Harness SSL and JSSE: Key Size Control

Aged Bridge, Yulong River, Yangshuo, China
Aged Bridge, Yulong River, Yangshuo, China

Why Key Size Concerns


The key size is an important security parameter to determine the strength of cryptography algorithms. For example, RSA keys with fewer than 1024 bits are considered forgeable.  If RSA keys less than 1024 bits are used in X.509 certificates, the private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

On August 14, 2012, Microsoft offered an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length.  As of October 9, 2012, the update is delivered via automatic update through the Microsoft update service.  Microsoft recommends that customers apply the update at the earliest opportunity.

Since JDK 7u12,  RSA keys less than 1024 bits in X.509 certificates are disabled.  This is in line with the NIST recommendations to move to a minimum of 2048-bit keys by January 1, 2014.  With this key size restriction, those who use X.509 certificates based on RSA keys less than 1024 bits will encounter compatibility issues with certification path building and validation.  This key size restriction also impacts components that based on X.509 certificates, for example signed JAR verification, SSL/TLS transportation, HTTPS connections, etc.

According to the SSL surveys on November 03, 2013, none out of around 200,000 SSL-enabled web sites based on Alexa's list of most popular sites are using keys below 1024 bits.  And according to another research targeted more wild scope, 0.96% (123,038) of 12,828,613 public live SSL hosts and 0.08%  (8,459)of  10,216,363 live SSH hosts in the world are using a key size of 512 bits.  In order to avoid any compatibility issue, applications are strongly recommended to renew their certificates with stronger keys. Or on your own risks, adjust the key size restriction property (jdk.certpath.disabledAlgorithms) to permit the smaller key sizes in case of any compatibility issue.

The impact on JSSE


Since JDK 7u12,  RSA keys less than 1024 bits in X.509 certificates are disabled.   This improvement directly impacts the behaviors of SunJSSE (Oracle JSSE provider) if certificate based authentication is used and the certification path contains RSA keys less than 1024 bits.

This restriction is limited via security property, "jdk.certpath.disabledAlgorithms" (See more "Java™ SE 7 Release Security Enhancements - Weak Cryptography Control" about this property). 
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

This security property was introduced since JDK 7.  There is no such handy approach in JDK 6 and 5.0 as the author wrote this blog.

Workarounds


If RSA keys less than 1024 bits in X.509 certificates have to be used in a certain circumstance, it is likely to run into compatibility because of this key size restriction.  Please adjust the key size restriction property (jdk.certpath.disabledAlgorithms) to permit small key sizes.  For example:
-    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512

Note that it is really risky.  One must understand and control the potential risks in the application runtime environment before enforcing this workaround.

Best Practices

  1. Put more weak key size restrictions.  Of course, please consider the potential compatibility issues.  For example, EC keys less than 160 bits and DSA keys less than 1024 bits may be also considered too weak to be acceptable.
       jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \
                EC keySize < 160, DSA keySize < 1024
  2. Upgrade your X.509 certificate to use strong keys. At present, the preferable security strength is 128-bits (128 bits AES/3072 bits RSA/256 bits ECC/3072 bits DSA keys). 2048 bits RSA/DSA keys is also acceptable according to NIST recommendations (See also a summary of the time frame, NIST Security Strength Time Frames).
  3. Moving forward to use EC keys, which is more performance friendly. 
  4. Encourage to enforce more flexible algorithm (and key size) constraints in JSSE with javax.net.ssl.SSLParameters.setAlgorithmConstraints(AlgorithmConstraints).

Looking forward …

  1. Enforce and improve algorithm and key constraints in more components other than PKI and JSSE.

  2. In a long run, enforce more strict, wide and fine key size restriction by default, for example RSA and DSA keys must be great than 1024 bits when apply to data, and EC keys cannot be less than 224 bits.

Popular posts from this blog

TLS Server Name Indication Extension and Unrecognized_name

Image
Heavy Pond, Jianfengling National Forest Park, Ledong, Hainan, China It's getting hot that some TLS/HTTPS server failed with "unrecognized_name". For example, the Adobe AIR 3 Code Signing Certificate Problem , the ADT handshake alert , and the jarsigner issue with timestamp.geotrust.com , etc. This entry will discussion some background of the "unrecognized_name" alert, and the TLS Server Name Indication (SNI) extension. Background "Unrecognized_name" is an error alert, define by RFC4366 .  In section 4 of RFC4366 : - "unrecognized_name": this alert is sent by servers that receive a server_name extension request, but do not recognize the server name. This message MAY be fatal. And in section 3.1 of of RFC4366 : If the server understood the client hello extension but does not recognize the server name, it SHOULD send an "unrecognized_name" alert (which MAY be fatal). From above sections, we see that "unrecognized
Read more

JSSE Oracle Provider Preference of TLS Cipher Suites

Perference Order Value Description 1 0xC0,0x24 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 2 0xC0,0x28 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 3 0x00,0x3D TLS_RSA_WITH_AES_256_CBC_SHA256 4 0xC0,0x26 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 5 0xC0,0x2A TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 6 0x00,0x6B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 7 0x00,0x6A TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 8 0xC0,0x0A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 9 0xC0,0x14 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 10 0x00,0x35 TLS_RSA_WITH_AES_256_CBC_SHA 11 0xC0,0x05 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 12 0xC0,0x0F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 13 0x00,0x39 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 14 0x00,0x38 TLS_DHE_DSS_WITH_AES_256_CBC_SHA 15 0xC0,0x23 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 16 0xC0,0x27 TLS_ECDHE_RSA_WITH_AES_1
Read more

JSSE Oracle Provider Default Disabled TLS Cipher Suites

The following TLS cipher suites are supported by Oracle provider, SunJSSE. These cipher suites are disabled by default because of one of the following reasons: obsoleted weak cipher suites anonymous cipher suites no encryption cipher suites (null cipher) Kerberos cipher suites Cipher suites for Kerberos (KRB5) need additional KRB5 service configuration, and these cipher suites are not common in practice. You are NOT supposed to use these cipher suites unless you really know what you're doing from a standpoint. Perference Value Description 1 0x00,0x6D TLS_DH_anon_WITH_AES_256_CBC_SHA256 2 0xC0,0x19 TLS_ECDH_anon_WITH_AES_256_CBC_SHA 3 0x00,0x3A TLS_DH_anon_WITH_AES_256_CBC_SHA 4 0x00,0x6C TLS_DH_anon_WITH_AES_128_CBC_SHA256 5 0xC0,0x18 TLS_ECDH_anon_WITH_AES_128_CBC_SHA 6 0x00,0x34 TLS_DH_anon_WITH_AES_128_CBC_SHA 7 0xC0,0x16 TLS_ECDH_anon_WITH_RC4_128_SHA 8 0x00,0
Read more