JDK-8224520 : Support X25519 and X448 in TLS
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P2
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 13
  • Submitted: 2019-05-21
  • Updated: 2019-08-05
  • Resolved: 2019-05-28
Description
Summary
-------

Adds support for x25519/x448 Elliptic Curves ([RFC 7748][1]) to the JDK TLS implementation.

Problem
-------

[JEP 324][2] added KeyAgreement with ECC curves x25519/x448 to JDK 11.  These curves have desirable properties:

    ...constant-time implementation and an
    exception-free scalar multiplication that is resistant to a wide
    range of side-channel attacks, including timing and cache attacks.

These curves were recently added to the various IETF Transport Layer Security (TLS) specifications:

 - [RFC 8422][3] adds these curves to the existing [TLSv1][4]/[TLSv1.1][5]/[TLSv1.2][6] RFCs

 - [RFC 8446][7] defines these curves as part of TLSv1.3

Currently, the JDK SunJSSE provider does not support these curves.
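
The X25519 exchange behind a TLS key share can be reproduced with the JEP 324 `KeyAgreement` API mentioned above. The following is an added example, not code from this CSR or from the SunJSSE provider; the class name `X25519KeyShareDemo` and its helper methods are hypothetical. It encodes each public value as the 32 little-endian bytes of RFC 7748, rejects a wrong-length share, and applies the all-zero shared secret check that RFC 8446 requires.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.XECPublicKey;
import java.security.spec.NamedParameterSpec;
import java.security.spec.XECPublicKeySpec;
import javax.crypto.KeyAgreement;
// Hypothetical demo class; helper names are illustrative, not JDK internals.
public class X25519KeyShareDemo {
    static final int LEN = 32; // X25519 public value length in bytes (RFC 7748)

    // Encode the u-coordinate as 32 little-endian bytes, the RFC 7748 wire form.
    static byte[] encode(PublicKey pub) {
        byte[] be = ((XECPublicKey) pub).getU().toByteArray(); // big-endian
        byte[] le = new byte[LEN];
        for (int i = 0; i < be.length && i < LEN; i++) le[i] = be[be.length - 1 - i];
        return le;
    }

    // Rebuild a peer public key from received bytes, rejecting wrong lengths.
    static PublicKey decode(byte[] wire) throws GeneralSecurityException {
        if (wire.length != LEN) throw new InvalidKeyException("bad key share length");
        byte[] be = new byte[LEN];
        for (int i = 0; i < LEN; i++) be[i] = wire[LEN - 1 - i];
        be[0] &= 0x7F; // RFC 7748: ignore the unused top bit of the last byte
        return KeyFactory.getInstance("XDH").generatePublic(
            new XECPublicKeySpec(NamedParameterSpec.X25519, new BigInteger(1, be)));
    }

    static byte[] derive(PrivateKey own, byte[] peerWire) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("X25519");
        ka.init(own);
        ka.doPhase(decode(peerWire), true);
        byte[] secret = ka.generateSecret();
        byte acc = 0;
        for (byte b : secret) acc |= b;
        // RFC 8446 section 7.4.2: abort if the shared secret is all zero.
        if (acc == 0) throw new InvalidKeyException("all-zero shared secret");
        return secret;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("X25519");
        KeyPair client = kpg.generateKeyPair(), server = kpg.generateKeyPair();
        byte[] clientShare = encode(client.getPublic());
        byte[] serverShare = encode(server.getPublic());
        byte[] k1 = derive(client.getPrivate(), serverShare);
        byte[] k2 = derive(server.getPrivate(), clientShare);
        System.out.println("secrets match: " + MessageDigest.isEqual(k1, k2));
    }
}
```

This runs on JDK 11 or later, where JEP 324 is available, and does not depend on the TLS changes proposed here.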

Solution
--------

Add support for x25519/x448 in the SunJSSE implementation.

Almost all of the implementation changes are contained within the JDK internal SunJSSE provider code.

x25519 is the most preferred named group in Chrome, Firefox, Opera, and Edge, so we will follow suit.

Specification
-------------

x25519/x448 will be added to the list of "enabled by default" named curves.

The only externally noticeable item is that the strings "x25519" and "x448" are now recognized in the java.lang.System configuration property "jdk.tls.namedGroups":

    jdk.tls.namedGroups="x25519, x448, secp521r1, secp256r1, ffdhe2048"

Proposed default ordered list of groups:

      // Primary XDH (RFC 7748) curves
      NamedGroup.X25519,

      // Primary NIST curves (i.e. used in TLSv1.3)
      NamedGroup.SECP256_R1,
      NamedGroup.SECP384_R1,
      NamedGroup.SECP521_R1,

      // Secondary XDH curves
      NamedGroup.X448,

      // Secondary NIST curves
      NamedGroup.SECT283_K1,
      NamedGroup.SECT283_R1,
      NamedGroup.SECT409_K1,
      NamedGroup.SECT409_R1,
      NamedGroup.SECT571_K1,
      NamedGroup.SECT571_R1,

      // non-NIST curves
      NamedGroup.SECP256_K1,

      // FFDHE 2048
      NamedGroup.FFDHE_2048,
      NamedGroup.FFDHE_3072,
      NamedGroup.FFDHE_4096,
      NamedGroup.FFDHE_6144,
      NamedGroup.FFDHE_8192,

  [1]: https://www.rfc-editor.org/rfc/rfc7748.txt
  [2]: https://openjdk.java.net/jeps/324
  [3]: https://www.rfc-editor.org/rfc/rfc8422.txt
  [4]: https://www.rfc-editor.org/rfc/rfc2246.txt
  [5]: https://www.rfc-editor.org/rfc/rfc4346.txt
  [6]: https://www.rfc-editor.org/rfc/rfc5246.txt
  [7]: https://www.rfc-editor.org/rfc/rfc8446.txt
Comments
Moving to Approved.
28-05-2019