JEP 115: AEAD CipherSuites

Author	Xuelei Fan
Owner	Bradford Wetmore
Type	Feature
Scope	JDK
Status	Closed / Delivered
Release	8
Component	security-libs
Discussion	security dash dev at openjdk dot java dot net
Effort	M
Duration	M
Endorsed by	Brian Goetz
Created	2011/07/25 20:00
Updated	2017/08/11 19:22
Issue	8046105

Summary

Support the AEAD/GCM cipher suites defined by SP-800-380D, RFC 5116, RFC 5246, RFC 5288, RFC 5289 and RFC 5430.

Goals

Implement the AEAD/GCM crypto algorithm in the JCA/JCE providers.
Update JCA/JCE, to support AEAD operations.
Implement AEAD/GCM based cipher suites in JSSE.

Motivation

As part of the U.S. National Security Agency's Suite B effort (modernization of the national crypto infrastructure), the JDK needs to support the Galois Counter Mode (GCM) cipher mode for ciphers like AES. GCM is also being used in some new TLS cipher suites. GCM mode will be required for sales into the U.S. Government, and to other customers that need modern crypto technologies.

For Suite B TLS compliance, GCM cipher suites are REQUIRED to be used whenever both the client and the server support the necessary cipher suites. In order to be Suite-B compliant, GCM ciphers need to be supported in the default JSSE provider.

Description

Java SE has already defined the AEAD/GCM interfaces in JDK 7. In JDK 8 the JCA/JCE providers will implement these AEAD/GCM interfaces. For PKCS#11 standard, GCM support is defined in PKCS#11 V2.30 specification which is still a draft. Thus, SunPKCS11 provider will not be enhanced to support GCM in JDK 8.

This feature will support the following cipher suites in the default JSSE implementation:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5430, RFC 5289)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5430, RFC 5289)
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
TLS_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
TLS_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (RFC 5288)
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (RFC 5288)
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (RFC 5288)
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (RFC 5288)
TLS_DH_anon_WITH_AES_128_GCM_SHA256 (RFC 5288)
TLS_DH_anon_WITH_AES_256_GCM_SHA384 (RFC 5288)

Note that in order to support the GCM AEAD cipher suites in JSSE, the GCM cipher implementation must be available from at least one of the JCA/JCE providers. Thus, as part of this JEP, SunJCE provider will be enhanced accordingly to provider the required GCM support for JSSE AEAD cipher suites.

Testing

Need to verify that the new interfaces behave as expected.
Need to verify that the implementation doesn't break backward compatibility in unexpected ways.
Need to verify that the implementation doesn't bring new interoperability issues in unexpected ways.

Impact

JCP: no impact on JCP
Other JDK components: no impact on other JDK components
Compatibility: minimal
Security: no impact on security
Portability: limit impact on portability
User Interface: no graphic user interface
Documentation: need to doc the new feature
Internationalization: minimal impact, likely to add new error messages
Localization: minimal impact, likely to add new error messages
Legal: no legal issue
Other: no known other impact