- Increase the length of the encryption key. This may negatively impact performance.
- Use a different encryption algorithm, for example, Elliptic Curve Cryptography (ECC). In next-generation key technology, RSA will be 2048 bits and ECC will be 224 bits. Note that these two types of keys have the same encryption strength.
In this blog, I will summarize the steps needed for using HTTPS with ECC with the following configuration:
- GlassFish or Sun Java System Application Server 9
- The latest version of JDK 6 (beta2 - b81 or later)
- The latest version of NSS 3.11.1.
- For WinXP, you can download NSS and NSPR, and unzip them to the directory c:\nss\lib.
- For other platforms, you compile the NSS libraries as described in the instructions.
- The steps below assume that GlassFish is installed in c:\export\glassfish, JDK 6 is installed in c:\jdk6 and the NSS binaries are located in c:\nss\lib.
- Configure your operating environment to run GlassFish, JDK 6, and NSS.
  - For example, in Windows, set the path variable as shown here:
    set path=c:\jdk6\bin;c:\nss\lib;c:\export\glassfish\bin;%path%
  - For example, in Unix ksh, export these environment variables:
    export PATH=/jdk6/bin:/export/glassfish/bin:$PATH
    export LD_LIBRARY_PATH=/nss/lib:$LD_LIBRARY_PATH
- Create a provider configuration for NSS in c:\ecc\nss.cfg as follows:
    name=NSS
    nssLibraryDirectory=c:\\nss\\lib
    nssDbMode=noDb
    attributes=compatibility
- Add the NSS provider to the JDK 6 configuration by adding the following line to the file c:\jdk6\jre\lib\security\java.security:
    security.provider.10=sun.security.pkcs11.SunPKCS11 c:\\ecc\\nss.cfg
- Create an ECC key in the JKS keystore using keytool, where ${HOST} is the hostname of your machine:
    c:
    cd \export\glassfish\domains\domain1\config
    keytool -genkeypair -alias myecc -keyalg EC -keysize 224 -keystore keystore.jks -storepass changeit -dname "CN=${HOST}, OU=ECC Test 224, O=GlassFish" -keypass changeit
- Update the version of the JDK used by GlassFish by updating the value of AS_JAVA in the file c:\export\glassfish\config\asenv.bat.
- Start the GlassFish server if necessary:
    asadmin start-domain domain1
- Update the certificate nickname of the HTTP listener http-listener-2 to myecc using the Admin Console, which can be accessed by entering the following URL in your browser: http://serverName:4848
- Stop and then restart the GlassFish server in order for the changes to take effect:
    asadmin stop-domain domain1
    asadmin start-domain domain1
- To access HTTPS with ECC, install the latest versions of the web browsers, as only the latest versions have support for ECC. The latest versions can be found here. If you try to access https://serverName:8181 using your existing browser, you will see an error message like this: "cannot communicate securely because they have no common encryption algorithms."
- Configure the latest version of the browser to use an ECC algorithm, for example, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, by following these steps:
  - Open your web browser.
  - Enter the following URL in the browser: about:config
  - In this window, set Filter to security.
  - Select and double click ssl3.ecdh_ecdsa_aes_128_sha.
Now you can access https://serverName:8181; the browser will prompt you to accept the certificate, and you can verify that this is the ECC certificate that you just created.
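Before pointing a browser at the listener, it is worth checking from the JDK side that the three pieces the steps above depend on are actually in place: the NSS provider is registered, the keystore alias really holds an EC key of the expected size, and the JSSE can offer ECDHE_ECDSA cipher suites. The following Java program is an added example of such a check; it is not part of GlassFish, the JDK or this post. It assumes the keystore file, the password changeit and the alias myecc from the keytool command above, and that the provider name is SunPKCS11-NSS, which SunPKCS11 derives from the name=NSS line in nss.cfg.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Sanity check for the ECC/NSS setup (added example, not GlassFish or JDK code).
 * Assumptions: keystore.jks from domain1/config, store password "changeit",
 * alias "myecc", and an NSS provider registered in java.security with name=NSS.
 */
public class EccSetupCheck {

    // SunPKCS11 names the provider "SunPKCS11-" + the "name=" value in nss.cfg.
    static final String NSS_PROVIDER = "SunPKCS11-NSS";

    /** Returns true when the PKCS#11 provider backed by NSS is registered. */
    static boolean nssProviderLoaded() {
        Provider p = Security.getProvider(NSS_PROVIDER);
        return p != null;
    }

    /**
     * Returns the curve field size in bits of the certificate stored under alias,
     * or -1 when the alias is missing or does not hold an EC public key.
     */
    static int ecKeySizeBits(String keystorePath, char[] storePass, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(keystorePath);
        try {
            ks.load(in, storePass);
        } finally {
            in.close();
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null || !(cert.getPublicKey() instanceof ECPublicKey)) {
            return -1;
        }
        ECPublicKey pub = (ECPublicKey) cert.getPublicKey();
        // For the 224-bit key created above this is 224 (the secp224r1 field size).
        return pub.getParams().getCurve().getField().getFieldSize();
    }

    /** Lists the ECDHE_ECDSA suites the default SSLContext is able to negotiate. */
    static List<String> ecdsaSuites() throws Exception {
        List<String> out = new ArrayList<String>();
        String[] all = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        for (String suite : all) {
            if (suite.contains("ECDHE_ECDSA")) {
                out.add(suite);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String ksPath = args.length > 0 ? args[0] : "keystore.jks";
        System.out.println("NSS provider registered: " + nssProviderLoaded());
        int bits = ecKeySizeBits(ksPath, "changeit".toCharArray(), "myecc");
        System.out.println(bits < 0
                ? "alias myecc is not an EC key"
                : "alias myecc curve size: " + bits + " bits");
        System.out.println("ECDHE_ECDSA suites offered: " + ecdsaSuites());
    }
}
```

Run it with the same JDK 6 whose java.security you edited, for example `java EccSetupCheck c:\export\glassfish\domains\domain1\config\keystore.jks`. If the provider line prints false, the security.provider entry or the path to nss.cfg is wrong; if the suite list is empty, the server cannot negotiate an ECDSA suite at all, which is exactly the "no common encryption algorithms" failure a browser reports.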
A preliminary benchmark of HTTPS with ECC in GlassFish on the Windows XP platform shows that the performance of ECC is double that of RSA in next-generation key technology.
More details on using JDK 6 with NSS can be found in Andreas's blog: Elliptic Curve Cryptography in Java.