Type: CSR
Resolution: Unresolved
Priority: P4
Component/s: security-libs
Compatibility Kind: behavioral
Compatibility Risk: low
Compatibility Risk Description: Default SSL client or server can be incompatible with a party that demands FFDHE 6144 or 8192.
Interface Kind: Other
Scope: Implementation
Summary
Remove rarely used groups FFDHE_6144 and FFDHE_8192 from default list of TLS named groups.
After this change, when both the server and the client run with the default setup, these two key exchange options will not be offered by either side during the TLS handshake.
This lowers the maximum security level available by default; however, the 6144- and 8192-bit sizes are rarely used and computationally expensive.
After this fix, applications that still need these groups must enable them explicitly, for example:
-Djdk.tls.namedGroups=ffdhe6144,ffdhe8192
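The system property above re-enables the groups JVM-wide. As an added example (not part of the CSR or the JDK change), the following shows how to opt a single connection back in through `SSLParameters.setNamedGroups`, which exists since JDK 20; the default list it merges with is the one from this CSR's Specification section, and the host name is a placeholder.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.Arrays;

public class FfdheGroupsExample {
    // Default named groups after this change (from the Specification section).
    static final String[] DEFAULT_GROUPS = {
        "x25519mlkem768", "x25519", "secp256r1", "secp384r1", "secp521r1",
        "x448", "ffdhe2048", "ffdhe3072", "ffdhe4096"
    };
    // Groups removed from the default and therefore needing explicit enablement.
    static final String[] LARGE_FFDHE = {"ffdhe6144", "ffdhe8192"};

    /** Appends ffdhe6144/ffdhe8192 to the group list of one SSLParameters only. */
    static SSLParameters withLargeFfdhe(SSLParameters params) {
        // getNamedGroups() returns null when nothing was set explicitly,
        // meaning the JDK default (or jdk.tls.namedGroups) applies.
        String[] current = params.getNamedGroups();
        String[] base = current != null ? current : DEFAULT_GROUPS;
        String[] merged = Arrays.copyOf(base, base.length + LARGE_FFDHE.length);
        System.arraycopy(LARGE_FFDHE, 0, merged, base.length, LARGE_FFDHE.length);
        params.setNamedGroups(merged);   // must happen before the handshake starts
        return params;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);      // default key/trust managers
        // "example.invalid" is a placeholder host; no connection is opened here.
        SSLEngine engine = ctx.createSSLEngine("example.invalid", 443);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        System.out.println("explicit groups before: "
                + Arrays.toString(params.getNamedGroups()));   // null = JDK default
        engine.setSSLParameters(withLargeFfdhe(params));
        System.out.println("explicit groups after:  "
                + Arrays.toString(engine.getSSLParameters().getNamedGroups()));
    }
}
```

Scoping the larger groups to the connections that really require them keeps the rest of the JVM on the cheaper default list.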
Problem
The named groups list enumerates the algorithms and parameters that may be used to establish a shared secret between a client and a server during the TLS handshake.
Currently the following named groups are offered: x25519mlkem768, x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192
For the FFDHE* (Finite Field Diffie-Hellman Ephemeral) groups, where the number denotes the size of the modulus in bits, ffdhe2048 (112-bit security) is the minimum acceptable level, ffdhe3072 (128-bit security) offers a good balance between speed and security, and ffdhe4096 offers additional margin for high-security or long-term protection scenarios.
The last two groups (ffdhe6144 and ffdhe8192) are computationally expensive and cause more memory pressure, and are thus rarely used in practice.
Considerations:
- Most applications don't need security levels above 128 bits.
- Elliptic curves (x25519, P-256) provide equivalent security with better performance.
- 10-30x higher CPU load (rough numbers for comparison: ffdhe6144 40-150 ms for the private key / 100-400 ms for the public key / 100-400 ms for the shared secret; ffdhe3072 5-20 ms for the private key / 10-30 ms for the public key / 10-30 ms for the shared secret).
- Longer handshake time (ffdhe6144: 200-800 ms, ffdhe3072: 50-100 ms).
- 5-8x higher memory usage (ffdhe6144: 10-18 KB per handshake, ffdhe3072: 4-5 KB per handshake).
- Can cause timeouts.
- Additional battery drain on mobile/embedded devices.
Solution
This change removes the last two groups (ffdhe6144 and ffdhe8192) from the above list.
The 6144- and 8192-bit prime sizes may still be required in some settings:
- Government/military applications may require security levels above 128 bits.
- Some security standards mandate the availability of high-security options.
- Regulatory requirements apply in certain industries.
Long-term considerations can also be a reason to keep them available:
- Data encrypted today may need protection for 20+ years.
- Cryptographic algorithms weaken over time.
- They may need to be re-enabled later as security requirements evolve.
Specification
Leave only the following entries in the TLS named groups list: x25519mlkem768, x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096
PR: https://github.com/openjdk/jdk/pull/29577
Diff for archival purposes is attached.
CSR of: JDK-8373426 Remove ffdhe6144 and ffdhe8192 from default list of TLS named groups (Open)