Java and security bits
Firefox 2.0, ECC, and Java
Firefox 2.0 was just released today; you should get it! Among many other features it includes support for SSL/TLS ciphersuites that utilize Elliptic Curve Cryptography (ECC). They interoperate very nicely with the ECC support in JDK 6 that I described some time ago (here and here).
As Firefox enables these ciphersuites by default, you can try this out by visiting an ECC enabled HTTPS site such as this one. If you are using Firefox 2.0, it will probably tell you Negotiated ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, which means it used ECDSA to authenticate the server and an ephemeral ECDH key exchange to derive the session key.
Sun's Java implementation does not (yet) support ECC out of the box, so you will need to configure the JRE to use an ECC crypto provider such as SunPKCS11 with the NSS library, as described in my earlier blog entries.
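As an added illustration of that setup (example code, not the SSLServer program from this post), the following JDK 6 program registers SunPKCS11 backed by NSS, loads the server's EC key from a PKCS#12 file, and enables only the ciphersuites matching .*_EC.*, which is what the -ciphersuites option in the command line further down does. The NSS library directory, the keystore file name and the password are assumed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

public class EccTlsServer {
    public static void main(String[] args) throws Exception {
        // 1. Register SunPKCS11 on top of the NSS softoken (JDK 6 constructor).
        //    nssDbMode = noDb: no NSS certificate database is needed for EC math.
        String cfg = "name = NSS\n"
                   + "nssLibraryDirectory = /usr/lib\n"   // assumption: where libsoftokn3 lives
                   + "nssDbMode = noDb\n";
        Provider nss = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(cfg.getBytes("UTF-8")));
        Security.addProvider(nss);  // supplies EC KeyFactory, ECDH and ECDSA to JSSE

        // 2. Load the server's EC private key and certificate (placeholder file/password).
        char[] password = "password".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream("server.p12"), password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);

        // 3. Keep only ECC suites; an empty list means the provider is not active.
        SSLServerSocket server =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8083);
        List<String> ecc = new ArrayList<String>();
        for (String suite : server.getSupportedCipherSuites()) {
            if (suite.matches(".*_EC.*")) ecc.add(suite);
        }
        if (ecc.isEmpty()) throw new IllegalStateException("no ECC suites available");
        server.setEnabledCipherSuites(ecc.toArray(new String[ecc.size()]));

        // 4. Accept one client (e.g. Firefox 2.0) and report the negotiated suite.
        SSLSocket client = (SSLSocket) server.accept();
        client.startHandshake();
        System.out.println("Negotiated: " + client.getSession().getCipherSuite());
        client.close();
        server.close();
    }
}
```

Run it with -Djavax.net.debug=ssl to get output like the trace below; if step 3 throws, the SunPKCS11 configuration (usually nssLibraryDirectory) is wrong.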
For the morbidly curious, the JSSE debug output for an ECC TLS handshake with Firefox 2.0 is shown below:
bin/java -cp classes -Djavax.net.debug=ssl SSLServer -password password -port 8083 -p12 pkcs12/secp256r1server-secp256r1ca.p12 -ciphersuites .*_EC.*
Adding NSS provider...
keyStore is : pkcs12/secp256r1server-secp256r1ca.p12
keyStore type is : PKCS12
keyStore provider is :
init keystore
init keymanager of type SunX509
***
found key for : secp256r1server-secp256r1ca
chain [0] = [
[
Version: V1
Subject: CN=dev.experimentalstuff.com, OU=Test Server (secp256r1server-secp256r1ca), O=Sun Microsystems Laboratories, L=Mountain View, ST=CA, C=US
Signature Algorithm: SHA1withECDSA, OID = 1.2.840.10045.4.1
Key: SunPKCS11-NSS EC public key, 256 bits (id 1, session object)
public x coord: 32131082739532309006052354335386898145283035488892917034979324518693567360460
public y coord: 108304381050564926916211693822155985180348458417372376821658769170362639725898
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
Validity: [From: Tue Dec 06 13:30:15 PST 2005,
To: Thu Jan 14 13:30:15 PST 2010]
Issuer: CN=dev.experimentalstuff.com, OU=Test CA (secp256r1), O=Sun Microsystems Laboratories, L=Mountain View, ST=CA, C=US
SerialNumber: [ a0dd4f0c 73b5c23a]
]
Algorithm: [SHA1withECDSA]
Signature:
0000: 30 45 02 20 7F BE 32 64 5A 63 B2 21 C9 27 22 E8 0E. ..2dZc.!.'".
0010: 71 9F B0 00 83 A2 D9 43 0E DE A4 BE 92 4E 09 35 q......C.....N.5
0020: D0 4B 41 BC 02 21 00 C0 D0 3E E3 FC 15 78 4B ED .KA..!...>...xK.
0030: 8D E9 DD 80 B5 FB 89 C3 4A DF 72 F9 DD F2 BD 0A ........J.r.....
0040: A8 99 A2 F7 E2 C3 BA .......
]
***
trustStore is: pkcs12/secp256r1server-secp256r1ca.p12
trustStore type is : PKCS12
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=dev.experimentalstuff.com, OU=Test Server (secp256r1server-secp256r1ca), O=Sun Microsystems Laboratories, L=Mountain View, ST=CA, C=US
Issuer: CN=dev.experimentalstuff.com, OU=Test CA (secp256r1), O=Sun Microsystems Laboratories, L=Mountain View, ST=CA, C=US
Algorithm: EC; Serial number: 0xa0dd4f0c73b5c23a
Valid from Tue Dec 06 13:30:15 PST 2005 until Thu Jan 14 13:30:15 PST 2010
trigger seeding of SecureRandom
done seeding SecureRandom
Listening...
matching alias: secp256r1server-secp256r1ca
Connection from /127.0.0.1
Thread-0, READ: TLSv1 Handshake, length = 185
*** ClientHello, TLSv1
RandomCookie: GMT: 15888 bytes = { 64, 161, 128, 199, 146, 107, 162, 95, 29, 73, 13, 5, 223, 120, 148, 21, 50, 68, 61, 200, 17, 226, 46, 42, 77, 179, 114, 175 }
Session ID: {69, 62, 246, 109, 153, 30, 123, 84, 183, 67, 29, 156, 133, 193, 76, 64, 230, 194, 153, 93, 254, 242, 146, 178, 173, 144, 51, 34, 153, 248, 234, 163}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension server_name, [host_name: dev.experimentalstuff.com]
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
***
%% Created: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie: GMT: 1161756607 bytes = { 253, 125, 68, 91, 100, 9, 6, 184, 5, 4, 122, 216, 183, 79, 152, 18, 205, 16, 151, 32, 138, 154, 67, 155, 128, 162, 222, 236 }
Session ID: {69, 63, 0, 191, 127, 74, 29, 254, 94, 30, 26, 14, 173, 161, 253, 198, 208, 57, 252, 107, 203, 64, 38, 187, 181, 66, 145, 180, 38, 76, 234, 141}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Compression Method: 0
***
Cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=dev.experimentalstuff.com, OU=Test Server (secp256r1server-secp256r1ca), O=Sun Microsystems Laboratories, L=Mountain View, ST=CA, C=US
Signature Algorithm: SHA1withECDSA, OID = 1.2.840.10045.4.1
Key: SunPKCS11-NSS EC public key, 256 bits (id 1, session object)
public x coord: 32131082739532309006052354335386898145283035488892917034979324518693567360460
public y coord: 108304381050564926916211693822155985180348458417372376821658769170362639725898
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
Validity: [From: Tue Dec 06 13:30:15 PST 2005,
To: Thu Jan 14 13:30:15 PST 2010]
Issuer: CN=dev.experimentalstuff.com, OU=Test CA (secp256r1), O=Sun Microsystems Laboratories, L=Mountain View, ST=CA, C=US
SerialNumber: [ a0dd4f0c 73b5c23a]
]
Algorithm: [SHA1withECDSA]
Signature:
0000: 30 45 02 20 7F BE 32 64 5A 63 B2 21 C9 27 22 E8 0E. ..2dZc.!.'".
0010: 71 9F B0 00 83 A2 D9 43 0E DE A4 BE 92 4E 09 35 q......C.....N.5
0020: D0 4B 41 BC 02 21 00 C0 D0 3E E3 FC 15 78 4B ED .KA..!...>...xK.
0030: 8D E9 DD 80 B5 FB 89 C3 4A DF 72 F9 DD F2 BD 0A ........J.r.....
0040: A8 99 A2 F7 E2 C3 BA .......
]
***
*** ECDH ServerKeyExchange
Server key: SunPKCS11-NSS EC public key, 256 bits (id 4, session object)
public x coord: 41103551421670399341109836546875106890936913242778497772126996963565414237940
public y coord: 239613684122793889555242688840662389694935726465297515556106527987677658165
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
Thread-0, WRITE: TLSv1 Handshake, length = 811
Thread-0, READ: TLSv1 Handshake, length = 70
*** ECDHClientKeyExchange
ECDH Public value: { 4, 203, 29, 110, 133, 147, 5, 220, 231, 168, 164, 2, 246, 207, 244, 15, 53, 226, 183, 34, 159, 145, 237, 3, 5, 116, 206, 129, 26, 185, 56, 23, 1, 77, 143, 62, 113, 35, 33, 205, 197, 222, 186, 246, 230, 80, 110, 6, 58, 209, 190, 83, 64, 171, 238, 106, 235, 142, 14, 116, 83, 177, 185, 159, 119 }
Finalizer, called close()
Finalizer, called closeInternal(true)
Finalizer, SEND TLSv1 ALERT: warning, description = close_notify
Finalizer, WRITE: TLSv1 Alert, length = 2
SESSION KEYGEN:
PreMaster Secret:
0000: 77 B3 89 45 81 06 95 72 1E EE 7F A8 B6 1A 78 71 w..E...r......xq
0010: 0B 96 16 FE 1B 12 43 69 DE 0A BA 0C A5 3A 41 9D ......Ci.....:A.
CONNECTION KEYGEN:
Client Nonce:
0000: 00 00 3E 10 40 A1 80 C7 92 6B A2 5F 1D 49 0D 05 ..>.@....k._.I..
0010: DF 78 94 15 32 44 3D C8 11 E2 2E 2A 4D B3 72 AF .x..2D=....*M.r.
Server Nonce:
0000: 45 3F 00 BF FD 7D 44 5B 64 09 06 B8 05 04 7A D8 E?....D[d.....z.
0010: B7 4F 98 12 CD 10 97 20 8A 9A 43 9B 80 A2 DE EC .O..... ..C.....
Master Secret:
0000: 1B 70 B1 AF BF 7C 0B C5 BC B0 5A 79 20 98 B7 BF .p........Zy ...
0010: 39 C3 4E 0F E1 AC BC 67 F2 C4 24 6D 3A 4A E0 C8 9.N....g..$m:J..
0020: 21 78 25 14 92 EC 1A 5B 6F 8F 19 9E 27 4B 71 71 !x%....[o...'Kqq
Client MAC write Secret:
0000: 43 FB F8 40 62 B3 38 AA F0 A8 5B 99 8A 5D 78 97 C..@b.8...[..]x.
0010: A0 C6 45 06 ..E.
Server MAC write Secret:
0000: 9F B5 91 77 85 41 93 B5 B2 AB 8D 7E 94 DC 30 FB ...w.A........0.
0010: 08 F6 78 A0 ..x.
Client write key:
0000: 31 49 24 99 73 3C 66 6D 0C F2 BC A7 6A 34 19 AC 1I$.s<fm....j4..
0010: A3 B0 DA F8 8A 57 18 B1 E5 A2 3F FF 9C 3E 3A A1 .....W....?..>:.
Server write key:
0000: 3F F3 3D 37 44 7C B8 19 60 1E 56 D0 CE D2 20 07 ?.=7D...`.V... .
0010: EE FD 21 85 3F A5 07 5F 81 65 D7 D5 D4 98 03 FF ..!.?.._.e......
Client write IV:
0000: 0D 75 A3 41 22 59 67 E8 35 E8 F8 DC 35 57 AB AD .u.A"Yg.5...5W..
Server write IV:
0000: F8 02 F5 1D F5 05 A4 0A 0B 75 78 84 E3 F2 F9 38 .........ux....8
Thread-0, READ: TLSv1 Change Cipher Spec, length = 1
Thread-0, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data: { 193, 184, 147, 61, 66, 171, 182, 226, 135, 95, 174, 87 }
***
Thread-0, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 25, 166, 97, 246, 183, 66, 43, 44, 142, 13, 157, 113 }
***
Thread-0, WRITE: TLSv1 Handshake, length = 48
%% Cached server session: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA]
%% Invalidated: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA]
Ciphersuite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Thread-0, READ: TLSv1 Application Data, length = 672
Thread-0, WRITE: TLSv1 Application Data, length = 368
Thread-0, called close()
Thread-0, called closeInternal(true)
Thread-0, SEND TLSv1 ALERT: warning, description = close_notify
Thread-0, WRITE: TLSv1 Alert, length = 32
Thread-0, called close()
Thread-0, called closeInternal(true)
Posted at 23:09 Oct 24, 2006 by Andreas Sterbenz in Java |