JDK-8330843

Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11


    • behavioral
    • minimal
      When the SunPKCS11 provider configuration attribute "cipherTextStealingVariant" is unspecified, the CKM_AES_CTS mechanism is disabled (except for NSS whose implementation variant is already known to be CS1). If CKM_AES_CTS is disabled, existing applications will not use the newly added CTS support from the SunPKCS11 provider and there should be no impact to them.
      Users are required to know which CTS variant is implemented by the underlying PKCS #11 library and set the configuration accordingly. SunPKCS11 provider will adjust the output data based on the value of the "cipherTextStealingVariant" attribute. The output data is always in the CS3 variant in order to maintain interoperability with the AES/CTS/NoPadding implementation of the SunJCE provider.
    • Other
    • JDK

      Summary

      Update the SunPKCS11 security provider to support the AES CBC with Ciphertext Stealing (CBC-CTS) Cipher algorithm for keys of 128, 192 and 256 bits. The underlying PKCS #11 library must support the CKM_AES_CTS mechanism for this feature to be available. In addition, the SunPKCS11 configuration attribute cipherTextStealingVariant must be set for non-NSS PKCS #11 libraries.

      Problem

      The SunPKCS11 security provider does not support the PKCS #11 CKM_AES_CTS native mechanism implementation from the underlying PKCS #11 library.

      Applications doing Kerberos authentication in environments where stronger algorithms are needed may use CTS-based encryption types such as aes256-cts-hmac-sha384-192. This lack of CTS support makes the SunJGSS security provider unable to do Kerberos authentication using the SunPKCS11 provider in such environments.

      Find more information about the PKCS #11 mechanism CKM_AES_CTS below:

      The mechanism definition of CKM_AES_CTS refers to the Addendum to NIST Special Publication 800-38A, "Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode", but does not prescribe which CTS variant to use. This left the door open for PKCS #11 implementers to make different assumptions and create interoperability issues. For example, the NSS Software Token implemented the CS1 variant (see here), but a public clarification had to be given here. Other PKCS #11 libraries may implement different variants, whereas the CS3 variant is the most popular choice, since the SunJCE provider and Kerberos authentication use this variant.

      Solution

      Enhance the SunPKCS11 provider to support the following AES CTS transformations for the Cipher service type:

      • AES/CTS/NoPadding
      • AES_128/CTS/NoPadding
      • AES_192/CTS/NoPadding
      • AES_256/CTS/NoPadding

      To ensure interoperability with SunJCE and Kerberos, the SunPKCS11 provider needs to know the variant implemented by the underlying PKCS #11 library and convert the data if it is not in the CS3 variant. A new SunPKCS11 provider configuration attribute named cipherTextStealingVariant is introduced and must be set to one of the following values: CS1, CS2 or CS3, to indicate the CTS variant of the underlying PKCS #11 library, except for NSS, which is known to be CS1.
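      The conversion between variants is only a reordering of the last two ciphertext blocks, which is why a provider can perform it without the key. The following is an added illustration, not the JDK's SunPKCS11 code: it re-lays out the tail of a CBC-CTS ciphertext between CS1, CS2 and CS3 as defined in the NIST SP 800-38A Addendum, including the d = b case where CS2 coincides with CS1 rather than CS3. The block values in the usage section are constructed, not real AES output.

```python
"""Reorder the tail of an AES-CBC-CTS ciphertext between the CS1, CS2 and
CS3 variants of the NIST SP 800-38A Addendum.

All three variants produce the same blocks and differ only in the order of
the last two: the full block C_n and the truncated block C_{n-1}* (d bytes,
1 <= d <= 16).  Added example; not the JDK's SunPKCS11 implementation.
"""

BLOCK = 16  # AES block size in bytes


def _cn_first(variant: str, d: int) -> bool:
    """True when the variant places the full block C_n before C_{n-1}*."""
    if variant == "CS1":
        return False                 # never swapped
    if variant == "CS2":
        return d < BLOCK             # swapped only if the final block is partial
    if variant == "CS3":
        return True                  # always swapped (SunJCE, Kerberos RFC 3962)
    raise ValueError(f"unknown CTS variant {variant!r}")


def convert_cts(ct: bytes, src: str, dst: str) -> bytes:
    """Return `ct`, a `src`-variant ciphertext, laid out as the `dst` variant."""
    if len(ct) < BLOCK:
        raise ValueError("CTS needs at least one full block of ciphertext")
    d = len(ct) % BLOCK or BLOCK         # length of the truncated block C_{n-1}*
    src_swapped, dst_swapped = _cn_first(src, d), _cn_first(dst, d)
    if len(ct) == BLOCK or src_swapped == dst_swapped:
        return ct                        # single block, or layouts already agree
    head, tail = ct[:-(BLOCK + d)], ct[-(BLOCK + d):]
    if src_swapped:
        c_n, c_n1 = tail[:BLOCK], tail[BLOCK:]
    else:
        c_n1, c_n = tail[:d], tail[d:]
    return head + (c_n + c_n1 if dst_swapped else c_n1 + c_n)


if __name__ == "__main__":
    # Constructed sample: C_1 is 16 bytes, C_n is 16 bytes, C_{n-1}* is 5 bytes.
    head, c_n, c_n1 = b"1" * BLOCK, b"N" * BLOCK, b"S" * 5
    cs1 = head + c_n1 + c_n              # what a CS1 library (e.g. NSS) returns
    print(convert_cts(cs1, "CS1", "CS3") == head + c_n + c_n1)   # True
```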

      Specification

      Make the following changes to the PKCS#11 Reference Guide.

      Update Table 5-1 Attributes in the PKCS#11 Provider Configuration File to add the following row:

      Attribute: cipherTextStealingVariant
      Value: One of CS1, CS2, or CS3
      Description: Specifies the CTS variant used by the PKCS#11 implementation, as described in Addendum to NIST Special Publication 800-38A, "Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode". For maximum interoperability, the SunPKCS11 provider uses the CS3 variant and will handle the data conversion if CS1 or CS2 is specified. If no variant is specified, the CKM_AES_CTS mechanism is disabled except for NSS whose implementation is known to be CS1.

      Update Table 5-3 Java Algorithms Supported by the SunPKCS11 Provider to add the following rows:

      Java Algorithm                  PKCS#11 Mechanisms
      Cipher.AES/CTS/NoPadding        CKM_AES_CTS
      Cipher.AES_128/CTS/NoPadding    CKM_AES_CTS
      Cipher.AES_192/CTS/NoPadding    CKM_AES_CTS
      Cipher.AES_256/CTS/NoPadding    CKM_AES_CTS

            fferrari Francisco Ferrari Bihurriet
            Valerie Peng