JDK-8046105 : JEP 115: AEAD CipherSuites
  • Type: JEP
  • Component: security-libs
  • Priority: P4
  • Status: Closed
  • Resolution: Delivered
  • Fix Versions: 8
  • Submitted: 2011-07-25
  • Updated: 2017-08-11
  • Resolved: 2017-08-11
Description
Summary
-------

Support the AEAD/GCM cipher suites defined by NIST SP 800-38D (GCM), RFC 5116
(the AEAD interface), RFC 5246 (TLS 1.2), RFC 5288 (AES GCM cipher suites for
TLS), RFC 5289 (ECC cipher suites with SHA-256/384 and AES GCM) and RFC 5430
(the Suite B profile for TLS).


Goals
-----

1. Implement the AEAD/GCM crypto algorithm in the JCA/JCE providers.

2. Update JCA/JCE, to support AEAD operations.

3. Implement AEAD/GCM based cipher suites in JSSE.


Motivation
----------

As part of the U.S. National Security Agency's Suite B effort (modernization of
the national crypto infrastructure), the JDK needs to support the Galois
Counter Mode (GCM) cipher mode for ciphers like AES.  GCM is also being used in
some new TLS cipher suites.  GCM mode will be required for sales into the U.S.
Government, and to other customers that need modern crypto technologies.

For Suite B TLS compliance, GCM cipher suites are REQUIRED to be used whenever
both the client and the server support the necessary cipher suites. In order
to be Suite-B compliant, GCM ciphers need to be supported in the default JSSE
provider.


Description
-----------

Java SE already defined the AEAD/GCM interfaces (GCMParameterSpec,
Cipher.updateAAD and AEADBadTagException) in JDK 7.  In JDK 8 the JCA/JCE
providers will implement these AEAD/GCM interfaces.  For the PKCS#11 standard,
GCM support is defined in the PKCS#11 v2.30 specification, which is still a
draft; the SunPKCS11 provider will therefore not be enhanced to support GCM in
JDK 8.

This feature will support the following cipher suites in the default JSSE
implementation.  All of them are TLS 1.2 cipher suites (RFC 5246); AEAD suites
cannot be negotiated with earlier protocol versions:

  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5430, RFC 5289)
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5430, RFC 5289)
  - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
  - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
  - TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
  - TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
  - TLS_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
  - TLS_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
  - TLS_DH_RSA_WITH_AES_128_GCM_SHA256 (RFC 5288)
  - TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (RFC 5288)
  - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (RFC 5288)
  - TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (RFC 5288)
  - TLS_DH_DSS_WITH_AES_128_GCM_SHA256 (RFC 5288)
  - TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (RFC 5288)
  - TLS_DH_anon_WITH_AES_128_GCM_SHA256 (RFC 5288)
  - TLS_DH_anon_WITH_AES_256_GCM_SHA384 (RFC 5288)

Note that in order to support the GCM AEAD cipher suites in JSSE, the GCM cipher
implementation must be available from at least one of the JCA/JCE providers.
Thus, as part of this JEP, the SunJCE provider will be enhanced accordingly to
provide the required GCM support for the JSSE AEAD cipher suites.  The
TLS_DH_anon_* suites in the list above authenticate neither peer and are
supported but not enabled by default.
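As an added example that is not part of the JEP, the following restricts a JSSE engine to the authenticated GCM suites listed above on TLS 1.2 only, and checks that the provider actually exposes them (JSSE reports a GCM suite as supported only when a JCE provider can supply the cipher). The class and method names are chosen for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class GcmSuiteSelection {
    /** Keeps only GCM suites that also authenticate the peer (drops the *_anon_* suites). */
    static String[] authenticatedGcmSuites(String[] supported) {
        List<String> keep = new ArrayList<String>();
        for (String s : supported) {
            if (s.contains("_GCM_") && !s.contains("_anon_")) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);   // default key and trust managers; enough for a client-side demo
        SSLEngine engine = ctx.createSSLEngine();

        String[] gcm = authenticatedGcmSuites(engine.getSupportedCipherSuites());
        if (gcm.length == 0) {
            // happens when no installed JCE provider implements AES/GCM
            throw new IllegalStateException("no GCM suites available from the installed providers");
        }
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});   // AEAD suites exist only for TLS 1.2 (RFC 5246)
        params.setCipherSuites(gcm);
        engine.setSSLParameters(params);

        System.out.println("enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("enabled suites:    " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Filtering the supported list rather than hard-coding suite names keeps the configuration valid on a JDK whose providers support only a subset of the list, while the explicit check turns a silent fallback into a visible failure.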


Testing
-------

  1. Need to verify that the new interfaces behave as expected.
  2. Need to verify that the implementation doesn't break backward
     compatibility in unexpected ways.
  3. Need to verify that the implementation doesn't bring new
     interoperability issues in unexpected ways.


Impact
------

  - JCP: no impact on JCP
  - Other JDK components: no impact on other JDK components
  - Compatibility: minimal
  - Security: no impact on security
  - Portability: limited impact on portability
  - User Interface: no graphic user interface
  - Documentation: need to doc the new feature
  - Internationalization: minimal impact, likely to add new error messages
  - Localization: minimal impact, likely to add new error messages
  - Legal: no legal issue
  - Other: no known other impact