Sunday, July 31, 2011

Java™ SE 7 Release Security Enhancements - Weak Cryptography Control

Weak cryptographic algorithms can now be disabled in Java SE 7 release. The MD2 Message-Digest Algorithm was disabled by default in Sun PKIX provider and SunJSSE provider.

The MD2 algorithm is a cryptographic hash function developed by Ronald Rivest in 1989, and was published in 1992 as an Informational RFC (RFC 1319).; RFC 6149 moves RFC 1319/MD2 to historic status, "Since its publication, MD2 has been shown to not be collision-free, albeit successful collision attacks for properly implemented MD2 are not that damaging. Successful pre-image and second pre-image attacks against MD2 have been shown."

Although MD2 is no longer considered secure, it remains in use in public key infrastructures as part of certificates generated with MD2 and RSA. An a countermeasure of the vulnerability, Java SE has disabled MD2 algorithm in certification path building and validation.

You may wonder, Java SE has disabled MD2 algorithm in certification path building and validation in the latest releases and updates, what is the enhancement in Java SE 7?; Good question, NOT ONLY MD2, BUT ALSO MD4, MD5, or what else weak cryptographic algorithms, you can disable them in Java SE 7; and you also can disable cryptographic keys without enough strength key size. To control the usage of weak cryptographic algorithms, Java SE 7 introduces two new security properties, "jdk.certpath.disabledAlgorithms" and "jdk.tls.disabledAlgorithms".

The security property (and the syntax) of "jdk.certpath.disabledAlgorithms" is defined as:
# Algorithm restrictions for certification path (CertPath) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# for certification path building and validation.  For example, "MD2" is
# generally no longer considered to be a secure hash algorithm.  This section
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length.  This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
#   DisabledAlgorithms:
#       " DisabledAlgorithm { , DisabledAlgorithm } "
#
#   DisabledAlgorithm:
#       AlgorithmName [Constraint]
#
#   AlgorithmName:
#       (see below)
#
#   Constraint:
#       KeySizeConstraint
#
#   KeySizeConstraint:
#       keySize Operator DecimalInteger
#
#   Operator:
#       <= | < | == | != | >= | >
#
#   DecimalInteger:
#       DecimalDigits
#
#   DecimalDigits:
#       DecimalDigit {DecimalDigit}
#
#   DecimalDigit: one of
#       1 2 3 4 5 6 7 8 9 0
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
# Documentation" for information about Standard Algorithm Names.  Matching
# is performed using a case-insensitive sub-element matching rule.  (For
# example, in "SHA1withECDSA" the sub-elements are "SHA1" for hashing and
# "ECDSA" for signatures.)  If the assertion "AlgorithmName" is a
# sub-element of the certificate algorithm name, the algorithm will be
# rejected during certification path building and validation.  For example,
# the assertion algorithm name "DSA" will disable all certificate algorithms
# that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
# key size specified in number of bits.  For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2
And the security property of "jdk.tls.disabledAlgorithms" is defined as:
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS.  This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including cipher
# suites selection, peer authentication and key exchange mechanisms.
#
# For PKI-based peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: This property is currently used by Oracle's JSSE implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
#   jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

You are able to find the definition from java_home/jre/lib/security/java.security.
OK, let's look at more examples about how to control weak cryptographic algorithms and key strength.
MD5 is no longer acceptable where collision resistance is required such as digital signatures [RFC 6151]. However, there are still a lot of well-known certificates generated with MD5 based signature.
For RSA crypto-system, 512-bit keys no longer provide sufficient security for anything more than very short-term security needs [How large a key should be used in the RSA cryptosystem?]. RSA is widely used in the industry, for better interoperability, you may not be able to completely disable RSA crypto-system in your application. You may only accept strength enough RSA keys.
You may want to disable MD5 algorithms and RSA keys size less than 1024 bits in Sun PKIX provider. The security property may look like:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
For what ever reason, you may not like a particular TLS cipher suites, for example, "SSL_RSA_WITH_RC4_128_MD5/TLS_RSA_WITH_RC4_128_MD5". Of course, you can disable it in SunJSSE provider with:
jdk.tls.disabledAlgorithms=SSL_RSA_WITH_RC4_128_MD5

Yes, with these two security properties, you can control weak cryptographic algorithms and key sizes in Java VM globally. It is as you will!