JEP 115: AEAD CipherSuites
Author | Xuelei Fan |
Owner | Bradford Wetmore |
Type | Feature |
Scope | JDK |
Status | Closed / Delivered |
Release | 8 |
Component | security-libs |
Discussion | security dash dev at openjdk dot java dot net |
Effort | M |
Duration | M |
Endorsed by | Brian Goetz |
Created | 2011/07/25 20:00 |
Updated | 2017/08/11 19:22 |
Issue | 8046105 |
Summary
Support the AEAD/GCM cipher suites defined by NIST SP 800-38D, RFC 5116, RFC 5246, RFC 5288, RFC 5289 and RFC 5430.
Goals
- Implement the AEAD/GCM crypto algorithm in the JCA/JCE providers.
- Update JCA/JCE to support AEAD operations.
- Implement AEAD/GCM based cipher suites in JSSE.
Motivation
As part of the U.S. National Security Agency's Suite B effort (modernization of the national crypto infrastructure), the JDK needs to support the Galois Counter Mode (GCM) cipher mode for ciphers like AES. GCM is also being used in some new TLS cipher suites. GCM mode will be required for sales into the U.S. Government, and to other customers that need modern crypto technologies.
For Suite B TLS compliance, GCM cipher suites are REQUIRED to be used whenever both the client and the server support the necessary cipher suites. In order to be Suite-B compliant, GCM ciphers need to be supported in the default JSSE provider.
Description
Java SE already defined the AEAD/GCM interfaces in JDK 7. In JDK 8 the JCA/JCE providers will implement these AEAD/GCM interfaces. For the PKCS#11 standard, GCM support is defined in the PKCS#11 v2.30 specification, which is still a draft. Thus, the SunPKCS11 provider will not be enhanced to support GCM in JDK 8.
This feature will support the following cipher suites in the default JSSE implementation:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5430, RFC 5289)
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5430, RFC 5289)
- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
- TLS_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DH_anon_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DH_anon_WITH_AES_256_GCM_SHA384 (RFC 5288)
Note that in order to support the GCM AEAD cipher suites in JSSE, a GCM cipher implementation must be available from at least one of the JCA/JCE providers. Thus, as part of this JEP, the SunJCE provider will be enhanced accordingly to provide the GCM support required by the JSSE AEAD cipher suites.
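The two halves of the description fit together as follows. This is an added example, not code from the JEP or the JDK: it drives the JDK 7 AEAD interfaces (GCMParameterSpec, updateAAD) against the SunJCE AES/GCM implementation this JEP delivers, shows the tag check rejecting a tampered AAD, and then lists which of the GCM suites above the runtime's default JSSE provider reports. The key, IV, AAD and message are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.net.ssl.SSLContext;

public class GcmAeadDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample key, IV, AAD and message (not from the JEP).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];  // 96-bit IV, the length SP 800-38D recommends
        new SecureRandom().nextBytes(iv);
        byte[] aad = "record-header".getBytes(StandardCharsets.UTF_8);
        byte[] plaintext = "hello GCM".getBytes(StandardCharsets.UTF_8);

        // Encrypt with AES/GCM/NoPadding; doFinal returns ciphertext followed by the 128-bit tag.
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        enc.updateAAD(aad);  // covered by the tag but not encrypted
        byte[] ciphertext = enc.doFinal(plaintext);

        // Decrypt with the same key, IV and AAD: the tag verifies and the plaintext comes back.
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        dec.updateAAD(aad);
        System.out.println("round trip ok: " + Arrays.equals(dec.doFinal(ciphertext), plaintext));

        // Flip one AAD bit: the tag check must fail and no plaintext may be released.
        byte[] badAad = aad.clone();
        badAad[0] ^= 1;
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        dec.updateAAD(badAad);
        try {
            dec.doFinal(ciphertext);
            System.out.println("unexpected: tampered AAD accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tag check failed as expected: " + e.getMessage());
        }
        // GCM suites from the list above that this runtime's default JSSE provider reports.
        for (String suite : SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()) {
            if (suite.contains("_GCM_")) System.out.println(suite);
        }
    }
}
```

Re-initializing the decrypting Cipher with the same key and IV is permitted; the JDK rejects that only for encryption, since IV reuse under one GCM key breaks its security.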
Testing
- Need to verify that the new interfaces behave as expected.
- Need to verify that the implementation doesn't break backward compatibility in unexpected ways.
- Need to verify that the implementation doesn't bring new interoperability issues in unexpected ways.
Impact
- JCP: no impact on JCP
- Other JDK components: no impact on other JDK components
- Compatibility: minimal
- Security: no impact on security
- Portability: limited impact on portability
- User Interface: no graphic user interface
- Documentation: need to document the new feature
- Internationalization: minimal impact, likely to add new error messages
- Localization: minimal impact, likely to add new error messages
- Legal: no legal issue
- Other: no known other impact