Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8277540

ChaCha20 and Poly1305 TLS Cipher Suites

    XMLWordPrintable

    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Interface Kind:
      Other
    • Scope:
      JDK

      Description

      Summary

      Add ChaCha20-Poly1305 cipher suites to JSSE. This will include cipher suites specific to TLS 1.2 and TLS 1.3. The CSR is the same as the JDK12 CSR (JDK-8204192), except for the following changes:

      • The Java Security Standard Algorithm Names specification is not being updated with the new cipher suites. This is acceptable, as implementations are allowed to support algorithms not defined in the Standard Names specification.

      • The JDK Providers document (and not the JSSE Reference Guide) is updated with the new cipher suite names. Note that this guide is not a specification.

      Problem

      Prior to the introduction of ChaCha20-Poly1305 suites, there were no stream-cipher based suites for TLS that were considered secure given modern computing capabilities. The ChaCha20-Poly1305 cipher suites use efficient, secure stream ciphers and have the added benefit of running in AEAD mode, which makes them suitable not only for TLS 1.2, but meets the security requirements for TLS 1.3 as well.

      Solution

      For TLS 1.2 three new cipher suites will be added to JSSE as defined in RFC 7905. They are:

      • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

      For TLS 1.3 one additional cipher suite will be added, as called out in RFC 8446:

      • TLS_CHACHA20_POLY1305_SHA256

      All four cipher suites will be part of the default-enabled collection of cipher suites. That said, these two collections of cipher suites are exclusive to specific protocol versions (i.e. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cannot be used with TLS 1.3, and TLS_CHACHA20_POLY1305_SHA256 may not be used for TLS 1.2). It is permissible to have all four cipher suites asserted in an initial ClientHello TLS handshake message, as the protocol version may not have been determined yet. In cases where the client protocol version is limited exclusively to TLS 1.2 or TLS 1.3, only those suites allowed by those protocol version will be asserted in the ClientHello.

      Specification

      There are no new public classes or methods as part of this feature. The new cipher suite names for TLS 1.2 and TLS 1.3 will be added to the "SunJSSE Cipher Suites" section of the "The SunJSSE Provider" section of the "JDK Providers Documentation". The names themselves are identical to the cipher suite names listed in the Solution section.

      The SunJSSE Provider guide:

      TLS_AES_128_GCM_SHA256
      TLS_AES_256_GCM_SHA384
      +TLS_CHACHA20_POLY1305_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      +TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      +TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      +TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              pkoppula Prasadarao Koppula
              Reporter:
              xuelei Xuelei Fan
              Reviewed By:
              Sean Mullan
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: