Type: CSR
Resolution: Approved
Priority: P3
Compatibility Kind: behavioral
Compatibility Risk: minimal
Compatibility Risk Description: The default property value is empty so there is no out-of-box behavior change.
Interface Kind: System or security property
Scope: JDK
Summary
Provide a security property to restrict the mechanisms used by SASL.
Problem
https://tools.ietf.org/html/rfc6331 states that "The MD5 hash is sufficiently weak to make a brute force attack on DIGEST-MD5 easy with common hardware." DIGEST-MD5 was intended to be an improvement over CRAM-MD5, which has weaknesses of its own. PLAIN is weaker still: the password is sent in cleartext, so the mechanism itself provides no protection at all.
That said, SASL is often used inside a secure channel (for example, SMTP with STARTTLS), and in that case even PLAIN may be acceptable because TLS protects the exchange on the wire (a stronger mechanism is still preferable, since with PLAIN the server receives the cleartext password and a compromised TLS endpoint would expose it). This is similar to using the Basic WWW-Authenticate scheme over HTTPS.
Solution
Add a security property, jdk.sasl.disabledMechanisms, that disables the listed SASL mechanisms. Its default value is empty, so no mechanism is disabled out of the box. Users can set it to disable PLAIN, CRAM-MD5, DIGEST-MD5 or any other mechanism, which is especially advisable when the application protocol is not protected by a secure channel such as TLS.
Specification
Changes to src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java:

    /**
     * @implNote
     * ....
     * If a mechanism is listed in the
     * {@code jdk.sasl.disabledMechanisms} security property,
     * it will be ignored and won't be negotiated.
     */
    public static SaslClient createSaslClient(
        String[] mechanisms,
        String authorizationId,
        String protocol,
        String serverName,
        Map<String,?> props,
        CallbackHandler cbh);

    /**
     * @implNote
     * ....
     * If {@code mechanism} is listed in the
     * {@code jdk.sasl.disabledMechanisms} security property,
     * it will be ignored and this method will return {@code null}.
     */
    public static SaslServer createSaslServer(
        String mechanism,
        String protocol,
        String serverName,
        Map<String,?> props,
        javax.security.auth.callback.CallbackHandler cbh);
Add the following lines to conf/security/java.security:

    #
    # Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
    #
    # Disabled mechanisms will not be negotiated by either SASL clients or servers.
    # These mechanisms will be ignored if they are specified in the mechanisms
    # argument of Sasl.createSaslClient or the mechanism argument of
    # Sasl.createSaslServer.
    #
    # The value of this property is a comma-separated list of SASL mechanisms.
    # The mechanisms are case-sensitive. Whitespace around the commas is ignored.
    #
    # Note: This property is currently used by the JDK Reference implementation.
    # It is not guaranteed to be examined and used by other implementations.
    #
    # Example:
    #   jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
    jdk.sasl.disabledMechanisms=
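The behaviour specified above, shown end to end as an added example that is not part of the CSR or of the JDK's own code: a client handed a server's mechanism list and a server asked for one specific mechanism, with PLAIN and DIGEST-MD5 disabled. The protocol and host names, the credentials and the callback handler are constructed for the demo. Calling Security.setProperty before the first Sasl call assumes the JDK reads the property once when the Sasl class is initialised; in a real deployment the line belongs in conf/security/java.security or in a file passed with -Djava.security.properties=<file>.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import java.security.Security;
import java.util.Arrays;

public class SaslDisabledMechanismsDemo {

    // Constructed credentials for the demo; nothing is sent over a network.
    private static final String USER = "alice";
    private static final char[] PASSWORD = "correct horse battery staple".toCharArray();

    // Handler for the callbacks the JDK's PLAIN/CRAM-MD5/DIGEST-MD5
    // implementations issue while a client or server is being created.
    private static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(USER);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(PASSWORD.clone());
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    // Client side: the mechanisms a server advertised (weakest first here) are
    // passed through unchanged; disabled ones are skipped by createSaslClient.
    // Returns the negotiated mechanism name, or null if nothing usable is left.
    static String negotiateClient(String[] offered) throws SaslException {
        SaslClient client = Sasl.createSaslClient(offered, null, "smtp",
                "mail.example.com", null, HANDLER);
        if (client == null) {
            return null;
        }
        try {
            return client.getMechanismName();
        } finally {
            client.dispose();
        }
    }

    // Server side: createSaslServer returns null (no exception) for a disabled
    // mechanism, so the caller has to treat null as "refuse this mechanism".
    static boolean serverAccepts(String mechanism) throws SaslException {
        SaslServer server = Sasl.createSaslServer(mechanism, "ldap",
                "ldap.example.com", null, HANDLER);
        if (server == null) {
            return false;
        }
        server.dispose();
        return true;
    }

    public static void main(String[] args) throws SaslException {
        // Assumption: the JDK reads jdk.sasl.disabledMechanisms when the
        // javax.security.sasl.Sasl class is first used, so the override must
        // come before any Sasl call. In production put the line in
        // conf/security/java.security or in a file passed with
        // -Djava.security.properties=<file> rather than calling setProperty.
        Security.setProperty("jdk.sasl.disabledMechanisms", "PLAIN, DIGEST-MD5");

        String[] offered = {"PLAIN", "DIGEST-MD5", "CRAM-MD5"};
        System.out.println("offered " + Arrays.toString(offered)
                + " -> negotiated " + negotiateClient(offered));

        // A server that only offers disabled mechanisms leaves the client with
        // nothing; abort the login rather than silently falling back.
        String[] onlyWeak = {"PLAIN", "DIGEST-MD5"};
        System.out.println("offered " + Arrays.toString(onlyWeak)
                + " -> negotiated " + negotiateClient(onlyWeak));

        for (String mech : new String[] {"DIGEST-MD5", "CRAM-MD5"}) {
            System.out.println("server accepts " + mech + ": " + serverAccepts(mech));
        }
    }
}
```

With the property set this way, createSaslClient skips PLAIN and DIGEST-MD5 and hands back a CRAM-MD5 client, and returns null when only disabled mechanisms were offered; createSaslServer returns null for DIGEST-MD5 while still producing a CRAM-MD5 server. On both paths a null return is the only signal that a mechanism was filtered, so application code that treats null as "try something else" would defeat the property; it should fail the authentication instead.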
Issue Links: csr of JDK-8200400 Allow Sasl mechanisms to be restricted (Resolved)