disabledAlgorithms "DHE keySize < 1024" support?

Bernd Eckenfels ecki at zusammenkunft.net
Sat May 23 15:18:07 UTC 2015


Am Sat, 23 May 2015 22:16:16 +0800
schrieb Xuelei Fan <xuelei.fan at oracle.com>:

> I did not get your ideas in the previous mail.
> "jdk.tls.disabledAlgorithms" is expected to work to disable weak DH
> keys (for example, ""DHE keySize < 768").  Can you describe your
> concern more?

This is exactly what I want to do. In order for a client to protect
against a Logjam attack it has to reject DHE groups with a prime
smaller than a safe size. This is at least 768 bit but more security
sensitive installation might want to restrict >1024 or even >2048 bit as
well.

Unfortiunatelly Java Clients accept 512bit (even when they do not offer
export grade ciphers). So a minimum fix would be to only accept 512bit
if it was offering export crypto. However making the minimum
configurable would be even better.

The current mechanism to restrict ciphers by key length does however
not work, it seems. I suspect it only works for explicitely geenrated
DH parameters but not received DHE groups.

I searched the ClientHandshaker for usages of algorithmConstraints, and
it does not use it for the DHE part. It only question KEY_AGREEMENT for
cipher suite selection. (But I am not so famiiar with the code, maybe
you can point me to a place where the DHE size would be validated).

Thinking about it, it might be possible to register an own
DiffieHellmann provider to enforce a limit, hm.

Gruss
Bernd


More information about the security-dev mailing list