JDK-6521495 : Lift 1024-bit long prime restriction on Diffie-Hellman
  • Type: Enhancement
  • Status: Closed
  • Resolution: Duplicate
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P3
  • Affected Version: 5.0,7,8
  • OS: linux
  • CPU: x86
  • Submit Date: 2007-02-05
  • Updated Date: 2016-07-08
  • Resolved Date: 2012-12-11
Related Reports
Duplicate :  
Relates :  
Description
A DESCRIPTION OF THE REQUEST :
Sun's JCE implementation imposes an artificial restriction on Diffie-Hellman primes. When passing a DHParameterSpec generated with a 2048-bit long modulus, class DHKeyPairGenerator will throw an exception indicating that "Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)."

Please allow for module sizes beyond the 1024-bit limit.

JUSTIFICATION :
Primes under 1024 bits don't provide an adecuate match to nowadays hardware and state-of-the-art algorithms, such as AES.
Please refer to RFC 3526 for an official submission that defines standard primes between 2048 and 8192 for the Diffie-Hellman algorithm.

Furthermore, the SSH2 protocol recommends and requires support of 2048-bit long groups over the now deprecated smaller groups. See RFC 4253 ��8.2 for further information.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Primes of arbitrary length are supported for the Diffie-Hellman key agreement, as long as the length is multiple of 64.
ACTUAL -
Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive).

---------- BEGIN SOURCE ----------
See section "Diffie-Hellman Key Exchange between 2 Parties" in Appendix F of the JavaTM Cryptography Extension (JCE) Reference Guide published by Sun. Either modify the application to generate 2048-bit long primes or modify static array skip1024ModulusBytes to contain twice as many elements (the actual content shouldn't matter for this particular test).
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Using BouncyCastle's JCE implementation, which doesn't impose this restriction, or resorting to the BigNumber API directly.

Comments
EVALUATION Also consider lifting the same restriction on DSA (6560751)
2010-05-10