Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8269299

ChaCha20 and Poly1305 TLS Cipher Suites

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Approved
    • Icon: P2 P2
    • 11-pool
    • security-libs
    • None
    • minimal
    • JDK

      Summary

      Add ChaCha20-Poly1305 cipher suites to JSSE. This will include cipher suites specific to TLS 1.2 and TLS 1.3. No changes from JDK12, CSR JDK-8204192

      Problem

      Prior to the introduction of ChaCha20-Poly1305 suites, there were no stream-cipher based suites for TLS that were considered secure given modern computing capabilities. The ChaCha20-Poly1305 cipher suites use efficient, secure stream ciphers and have the added benefit of running in AEAD mode, which makes them suitable not only for TLS 1.2, but meets the security requirements for TLS 1.3 as well.

      Solution

      For TLS 1.2 three new cipher suites will be added to JSSE as defined in RFC 7905. They are:

      • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

      For TLS 1.3 one additional cipher suite will be added, as called out in RFC 8446:

      • TLS_CHACHA20_POLY1305_SHA256

      All four cipher suites will be part of the default-enabled collection of cipher suites. That said, these two collections of cipher suites are exclusive to specific protocol versions (i.e. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cannot be used with TLS 1.3, and TLS_CHACHA20_POLY1305_SHA256 may not be used for TLS 1.2). It is permissible to have all four cipher suites asserted in an initial ClientHello TLS handshake message, as the protocol version may not have been determined yet. In cases where the client protocol version is limited exclusively to TLS 1.2 or TLS 1.3, only those suites allowed by those protocol version will be asserted in the ClientHello.

      Specification

      There are no new public classes or methods as part of this feature. The new cipher suite names for TLS 1.2 have already been added to the "JSSE Cipher Suite Names" section of the "Java Security Standard Algorithm Names" document, but the TLS 1.3 suite is not currently present and will be added. All four names will also be added to the "JSSE Cipher Suite Parameters" section of the "Java Secure Socket Extension (JSSE) Reference Guide". The names themselves are identical to the cipher suite names listed in the Solution section.

      Standard Names:

      Cipher Suite Code Standard Name Valid for DTLS Exportable? Deprecated (Protocol) Introduced (Protocol) References
      0x13, 0x03 TLS_CHACHA20_POLY1305_SHA256 No No N/A TLSv1.3 RFC 7905

      JSSE Reference Guide:

      Standard Name Key Exchange Algorithm Bulk Cipher Algorithm Message Auth Algorithm
      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE_RSA ChaCha20 Poly1305
      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE_ECDSA ChaCha20 Poly1305
      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 DHE_RSA ChaCha20 Poly1305
      TLS_CHACHA20_POLY1305_SHA256 N/A ChaCha20 Poly1305

            abakhtin Alexey Bakhtin
            xuelei Xuelei Fan
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: