Posts

Showing posts from July, 2011

Java™ SE 7 Release Security Enhancements - Weak Cryptography Control

Weak cryptographic algorithms can now be disabled in the Java SE 7 release. The MD2 Message-Digest Algorithm was disabled by default in the Sun PKIX provider and the SunJSSE provider.

The MD2 algorithm is a cryptographic hash function developed by Ronald Rivest in 1989 and published in 1992 as an Informational RFC (RFC 1319). RFC 6149 moves RFC 1319/MD2 to historic status: "Since its publication, MD2 has been shown to not be collision-free, albeit successful collision attacks for properly implemented MD2 are not that damaging. Successful pre-image and second pre-image attacks against MD2 have been shown."

Although MD2 is no longer considered secure, it remains in use in public key infrastructures as part of certificates generated with MD2 and RSA. As a countermeasure to the vulnerability, Java SE has disabled the MD2 algorithm in certification path building and validation.

You may wonder, Java SE has disabled MD2 algorithm in certification path building and validation in the latest…

Time of ECC Algorithms in Web Services?

It's a question, and the answer depends on your application deployment. The browser market share in the following pie chart may be a factor in your consideration. From previous posts, I learned that out of the major market players, only Opera does not support ECC TLS cipher suites yet.

[Image: browser market share pie chart]

Oracle Launches Java 7

Source: www.oracle.com. Oracle has announced the availability of Java SE 7; you can download and try Java SE 7 right now.

You may also want to know about the Java™ SE 7 Release Security Enhancements. I may publish new posts introducing the new security features on this blog. Stay tuned!

JSSE Oracle Provider Preference of TLS Cipher Suites

| Preference Order | Value | Description |
|---|---|---|
| 1 | 0xC0,0x24 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| 2 | 0xC0,0x28 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| 3 | 0x00,0x3D | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 4 | 0xC0,0x26 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 |
| 5 | 0xC0,0x2A | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 |
| 6 | 0x00,0x6B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| 7 | 0x00,0x6A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| 8 | 0xC0,0x0A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| 9 | 0xC0,0x14 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| 10 | 0x00,0x35 | TLS_RSA_WITH_AES_256_CBC_SHA |
| 11 | 0xC0,0x05 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
| 12 | 0xC0,0x0F | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
| 13 | 0x00,0x39 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| 14 | 0x00,0x38 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| 15 | 0xC0,0x23 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| 16 | 0xC0,0x27 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| 17 | 0x00,0x3C | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| 18 | 0xC0,0x25 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 |
| 19 | 0xC0,0x29 | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 |
| 20 | 0x00,0x67 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| 21 | 0x00,0x40 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| 22 | 0xC0,0x09 | TL… |

Browser Safari Preference of TLS Cipher Suites

| Preference Order | Value | Description |
|---|---|---|
| 1 | 0x00,0x2F | TLS_RSA_WITH_AES_128_CBC_SHA |
| 2 | 0x00,0x35 | TLS_RSA_WITH_AES_256_CBC_SHA |
| 3 | 0x00,0x05 | TLS_RSA_WITH_RC4_128_SHA |
| 4 | 0x00,0x0A | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| 5 | 0xC0,0x13 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| 6 | 0xC0,0x14 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| 7 | 0xC0,0x09 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| 8 | 0xC0,0x0A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| 9 | 0x00,0x32 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| 10 | 0x00,0x38 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| 11 | 0x00,0x13 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| 12 | 0x00,0x04 | TLS_RSA_WITH_RC4_128_MD5 |

Note that the data comes from observing the TLS ClientHello message sent when visiting an HTTPS web site from Safari 5.1.

Browser Opera Preference of TLS Cipher Suites

| Preference Order | Value | Description |
|---|---|---|
| 1 | 0x00,0xFF | TLS_EMPTY_RENEGOTIATION_INFO_SCSV [1] |
| 2 | 0x00,0x6B | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |
| 3 | 0x00,0x6A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| 4 | 0x00,0x69 | TLS_DH_RSA_WITH_AES_256_CBC_SHA256 |
| 5 | 0x00,0x68 | TLS_DH_DSS_WITH_AES_256_CBC_SHA256 |
| 6 | 0x00,0x3D | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 7 | 0x00,0x39 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| 8 | 0x00,0x38 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| 9 | 0x00,0x37 | TLS_DH_RSA_WITH_AES_256_CBC_SHA |
| 10 | 0x00,0x36 | TLS_DH_DSS_WITH_AES_256_CBC_SHA |
| 11 | 0x00,0x35 | TLS_RSA_WITH_AES_256_CBC_SHA |
| 12 | 0x00,0x67 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |
| 13 | 0x00,0x40 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| 14 | 0x00,0x3F | TLS_DH_RSA_WITH_AES_128_CBC_SHA256 |
| 15 | 0x00,0x3E | TLS_DH_DSS_WITH_AES_128_CBC_SHA256 |
| 16 | 0x00,0x3C | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| 17 | 0x00,0x33 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| 18 | 0x00,0x32 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| 19 | 0x00,0x31 | TLS_DH_RSA_WITH_AES_128_CBC_SHA |
| 20 | 0x00,0x30 | TLS_DH_DSS_WITH_AES_128_CBC_SHA |
| 21 | 0x00,0x2F | TLS_RSA_WITH_AES_128_CBC_SHA |
| 22 | 0x00,0x05 | TLS_RSA_WITH_RC4_128_SHA |
| 23 | 0x00,0x04 | TLS_RSA_WITH_RC4… |

Google Chrome Preference of TLS Cipher Suites

| Preference Order | Value | Description |
|---|---|---|
| 1 | 0xC0,0x0A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| 2 | 0xC0,0x14 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| 3 | 0x00,0x88 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA |
| 4 | 0x00,0x87 | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA |
| 5 | 0x00,0x39 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| 6 | 0x00,0x38 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| 7 | 0xC0,0x0F | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
| 8 | 0xC0,0x05 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
| 9 | 0x00,0x84 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA |
| 10 | 0x00,0x35 | TLS_RSA_WITH_AES_256_CBC_SHA |
| 11 | 0xC0,0x07 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
| 12 | 0xC0,0x09 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| 13 | 0xC0,0x11 | TLS_ECDHE_RSA_WITH_RC4_128_SHA |
| 14 | 0xC0,0x13 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| 15 | 0x00,0x45 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA |
| 16 | 0x00,0x44 | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA |
| 17 | 0x00,0x66 | TLS_DHE_DSS_WITH_RC4_128_SHA |
| 18 | 0x00,0x33 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| 19 | 0x00,0x32 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| 20 | 0xC0,0x0C | TLS_ECDH_RSA_WITH_RC4_128_SHA |
| 21 | 0xC0,0x0E | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
| 22 | 0xC0,0x02 | TLS_ECDH_ECDSA_WITH_RC4_128_SHA |
| 23 | 0xC0… | |

Internet Explorer Preference of TLS Cipher Suites

| Preference Order | Value | Description |
|---|---|---|
| 1 | 0x00,0x3C | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| 2 | 0x00,0x2F | TLS_RSA_WITH_AES_128_CBC_SHA |
| 3 | 0x00,0x3D | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| 4 | 0x00,0x35 | TLS_RSA_WITH_AES_256_CBC_SHA |
| 5 | 0x00,0x05 | TLS_RSA_WITH_RC4_128_SHA |
| 6 | 0x00,0x0A | TLS_RSA_WITH_3DES_EDE_CBC_SHA |
| 7 | 0xC0,0x27 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| 8 | 0xC0,0x13 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| 9 | 0xC0,0x14 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| 10 | 0xC0,0x2B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| 11 | 0xC0,0x23 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| 12 | 0xC0,0x2C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| 13 | 0xC0,0x24 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| 14 | 0xC0,0x09 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| 15 | 0xC0,0x0A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| 16 | 0x00,0x40 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |
| 17 | 0x00,0x32 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| 18 | 0x00,0x6A | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |
| 19 | 0x00,0x38 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| 20 | 0x00,0x13 | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |
| 21 | 0x00,0x04 | TLS_RSA_WITH_RC4_128_MD5 |

Note that the data was from the observation of th…

Firefox Preference of TLS Cipher Suites

| Order | Value | Description |
|---|---|---|
| 1 | 0xC0,0x0A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| 2 | 0xC0,0x14 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| 3 | 0x00,0x88 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA |
| 4 | 0x00,0x87 | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA |
| 5 | 0x00,0x39 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA |
| 6 | 0x00,0x38 | TLS_DHE_DSS_WITH_AES_256_CBC_SHA |
| 7 | 0xC0,0x0F | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA |
| 8 | 0xC0,0x05 | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA |
| 9 | 0x00,0x84 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA |
| 10 | 0x00,0x35 | TLS_RSA_WITH_AES_256_CBC_SHA |
| 11 | 0xC0,0x07 | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA |
| 12 | 0xC0,0x09 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| 13 | 0xC0,0x11 | TLS_ECDHE_RSA_WITH_RC4_128_SHA |
| 14 | 0xC0,0x13 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| 15 | 0x00,0x45 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA |
| 16 | 0x00,0x44 | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA |
| 17 | 0x00,0x33 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA |
| 18 | 0x00,0x32 | TLS_DHE_DSS_WITH_AES_128_CBC_SHA |
| 19 | 0xC0,0x0C | TLS_ECDH_RSA_WITH_RC4_128_SHA |
| 20 | 0xC0,0x0E | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA |
| 21 | 0xC0,0x02 | TLS_ECDH_ECDSA_WITH_RC4_128_SHA |
| 22 | 0xC0,0x04 | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA |
| 23 | 0x00,0x9… | |

Compare TLS Cipher Suites for Web Browsers

The following table compares the default TLS cipher suites supported and enabled by web browsers [SOURCE] and Java SE 7. The comparison is not meant to show which browser is better; it is just a reference. ;-) Nor does it mean that the more cipher suites a browser supports, the better the browser is.

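| Value | Description | Reference | Firefox 5.0 | IE 9.0 | Chrome 14.0 | Opera 11.50 | Safari 5.0 | Java SE 7 |
|---|---|---|---|---|---|---|---|---|
| 0x00,0x00 | TLS_NULL_WITH_NULL_NULL | [RFC5246] | | | | | | |
| 0x00,0x01 | TLS_RSA_WITH_NULL_MD5 | [RFC5246] | | | | | | |
| 0x00,0x02 | TLS_RSA_WITH_NULL_SHA | [RFC5246] | | | | | | |
| 0x00,0x03 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | [RFC4346] | | | | | | |
| 0x00,0x04 | TLS_RSA_WITH_RC4_128_MD5 | [RFC5246] | | | | | | |
| 0x00,0x05 | TLS_RSA_WITH_RC4_128_SHA | [RFC5246] | | | | | | |
| 0x00,0x06 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | [RFC4346] | | | | | | |
| 0x00,0x07 | TLS_RSA_WITH_IDEA_CBC_SHA | [RFC5469] | | | | | | |
| 0x00,0x08 | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] | | | | | | |
| 0x00,0x09 | TLS_RSA_WITH_DES_CBC_SHA | [RFC5469] | | | | | | |
| 0x00,0x0A | TLS_RSA_WITH_3DES_EDE_CBC_SHA | [RFC5246] | | | | | | |
| 0x00,0x0B | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] | | | | | | |
| 0x00,0x0C | TLS_DH_DSS_WITH_DES_CBC_SHA | [RF… | | | | | | |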