JDK-8204192 : ChaCha20 and Poly1305 Cipher Suites
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P4
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 12
  • Submitted: 2018-05-31
  • Updated: 2018-10-18
  • Resolved: 2018-09-12
Description
Summary
-------

Add ChaCha20-Poly1305 cipher suites to JSSE.  This will include cipher suites specific to TLS 1.2 and TLS 1.3.

Problem
-------

Prior to the introduction of the ChaCha20-Poly1305 suites, there were no stream-cipher-based suites for TLS that were considered secure given modern computing capabilities.  The ChaCha20-Poly1305 cipher suites use efficient, secure stream ciphers and have the added benefit of running in AEAD mode, which not only makes them suitable for TLS 1.2 but also meets the security requirements for TLS 1.3.

Solution
--------

For TLS 1.2 three new cipher suites will be added to JSSE as defined in [RFC 7905][rfc7905].  They are:

* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

[rfc7905]: https://tools.ietf.org/html/rfc7905

For TLS 1.3 one additional cipher suite will be added, as called out in [RFC 8446][rfc8446]:

* TLS_CHACHA20_POLY1305_SHA256

All four cipher suites will be part of the default-enabled collection of cipher suites.  That said, these two collections of cipher suites are exclusive to specific protocol versions (i.e. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cannot be used with TLS 1.3, and TLS_CHACHA20_POLY1305_SHA256 may not be used for TLS 1.2).  It is permissible to have all four cipher suites asserted in an initial ClientHello TLS handshake message, as the protocol version may not have been determined yet.  In cases where the client protocol version is limited exclusively to TLS 1.2 or TLS 1.3, only those suites allowed by that protocol version will be asserted in the ClientHello.

[rfc8446]: https://tools.ietf.org/html/rfc8446
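
The ClientHello behaviour described above can be checked by building the message with a client-mode `SSLEngine` and reading its `cipher_suites` field. This is an added example, not code from the CSR or the JDK; it assumes JDK 12 or later with the default `SSLContext`, the names `ChaChaClientHello` and `offeredSuites` are illustrative, and the 0xCCA8 to 0xCCAA code points are those assigned in RFC 7905.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.nio.ByteBuffer;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class ChaChaClientHello {
    // 0x1303 is the code listed in this CSR; 0xCCA8..0xCCAA are from RFC 7905.
    static final Map<Integer, String> CHACHA = new LinkedHashMap<>();
    static {
        CHACHA.put(0xCCA8, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
        CHACHA.put(0xCCA9, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256");
        CHACHA.put(0xCCAA, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
        CHACHA.put(0x1303, "TLS_CHACHA20_POLY1305_SHA256");
    }

    // Builds the ClientHello a default client SSLEngine sends when limited to the
    // given protocols and returns the cipher suite code points it offers.
    static Set<Integer> offeredSuites(String... protocols) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(protocols);
        ByteBuffer net = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        engine.wrap(ByteBuffer.allocate(0), net);      // first wrap() emits the ClientHello
        net.flip();
        if (net.get(0) != 22 || net.get(5) != 1)       // handshake record, client_hello
            throw new IllegalStateException("not a ClientHello");
        net.position(5 + 4 + 2 + 32);  // record hdr, handshake hdr, legacy_version, random
        net.position(net.position() + 1 + (net.get(net.position()) & 0xff)); // session_id
        int len = net.getShort() & 0xffff;             // cipher_suites length in bytes
        Set<Integer> suites = new HashSet<>();
        for (int i = 0; i < len; i += 2) suites.add(net.getShort() & 0xffff);
        return suites;
    }

    public static void main(String[] args) throws Exception {
        String[][] configs = { {"TLSv1.2"}, {"TLSv1.3"}, {"TLSv1.2", "TLSv1.3"} };
        for (String[] protocols : configs) {
            Set<Integer> offered = offeredSuites(protocols);
            System.out.println("Enabled protocols: " + String.join(", ", protocols));
            CHACHA.forEach((code, name) -> System.out.printf("  %-46s %s%n",
                    name, offered.contains(code) ? "offered" : "not offered"));
        }
    }
}
```

Running it against a deployment's actual JDK and `java.security` settings shows whether a policy such as `jdk.tls.disabledAlgorithms` has removed any of the four suites from the offer.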

Specification
-------------

There are no new public classes or methods as part of this feature.  The new cipher suite names for TLS 1.2 have already been added to the "JSSE Cipher Suite Names" section of the "Java Security Standard Algorithm Names" document, but the TLS 1.3 suite is not currently present and will be added.  All four names will also be added to the "JSSE Cipher Suite Parameters" section of the "Java Secure Socket Extension (JSSE) Reference Guide".  The names themselves are identical to the cipher suite names listed in the Solution section.


Standard Names:

|  Cipher Suite Code | Standard Name                |  Valid for DTLS | Exportable? |  Deprecated (Protocol) |  Introduced (Protocol) | References |
|--------------------|------------------------------|-----------------|-------------|------------------------|------------------------|------------|
| 0x13, 0x03         | TLS_CHACHA20_POLY1305_SHA256 | No              | No          | N/A                    | TLSv1.3                | RFC 7905   |


JSSE Reference Guide:

| Standard Name                                 |   Key Exchange Algorithm |  Bulk Cipher Algorithm |   Message Auth Algorithm |
|-----------------------------------------------|--------------------------|------------------------|--------------------------|
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   | ECDHE_RSA                | ChaCha20               | Poly1305                 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | ECDHE_ECDSA              | ChaCha20               | Poly1305                 |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     | DHE_RSA                  | ChaCha20               | Poly1305                 |
| TLS_CHACHA20_POLY1305_SHA256                  | N/A                      | ChaCha20               | Poly1305                 |



Comments
Moving to Approved.
12-09-2018

Moving to Provisional.
07-09-2018