Monday Apr 18, 2011

Time back to blog

In the past two years, a few new features are designed in JDK 7. I will try to demonstrate some of them in this blog, especially weak cryptographic algorithm control and TLS 1.1/1.2.

Thursday Jun 18, 2009

TLS and NIST'S Policy on Hash Functions

NIST'S Policy on Hash Functions

March 15, 2006: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms. Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010. After 2010, Federal agencies may use SHA-1 only for the following applications: hash-based message authentication codes (HMACs); key derivation functions (KDFs); and random number generators (RNGs). Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.

TLS specifics of hash functions

  1. MAC constructions

    A number of operations in the TLS record and handshake layer require a keyed Message Authentication Code (MAC) to protect message integrity or to construct key derivation functions.

    For TLS 1.0 and 1.1, the construction used is known as HMAC; TLS 1.2 still use HMAC, but it also decalares that "Other cipher suites MAY define their own MAC constructions, if needed."

  2. HMAC at handshaking

    HMAC can be used with a variety of different hash algorithms. However, TLS 1.0 and TLS 1.1 use it in the handshaking with two different algorithms, MD5(HMAC_MD5) and SHA-1(HMAC-SHA). Additionla hash algorithm can be defined by cipher suites and used to protect record data, but MD5 and SHA-1 are hard coded into the description of the handshaking for TLS 1.0 and TLS 1.1.

    TLS 1.2 move away from the hard coded MD5 and SHA-1, SHA-256 is the default hash function for all cipher suites defined in TLS 1.2, TLS 1.1, TLS 1.0 when TLS 1.2 is negotiated. TLS 1.2 also declares that "New cipher suites MUST explicitly specify a PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a stronger standard hash function", which means that the hash functions used at handshakeing should be SHA-256 at least.

  3. HMAC at protecting record

    For the HMAC operations used to protect record data, the hash funtion is defined by cipher suites. For example, the HMAC's hash function of cipher suite TLS_RSA_WITH_NULL_MD5 is MD5.

    TLS 1.0 and TLS 1.1 define three hash functions for HMAC, they are:

    • null
    • MD5
    • SHA1

    From TLS 1.2, new cipher suites may define their own MAC constructions except the default HMAC. TLS 1.2 defines five MAC algorithms, from the literal, it is straight forward to know the hash function used.

    • null
    • hmac_md5
    • hmac_sha1
    • hmac_sha256
    • hmac_sha384
    • hmac_sha512

  4. Pseudo-Random Function

    Pseudo-random function takes a key rule in TLS handshaking, it is used to calculate the master secret, calculate session keys, and verify the just negotiated algorithms via Finished message. TLS specifications define PRF based on HMAC.

    For TLS 1.0 and TLS 1.1, the PRF is created by splitting the secret into two halves and using one half to generate data with P_MD5 and the other half to generate data with P_SHA-1, then exclusive-ORing the outputs of these two expansion functions together.

    PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed);

    TLS 1.2 defines a PRF based on HMAC as TLS 1.0/1.1, except that the hash algorithm used if SHA-256, "This PRF with the SHA-256 hash function is used for all cipher suites defined in this document and in TLS documents published prior to this document when TLS 1.2 is negotiated. New cipher suites MUST explicitly specify a PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a stronger standard hash function."

    Unlike TLS 1.0/1.1, the PRF of TLS 1.2 does not require to split the secret any more, only one hash function used:

    PRF(secret, label, seed) = P_<hash>(secret, label + seed)

  5. Hash function at ServerKeyExchange

    In the handshakeing message, ServerKeyExchage, for some exchande method, such as RSA, diffie_hellman, ec_diffie_hellman, ecdsa, etc., needs a so-called "signature" to protect the exchanged parameters.

    TLS 1.0 and TLS 1.1 use SHA-1 ( or with MD5 at the same time) to generate the digest for the "signature". While for TLS 1.2, the hash function may be other than SHA-1, it is varied with the ServerKeyExchange message context, such as "signature algorithm" extension, the server end-entity certificate.

  6. Server Certificates

    In TLS 1.0/1.1, there is no way for client to indicate the server what kind of server certificates it would accept. TLS 1.2 defines a extension, signature_algorithms, to indicate to the server which signature/hash algorithm pairs may be used in digital signatures. The hash algorithm could be one of:

    • none
    • md5
    • sha1
    • sha224
    • sha256
    • sha384
    • sha512

  7. Client Certificates

    In TLS 1.0/1.1, a TLS server could request a serial of types of client certificate, but the "type" here refer to the "signature" algorithm, which does not include the hash algorithm the certificate should be signed with. So a certificate signed with a stonger signature algorithm, such as RSA2048, but with a weak hash funtion, such as MD5, would meet the requirements. That's not enough.

    TLS 1.2 extends the CertificateRequest handshaking message with a addtional field, "supported_signature_algorithms", to indicate to the client which signature/hash algorithm pairs may be used in digital signatures. The hash algorithm could be one of:

    • none
    • md5
    • sha1
    • sha224
    • sha256
    • sha384
    • sha512

What the FIPS 140-2 Concern

In the last update of "Implementation Guidance for FIPSPUB 140-2", "The KDF in TLS is allowed only for the purpose of establishing keying material (in particular, the master secret) for a TLS session with the following restrictions, even though the use of the SHA-1 and MD5 hash functions are not consistent with in Table 1 or Table 2 of SP 800-56A: "

  1. The use of MD5 is allowed in the TLS protocol only; MD5 shall not be used as a general hash function.
  2. The maximum number of blocks of secret keying material that can be produced by repeated use of the pseudorandom function during a single call to the TLS key derivation function shall be 2\^32-1.

NIST's Policy Compliant profile for TLS

The NIST's policy on hash functions could be split into four principle. We discuss the profile according to the principles.

  • Principle 1: The SHA-2 family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and SHA-512) may be used by Federal agencies for all applications using secure hash algorithms.

    MD5 is not a FIPS approved hash functions, so first of all, the profile needs to disable all cipher suites with the MACAlgorith of MD5.

    • TLS_RSA_WITH_NULL_MD5
    • TLS_RSA_EXPORT_WITH_RC4_40_MD5
    • TLS_RSA_WITH_RC4_128_MD5
    • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    • TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
    • TLS_DH_anon_WITH_RC4_128_MD5
    • TLS_KRB5_WITH_DES_CBC_MD5
    • TLS_KRB5_WITH_3DES_EDE_CBC_MD5
    • TLS_KRB5_WITH_RC4_128_MD5
    • TLS_KRB5_WITH_IDEA_CBC_MD5
    • TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
    • TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5
    • TLS_KRB5_EXPORT_WITH_RC4_40_MD5

    SHA-2 family of hash functions are completely compliant to the policy. The profile is safe to enabled the those cipher suites based on SHA-2

    • TLS_RSA_WITH_NULL_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_DH_DSS_WITH_AES_128_CBC_SHA256
    • TLS_DH_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DH_DSS_WITH_AES_256_CBC_SHA256
    • TLS_DH_RSA_WITH_AES_256_CBC_SHA256
    • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_DH_anon_WITH_AES_128_CBC_SHA256
    • TLS_DH_anon_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DH_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DH_RSA_WITH_AES_256_GCM_SHA384
    • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    • TLS_DH_DSS_WITH_AES_128_GCM_SHA256
    • TLS_DH_DSS_WITH_AES_256_GCM_SHA384
    • TLS_DH_anon_WITH_AES_128_GCM_SHA256
    • TLS_DH_anon_WITH_AES_256_GCM_SHA384
    • TLS_PSK_WITH_AES_128_GCM_SHA256
    • TLS_PSK_WITH_AES_256_GCM_SHA384
    • TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
    • TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
    • TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
    • TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
    • TLS_PSK_WITH_AES_128_CBC_SHA256
    • TLS_PSK_WITH_AES_256_CBC_SHA384
    • TLS_PSK_WITH_NULL_SHA256
    • TLS_PSK_WITH_NULL_SHA384
    • TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
    • TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
    • TLS_DHE_PSK_WITH_NULL_SHA256
    • TLS_DHE_PSK_WITH_NULL_SHA384
    • TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
    • TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
    • TLS_RSA_PSK_WITH_NULL_SHA256
    • TLS_RSA_PSK_WITH_NULL_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_PSK_WITH_NULL_SHA256
    • TLS_ECDHE_PSK_WITH_NULL_SHA384

    Those cipher suites with MAC algorithm of SHA-1 are addressed at the follow principles.

  • Principle 2: Federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010.
    Profile ServerKeyExchange Message

    ServerKeyExchange depends on digital signature, the profile should stop using SHA-1 hash function for ServerKeyExchange handshaking message.

    TLS 1.0 and TLS 1.1 use SHA-1 ( or with MD5 at the same time) to generate the digest for the "signature". There is no way to disable SHA-1 in ServerKeyExchange handshaking message. ServerKeyExchange is a optional handshaking message," it is sent by the server only when the server certificate message (if sent) does not contain enough data to allow the client to exchange a premaster secret. This is true for the following key exchange methods:"

    • RSA_EXPORT (if the public key in the server certificate is longer than 512 bits)
    • DHE_DSS
    • DHE_DSS_EXPORT
    • DHE_RSA
    • DHE_RSA_EXPORT
    • DH_anon

    For TLS 1.0 and TLS 1.1, the profile needs to disable the above key exchange methods, for the purpose of preventing the ServerKeyExchange handshaking message occurred, by disabling the following cipher suites:

    • TLS_RSA_EXPORT_WITH_RC4_40_MD5
    • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    • TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    • TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    • TLS_DHE_DSS_WITH_DES_CBC_SHA
    • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    • TLS_DHE_RSA_WITH_DES_CBC_SHA
    • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
    • TLS_DH_anon_WITH_RC4_128_MD5
    • TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
    • TLS_DH_anon_WITH_DES_CBC_SHA
    • TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_DH_anon_WITH_AES_128_CBC_SHA
    • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_DH_anon_WITH_AES_256_CBC_SHA

    In TLS 1.2, the hash function used with ServerKeyExchange may be other than SHA-1, the following rules defined:

    • Signature Algorithm Extension: If the client has offered the "signature_algorithms" extension, the signature algorithm and hash algorithm used in ServerKeyExchange message MUST be a pair listed in that extension.

      Per this rule, the profile requires that the "signature_algorithms" extension sent by client should include only SHA-2 hash algorithms or stronger, and must not include the hash algorithms: "none", "md5", and "sha1".

    • Compatible with the Key in Server's EE Certificate: the hash and signature algorithms used in ServerKeyExchange message MUST be compatible with the key in the server's end-entity certificate.

      Per this rule, the profile requires that the server end-entity certificate must be signed with SHA-2 or stronger hash functions.

      Note that, at present, the DSA(DSS) may only be used with SHA-1, the profile will not allow server end-entity certificate signed with DSA(DSS).

    Profile Server Certificate

    In TLS 1.0/1.1, there is no way for client to indicate the server what kind of server certificates it would accept. What we can do here is from the point of programming and managerment, the profile requires all server certificates must be signed with SHA-2 or stronger hash functions, and carefully checking that there is no certificate in the chain signed with none SHA-2-or-stronger hash functions.

    In TLS 1.2, there is a protocol specified behavior, "signature_algorithms" extension. "If the client provided a 'signature_algorithms' extension, then all certificates provided by the server MUST be signed by a hash/signature algorithm pair that appears in that extension." Per the specific, the profile requires that the "signature_algorithms" extension sent by client should include only SHA-2 hash algorithms or stronger, and must not include the hash algorithms: "none", "md5", and "sha1"

    However, "signature_algorithms" extension is not a mandatory extension in TLS 1.2, while server does not receive the "signature_algorithms" extension, it also needs to ship the NIST principle. So the profile still requires all server certificates must be signed with SHA-2 or stronger hash functions from the point of programming and management.

    Profile Client Certificate

    In TLS 1.0/1.1, there is no way for server to indicate the client it would accept what kind of hash algorithm used to signed the client certificates. What we can do here is from the point of programming and managerment, the profile requires all client certificates must be signed with SHA-2 or stronger hash functions.

    TLS 1.2 extends the CertificateRequest handshaking message with a addtional field, "supported_signature_algorithms", to indicate to the client which signature/hash algorithm pairs may be used in digital signatures. The profile requires that the "supported_signature_algorithms" field must include only SHA-2 hash algorithms or stronger, and must not include the hash algorithms: "none", "md5", and "sha1".

  • Principle 3: After 2010, Federal agencies may use SHA-1 only for the following applications:
    • hash-based message authentication codes (HMACs);
    • key derivation functions (KDFs);
    • random number generators (RNGs).

    Except the ServerKeyExchange, server Certificate and client Certificate messages, the hash function used in TLS protocols is for HMAC, KDF or RNG, which is allowed by the policy. Need no addtional profile for this principle.

  • Principle 4: Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols.
  • TLS 1.0 and TLS 1.1 is totally depends on SHA-1 and MD5, there is no way to obey this principle. In order to fully remove the dependency on SHA-1/MD5, one have to upgrade to TLS 1.2 or later revisions.

A stric mode profile

  1. Disable all cipher suites which mac algorithm is MD5;
  2. Disable all cipher suites which may trigger ServerKeyExchange message;
  3. Accept only those certificates that signed with SHA-1 or stronger hash functions;
  4. Upgrade to TLS 1.2 for purpose of fully remove the dependence on weak hash functions.

Put it into practice

Currently, Java SDK does not support TLS 1.1 or later. The proposals talked here are for TLS 1.0, which is implemented by the default SunJSSE provider.

  1. Disable cipher suite

    JSSE has no APIs to disable a particular cipher suite, but there are APIs to set which cipher suites could be used at handshaking. Refer to SSLSocket.setEnabledCipherSuites(String[] suites), SSLServerSocket.setEnabledCipherSuites(String[] suites), SSLEngine.setEnabledCipherSuites(String[] suites) for detailed usage.

    By default, SunJSSE enables both MD5 and SHA-1 based cipher suites, and those cipher suites that trigger ServerKeyExchange massage. In FIPS mode, SunJSSE enable SHA-1 based cipher suites only, however some of those cipher suites that trigger ServerKeyExchange also enabled. So, considering the above strict mode profile, the coder must explicit call SSLX.setEnabledCipherSuites(String[] suites), and the parameter "suites" must not include MD5 based cipher suites, and those cipher suites triggering handshaking message, ServerKeyExchange.

  2. Constrain certificate signature algorithm
  3. The strict profile suggest all certificates should be signed with SHA-2 or stronger hash functions. In JSSE, the processes to choose a certificate for the remote peer and validate the certificate received from remote peer are controlled by KeyManager/X509KeyManager and TrustManager/X509TrustManager. By default, the SunJSSE provider does not set any limit on the certificate's hash functions. Considerint the above strict profile, the coder should customize the KeyManager and TrustManager, and limit that only those certificate signed with SHA-2 or stronger hash functions are available or trusted.

    Please refer to the section of X509TrustManager Interface in JSSE Reference Guide for details about how to customize trust manager by create your own X509TrustManager; and refer to the section of X509KeyManager Interface in JSSE Reference Guide for details about how to customize key manager by create your own X509KeyManager

Note that the above profile and suggestions are my personal understanding of the NIST's policy and TLS, they are my very peronal suggestions, instead of official proposals from Sun.

Linkage to the blog entry at simabc.blogspot.com

Tuesday Jun 16, 2009

JSSE Troubleshooting: Certificates Order in TLS Handshaking

Issue:

Failed with a exception: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed.

Example:

Test case:
     1  //
     2  // JSSE Troubleshooting: Disordered Certificate List in TLS Handshaking
     3  //
     4  import java.net.\*;
     5
     6  public class DisorderedCertificateList {
     7      public static void main(String[] Arguments) throws Exception {
     8          URL url = new URL("https://myservice.example.com/");
     9          URLConnection connection = url.openConnection();
    10
    11          connection.getInputStream().close();
    12      }
    13  }
	
Test environment:

The HTTPS server, myservice.example.com, is configurated with a certificate path that the certificates in the path is out of order. For example, the expected certificate path is server_certificate -> intermediate ca -> seld-signed root ca. However, the certificate path is configurated as server_certificate -> seld-signed root ca -> intermediate ca.

Test Result:
	Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
		at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
		at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1627)
		at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:204)
		at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:198)
		at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:994)
		at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:142)
		at sun.security.ssl.Handshaker.processLoop(Handshaker.java:533)
		at sun.security.ssl.Handshaker.process_record(Handshaker.java:471)
		at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:904)
		at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1132)
		at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1159)
		at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1143)
		at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:423)
		at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
		at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:997)
		at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
		at DisorderedCertificateList.main(DisorderedCertificateList.java:11)
	Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
		at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:266)
		at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:249)
		at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:172)
		at sun.security.validator.Validator.validate(Validator.java:235)
		at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
		at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
		at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
		at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:973)
		... 12 more
	Caused by: java.security.cert.CertPathValidatorException: subject/issuer name chaining check failed
		at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:153)
		at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:321)
		at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:186)
		at java.security.cert.CertPathValidator.validate(CertPathValidator.java:267)
		at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:261)
		... 19 more
	

Cause:

Per the TLS specification (page 39, section 7.4.2, RFC2246), the certificate list passed to server Certificate message or client Certificate message "is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it."

So, the certificate order of the above test case, server_certificate -> seld-signed root ca -> intermediate ca, is not a TLS specification compliant behavior, the TLS handshaking is expected to fail.

Solution:

Checking the TLS/SSL configuration, and make sure that the certificate list sent to peer is properly configuated and in order.


Linkage to the blog entry at simabc.blogspot.com

Friday May 29, 2009

JSSE Debug Logging With Timestamp

These days, I was asked about a strange network delay of input/output stream when migrating a TLS protected application to a new platform. The application is built on top of SunJSSE. They enabled debug with option "-Djavax.net.debug=all", however, because there is no timestamp in the debug output, the debug logging was not of much help.

Is there any way to enable JSSE debug logging with timestamp?  Definitely, the answer is YES.  It is straightforward.

Firstly,  create a class extends PrintStream,and override all println() methods. I used a static nested class here.

    final static class TimestampPrintStream extends PrintStream {
        TimestampPrintStream(PrintStream out) {
            super(out);
        }

        public void println() {
            timestamp();
            super.println();
        }

        public void println(boolean x) {
            timestamp();
            super.println(x);
        }

        public void println(char x) {
            timestamp();
            super.println(x);
        }

        public void println(int x) {
            timestamp();
            super.println(x);
        }

        public void println(long x) {
            timestamp();
            super.println(x);
        }

        public void println(float x) {
            timestamp();
            super.println(x);
        }

        public void println(double x) {
            timestamp();
            super.println(x);
        }

        public void println(char x[]) {
            timestamp();
            super.println(x);
        }

        public void println(String x) {
            timestamp();
            super.println(x);
        }

        public void println(Object x) {
            timestamp();
            super.println(x);
        }


        private void timestamp() {
            super.print("<Thread Id: " + Thread.currentThread().getId() + ">" +
                        "<Timestamp: " + System.currentTimeMillis() + ">    ");
        }
    }

 

Surely, you can change the timestamp() to what kind of codes you like. 

Then, insert into the following codes into a certain place, where the codes should be called before initialize a TLS connection, of your application. Simply, you can add it into the head of main() method.

        if (true) {
            AccessController.doPrivileged(new PrivilegedAction<Void>() {
                public Void run() {
                    System.setOut(new TimestampPrintStream(System.out));
                    System.setErr(new TimestampPrintStream(System.err));
                    return null;
                }
            });
        } 

You see, it is simple and straightforward.

Saturday May 23, 2009

FIPS 140 Compliant Mode for SunJSSE

In the Java™ 6 Security Enhancements, it says that "The SunJSSE provider now supports an experimental FIPS 140 compliant mode.  When enabled and used in combination with the SunPKCS11 provider and an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140 compliant."  Except that, we cannot find any more document on how to enable FIPS mode and how the FIPS mode works with SunJSSE. Normally, developers could a few hints from Andreas blog,. The Java PKCS#11 Provider and NSS, althought it is far from enough to understand the FIPS mode of SunJSSE. The following is a unpublished document, hope it helps.

 

FIPS 140 Compliant Mode for SunJSSE

In Sun's Java SE implementation version 6 or later, the SunJSSE provider, which contains the SSL/TLS implementation, can be configured to operate in a FIPS 140 compliant mode instead of its default mode. This document describes the FIPS 140 compliant mode (subsequently called "FIPS mode").

Configuring SunJSSE for FIPS Mode

SunJSSE is configured in FIPS mode by associating it with an appropriate FIPS 140 certified cryptographic provider that supplies the implementations for all cryptographic algorithms required by SunJSSE. This can be done in one of the following ways:

  1. edit the file ${java.home}/lib/security/java.security and modify the line that lists com.sun.net.ssl.internal.ssl.Provider to list the provider name of the FIPS 140 certified cryptographic provider. For example if the name of the cryptographic provider is SunPKCS11-NSS, change the line from

      security.provider.4=com.sun.net.ssl.internal.ssl.Provider

    to

      security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS

    The class for the provider of the given name must also be listed as a security provider in the java.security file.

  2. at runtime, call the constructor of the SunJSSE provider that takes a java.security.Provider object as a parameter. For example, if the variable cryptoProvider is a reference to the cryptographic provider, call new com.sun.net.ssl.internal.ssl.Provider(cryptoProvider).

  3. at runtime, call the constructor of the SunJSSE provider that takes a String object as a parameter. For example if the cryptographic provider is called SunPKCS11-NSS call new com.sun.net.ssl.internal.ssl.Provider("SunPKCS11-NSS"). A provider with the specified name must be one of the configured security providers.

Within a given Java process, SunJSSE can be used either in FIPS mode or in default mode, but not both at the same time. Once SunJSSE has been initialized, it is not possible to change the mode. This means that if one of the runtime configuration options is used (option 2 or 3), the configuration must take place before any SSL/TLS operation.

Note that only the specified configured provider will be used by the SunJSSE for any and all cryptographic operations. All other cryptographic providers including those included with the Java SE implementation will be ignored and not used.

Difference Between FIPS Mode and Default Mode

In FIPS mode, SunJSSE behaves in a way identical to default mode, except for the following differences.

In FIPS mode:

  • SunJSSE will perform all cryptographic operations using the cryptographic provider that was configured as described above. This includes symmetric and asymmetric encryption, signature generation and verification, message digests and message authentication codes, key generation and key derivation, random number generation, etc.

  • If the configured cryptographic provider reports any error by throwing an exception, SunJSSE will abort the current operation and propagate the exception to the application.

  • If the configured cryptographic provider believes it had a critical error such as a self test failure per FIPS guidelines, it needs to remain in an error state until it is re-initialized. The application using the SunJSSE configured with the FIPS cryptographic module will have to be restarted. This ensures that the FIPS module will not allow critical errors to compromise security.

  • Only TLS 1.0 and later can be used. SSL 2.0 and SSL 3.0 are not available. Any attempt to enable SSL 2.0 or 3.0 will fail with an exception.

  • The list of ciphersuites is limited to those that utilize appropriate algorithms. The current list of possible ciphersuites is given below. Any attempt to enable a ciphersuite not on the list will fail with an exception.

Ciphersuites Usable in FIPS Mode

The following is the current list of ciphersuites which can be used by SunJSSE in FIPS mode with their names and the id as assigned in the TLS protocol provided that the configured cryptographic FIPS module supports the necessary algorithms. Note that although SunJSSE uses the prefix SSL_ in the name of some of these ciphersuites, this is for compatibility with earlier versions of the specification only. In FIPS mode, SunJSSE will always use TLS 1.0 or later and implement the ciphersuites as required by those specifications.

SSL_RSA_WITH_3DES_EDE_CBC_SHA

0x000a

SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

0x0016

TLS_RSA_WITH_AES_128_CBC_SHA

0x002f

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

0x0032

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

0x0033

TLS_RSA_WITH_AES_256_CBC_SHA

0x0035

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

0x0038

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

0x0039

TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

0xC003

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

0xC004

TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

0xC005

TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

0xC008

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

0xC009

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

0xC00A

TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

0xC00D

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

0xC00E

TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

0xC00F

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

0xC012

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

0xC013

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

0xC014

TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA

0xC017

TLS_ECDH_anon_WITH_AES_128_CBC_SHA

0xC018

TLS_ECDH_anon_WITH_AES_256_CBC_SHA

0xC019

Conclusion

When SunJSSE is configured in FIPS 140 compliant mode together with an appropriate FIPS 140 certified cryptographic provider, for example Network Security Services (NSS) in its FIPS mode, SunJSSE is FIPS 140 compliant. 

 

About

A blog on security and networking

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today