Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8256335

Restrict TLS signature schemes and named groups

    XMLWordPrintable

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 13-pool
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Interface Kind:
      System or security property
    • Scope:
      JDK

      Description

      Summary

      Support signature schemes and named groups restriction in the TLS implementation. No changes from JDK 14, CSR JDK-8227445

      Problem

      Signature schemes and named groups are essential security parameters of TLS connections. Some of them are weak, and some of them are too new to be supported in some circumstances. Applications may want to restrict them.

      Note that the JCE signature algorithms can currently be restricted, but it is at a lower layer and are not always sufficient to restrict specific TLS signature schemes which use a different namespace.

      In the future, the implementation may be requested to backport to previous JDK releases, for example JDK 11 or JDK 8.

      Solution

      Support signature schemes and named groups restriction in the TLS implementation with algorithm constraints. Algorithm constraints can be configured with the SSLParameters.setAlgorithmConstraints(AlgorithmConstraints) method or the security property "jdk.tls.disabledAlgorithms".

      In the TLS specification, signature schemes are used to customize signature algorithms of TLS connections as defined in https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme. With this update, signature schemes can be restricted in the TLS implementation in the JDK. The following is a list of JDK supported signature schemes:

      • EdDSA algorithms
        • ed25519
        • ed448
      • ECDSA algorithms
        • ecdsa_secp256r1_sha256
        • ecdsa_secp384r1_sha384
        • ecdsa_secp521r1_sha512
      • RSASSA-PSS algorithms with public key OID rsaEncryption
        • rsa_pss_rsae_sha256
        • rsa_pss_rsae_sha384
        • rsa_pss_rsae_sha512
      • RSASSA-PSS algorithms with public key OID RSASSA-PSS
        • rsa_pss_pss_sha256
        • rsa_pss_pss_sha384
        • rsa_pss_pss_sha512
      • RSASSA-PKCS1-v1_5 algorithms
        • rsa_pkcs1_sha256
        • rsa_pkcs1_sha384
        • rsa_pkcs1_sha512

      For TLS 1.2 and previous versions, signature schemes are defined as a pair of signature algorithms ( https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16) and hash algorithms ( https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18). In the JDK implementation, the signature schemes are named as "signatureAlgorithm-hashAlgorithm". For example, "ecdsa_sha224" means the signature algorithm is ECDSA and the hash algorithm is SHA224. TLS 1.3 protocol does not use this naming convention any more. With this update, signature schemes can be restricted in the TLS implementation in the JDK. The following is a list of JDK supported signature schemes, which are being deprecated per TLS 1.3 protocol:

      • Legacy signature schemes for TLS 1.2 and previous versions
        • dsa_sha256
        • ecdsa_sha224
        • rsa_sha224
        • dsa_sha224
        • ecdsa_sha1
        • rsa_pkcs1_sha1
        • dsa_sha1
        • rsa_md5

      In the TLS specification, named groups are used to customize key exchange algorithms of TLS connections as defined in https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8. With this update, named groups can be restricted in the TLS implementation in the JDK. The following is a list of JDK supported named groups:

      • NIST defined Elliptic curves (RFC 4492)
        • sect163k1
        • sect163r1
        • sect163r2
        • sect193r1
        • sect193r2
        • sect233k1
        • sect233r1
        • sect239k1
        • sect283k1
        • sect283r1
        • sect409k1
        • sect409r1
        • sect571k1
        • sect571r1
        • secp160k1
        • secp160r1
        • secp160r2
        • secp192k1
        • secp192r1
        • secp224k1
        • secp224r1
        • secp256k1
        • secp256r1
        • secp384r1
        • secp521r1
      • x25519 and x448 (RFC 8422/8446)
        • x25519
        • x448
      • Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
        • ffdhe2048
        • ffdhe3072
        • ffdhe4096
        • ffdhe6144
        • ffdhe8192

      Note that the signature schemes and group names are not standardized yet. A subsequent CSR will be filed for the standardization (See JDK-8210755).

      Specification

      Update the Security Property "jdk.tls.disabledAlgorithms" specification by adding signature schemes and named groups restrictions.

        #
        # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
        # (SSL/TLS/DTLS) processing
        #
        # In some environments, certain algorithms or key lengths may be undesirable
        # when using SSL/TLS/DTLS.  This section describes the mechanism for disabling
        # algorithms during SSL/TLS/DTLS security parameters negotiation, including
      - # protocol version negotiation, cipher suites selection, peer authentication
      - # and key exchange mechanisms.
      + # protocol version negotiation, cipher suites selection, named groups
      + # selection, signature schemes selection, peer authentication and key
      + # exchange mechanisms.
        #
        # Disabled algorithms will not be negotiated for SSL/TLS connections, even
        # if they are enabled explicitly in an application.
        #
        # For PKI-based peer authentication and key exchange mechanisms, this list
        # of disabled algorithms will also be checked during certification path
        # building and validation, including algorithms used in certificates, as
        # well as revocation information such as CRLs and signed OCSP Responses.
        # This is in addition to the jdk.certpath.disabledAlgorithms property above.
        #
        # See the specification of "jdk.certpath.disabledAlgorithms" for the
        # syntax of the disabled algorithm string.
        #
        # Note: The algorithm restrictions do not apply to trust anchors or
        # self-signed certificates.
        #
        # Note: This property is currently used by the JDK Reference implementation.
        # It is not guaranteed to be examined and used by other implementations.
        #
        # Example:
      - #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
      + #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
      + #       rsa_pkcs1_sha256, secp224r1
        jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
           EC keySize < 224, 3DES_EDE_CBC, anon, NULL

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              abakhtin Alexey Bakhtin
              Reporter:
              webbuggrp Webbug Group
              Reviewed By:
              Joe Darcy
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: