JEP 115: AEAD CipherSuites
| Author | Xuelei Fan |
| Organization | Oracle |
| Owner | Bradford Wetmore |
| Created | 2011/7/25 |
| Updated | 2013/2/21 |
| Type | Feature |
| State | Funded |
| Component | core/sec |
| Scope | JDK |
| RFE | 7030966 (6996769) |
| Discussion | security dash dev at openjdk dot java dot net |
| Start | 2011/Q4 |
| Effort | M |
| Duration | M |
| Endorsed-by | Brian Goetz |
| Funded-by | Oracle |
| Release | 8 |
| Target | M7 |
Summary
Support the AEAD/GCM cipher suites defined by NIST SP 800-38D, RFC 5116, RFC 5246, RFC 5288, RFC 5289 and RFC 5430.
Goals
- Implement the AEAD/GCM crypto algorithm in the JCA/JCE/PKCS11 providers.
- Update JCA/JCE, especially PKCS11, to support AEAD operations.
- Implement AEAD/GCM based cipher suites in JSSE.
Motivation
As part of the U.S. National Security Agency’s Suite B effort (modernization of the national crypto infrastructure), the JDK needs to support the Galois Counter Mode (GCM) cipher mode for ciphers like AES. GCM is also being used in some new TLS cipher suites. GCM mode will be required for sales into the U.S. Government, and to other customers that need modern crypto technologies.
For Suite B TLS compliance, GCM cipher suites are REQUIRED to be used whenever both the client and the server support the necessary cipher suites. In order to be Suite-B compliant, GCM ciphers need to be supported in the default JSSE provider.
Description
Java SE has already defined the AEAD/GCM interfaces in JDK 7. In JDK 8 the JCA/JCE providers will implement these AEAD/GCM interfaces. We’re also likely to add some additional mechanisms for PKCS11, if the current PKCS11 standard supports it.
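As an added illustration, not part of the JEP text, the JDK 7 AEAD interfaces referred to above (GCMParameterSpec and Cipher.updateAAD) driving an AES/GCM encrypt and decrypt; the class name and sample data are constructed here, and it assumes a provider that implements "AES/GCM/NoPadding", which is what this JEP delivers in JDK 8.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class GcmAeadDemo {
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    private static final int IV_BYTES = 12;   // 96-bit IV, the length SP 800-38D recommends

    // Encrypt with AES/GCM, binding aad into the tag; returns iv || ciphertext || tag
    // (in GCM mode Cipher.doFinal appends the tag to the ciphertext).
    static byte[] encrypt(SecretKey key, byte[] aad, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);     // an IV must never repeat under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);                     // authenticated, but not encrypted
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Decrypt; throws AEADBadTagException if ciphertext, tag or AAD was altered.
    static byte[] decrypt(SecretKey key, byte[] aad, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(TAG_BITS, Arrays.copyOf(blob, IV_BYTES)));
        c.updateAAD(aad);
        // the tag is verified before any plaintext is returned
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] aad = "record-header".getBytes(StandardCharsets.UTF_8);  // constructed sample AAD
        byte[] blob = encrypt(key, aad, "hello, GCM".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(key, aad, blob), StandardCharsets.UTF_8));

        blob[IV_BYTES] ^= 0x01;   // flip one ciphertext bit: decryption must fail, not return garbage
        try {
            decrypt(key, aad, blob);
            System.out.println("BUG: tampering not detected");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e.getMessage());
        }
    }
}
```

The same AEADBadTagException path is what a JSSE GCM cipher suite relies on to reject a modified TLS record, so a provider that lacks it cannot be used for these suites.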
This feature will support the following cipher suites in the default JSSE implementation:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5430, RFC 5289)
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5430, RFC 5289)
- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
- TLS_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (RFC 5288)
- TLS_DH_anon_WITH_AES_128_GCM_SHA256 (RFC 5288)
- TLS_DH_anon_WITH_AES_256_GCM_SHA384 (RFC 5288)
Note that in order to support the GCM AEAD cipher suite in JSSE, the GCM cipher implementation is required in the JCA/JCE PKCS11 provider.
Testing
- Need to verify that the new interfaces behave as expected.
- Need to verify that the implementation doesn’t break backward compatibility in unexpected ways.
- Need to verify that the implementation doesn’t bring new interoperability issues in unexpected ways.
Impact
- JCP: no impact on JCP
- Other JDK components: no impact on other JDK components
- Compatibility: minimal
- Security: no impact on security
- Portability: limited impact on portability
- User Interface: no graphic user interface
- Documentation: need to document the new feature
- Internationalization: minimal impact, likely to add new error messages
- Localization: minimal impact, likely to add new error messages
- Legal: no legal issue
- Other: no known other impact