorithms unchanged. This style will be recognized by Firefox but not macOS. However, openssl 3.0.0 will not accept it unless -legacy is provided.
    • Interface Kind:
      System or security property, File or wire format
    • Scope:
      JDK

      Description

      Summary

      Upgrade the default algorithms used in PKCS 12 to use new PBES2 based encryption and stronger algorithms like AES and SHA-2.

      Problem

      PKCS12 is the default keystore format since JDK 9, but we have been using weak algorithms which was the standard of 1990s. The algorithms are becoming a security issue now especially for the key protection algorithms which is used to protect private keys.

      Many OSes and browsers have since adopted stronger algorithms but the level of support is not consistent among them. The strong key algorithm is now supported by all major OSes and browsers, but algorithms for certificate protection and integrity protection are not.

      The latest Windows Server 2019 (and Windows 10) now provides two options when exporting private keys into a pkcs12 file: "legacy" and "stronger".

      The latest OpenSSL 3.0.0 will only accept new algorithms based on PBES2 unless the -legacy option is specified.

      Solution

      Upgrade the algorithms used in certificate encryption, key encryption, and integrity protection to the values as described in the specification below. These algorithms are the same as the stronger algorithms used in Windows Server 2019 and openssl 3.0.0. Please note we've lowered the iteration counts to 10000. This is the recommended iteration count as described in NIST Special Publication 800-63B “5.1.1.2 Memorized Secret Verifiers”. The default iteration counts are 2000 for Windows Server 2019 and 2048 for openssl 3.0.0.

      We will also define a new system property named "keystore.pkcs12.legacy". When set, will override the settings above to use the older algorithms and iteration counts.

      Specification

      First, make the following change in java.security.

      diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
      index b84a9d3e0cc..ddc4b87d6ee 100644
      --- a/src/java.base/share/conf/security/java.security
      +++ b/src/java.base/share/conf/security/java.security
      @@ -1144,33 +1144,33 @@ jceks.key.serialFilter = java.base/java.lang.Enum;java.base/java.security.KeyRep
       # The algorithm used to encrypt a certificate. This can be any non-Hmac PBE
       # algorithm defined in the Cipher section of the Java Security Standard
       # Algorithm Names Specification. When set to "NONE", the certificate
      -# is not encrypted. The default value is "PBEWithSHA1AndRC2_40".
      -#keystore.pkcs12.certProtectionAlgorithm = PBEWithSHA1AndRC2_40
      +# is not encrypted. The default value is "PBEWithHmacSHA256AndAES_256".
      +#keystore.pkcs12.certProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
      
       # The iteration count used by the PBE algorithm when encrypting a certificate.
      -# This value must be a positive integer. The default value is 50000.
      -#keystore.pkcs12.certPbeIterationCount = 50000
      +# This value must be a positive integer. The default value is 10000.
      +#keystore.pkcs12.certPbeIterationCount = 10000
      
       # The algorithm used to encrypt a private key or secret key. This can be
       # any non-Hmac PBE algorithm defined in the Cipher section of the Java
       # Security Standard Algorithm Names Specification. The value must not be "NONE".
      -# The default value is "PBEWithSHA1AndDESede".
      -#keystore.pkcs12.keyProtectionAlgorithm = PBEWithSHA1AndDESede
      +# The default value is "PBEWithHmacSHA256AndAES_256".
      +#keystore.pkcs12.keyProtectionAlgorithm = PBEWithHmacSHA256AndAES_256
      
       # The iteration count used by the PBE algorithm when encrypting a private key
       # or a secret key. This value must be a positive integer. The default value
      -# is 50000.
      -#keystore.pkcs12.keyPbeIterationCount = 50000
      +# is 10000.
      +#keystore.pkcs12.keyPbeIterationCount = 10000
      
       # The algorithm used to calculate the optional MacData at the end of a PKCS12
       # file. This can be any HmacPBE algorithm defined in the Mac section of the
       # Java Security Standard Algorithm Names Specification. When set to "NONE",
      -# no Mac is generated. The default value is "HmacPBESHA1".
      -#keystore.pkcs12.macAlgorithm = HmacPBESHA1
      +# no Mac is generated. The default value is "HmacPBESHA256".
      +#keystore.pkcs12.macAlgorithm = HmacPBESHA256
      
       # The iteration count used by the MacData algorithm. This value must be a
      -# positive integer. The default value is 100000.
      -#keystore.pkcs12.macIterationCount = 100000
      +# positive integer. The default value is 10000.
      +#keystore.pkcs12.macIterationCount = 10000
      
       #
       # Enhanced exception message information

      Second, define a new system property named keystore.pkcs12.legacy that will automatically override the system/security properties above to use the older algorithms and iteration counts. This system property is equivalent to

      -Dkeystore.pkcs12.certProtectionAlgorithm=PBEWithSHA1AndRC2_40
      -Dkeystore.pkcs12.keyProtectionAlgorithm=PBEWithSHA1AndDESede
      -Dkeystore.pkcs12.macAlgorithm=HmacPBESHA1
      -Dkeystore.pkcs12.certPbeIterationCount=50000
      -Dkeystore.pkcs12.keyPbeIterationCount=50000
      -Dkeystore.pkcs12.macIterationCount=100000

      There is no value defined for this property. When this system property is set, all other system/security properties defined in this CSR are ignored.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              vinnie Vincent Ryan
              Reviewed By:
              Haimay Chao, Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: