Support for NSA-approved algorithms?

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Support for NSA-approved algorithms?

Ernie Kovak
Hello -

The NSA has issued a memorandum (see https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm) calling out their favorite crypto algorithms, and some agencies are now asking contractors to use them in addition to (or in lieu of?) FIPS 140-2 validated providers.

The application I work on is written in Java and uses BCFIPS for its JSSE and TLS provider. Is it possible to specify which crypto algorithms and elliptic curves, etc., the BC provider will use when putting together an SSL connection?

Thanks!
Ernie
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Support for NSA-approved algorithms?

john.kewley

I like Firefox's response to that link:

 

Your connection is not secure

 

The owner of www.iad.gov has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

 

JK

 

From: Ernie Kovak [mailto:[hidden email]]
Sent: Tuesday, April 04, 2017 3:15 PM
To: [hidden email]
Subject: [dev-crypto] Support for NSA-approved algorithms?

 

Hello -

 

The NSA has issued a memorandum (see https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm) calling out their favorite crypto algorithms, and some agencies are now asking contractors to use them in addition to (or in lieu of?) FIPS 140-2 validated providers.

 

The application I work on is written in Java and uses BCFIPS for its JSSE and TLS provider. Is it possible to specify which crypto algorithms and elliptic curves, etc., the BC provider will use when putting together an SSL connection?

 

Thanks!

Ernie

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Support for NSA-approved algorithms?

David Hook-3
In reply to this post by Ernie Kovak

I think you might be able to do this using the
jdk.tls.disabledAlgorithms setting - you'll find it in the java.security
file. I think adding

EC keySize != 384

might do it.

Regards,

David

On 05/04/17 00:15, Ernie Kovak wrote:

> Hello -
>
> The NSA has issued a memorandum
> (see https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm)
> calling out their favorite crypto algorithms, and some agencies are
> now asking contractors to use them in addition to (or in lieu of?)
> FIPS 140-2 validated providers.
>
> The application I work on is written in Java and uses BCFIPS for its
> JSSE and TLS provider. Is it possible to specify which crypto
> algorithms and elliptic curves, etc., the BC provider will use when
> putting together an SSL connection?
>
> Thanks!
> Ernie



Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

RE: Support for NSA-approved algorithms?

Eckenfels. Bernd
Starting with the latest Java 8 update 121 you can also specify the named groups system property to limit to P-384.

    jdk.tls.namedGroups="secp384r1"


Sorry for beeing off-topic

--
http://www.seeburger.com
________________________________________
From: David Hook [[hidden email]]
Sent: Thursday, April 06, 2017 01:35
To: [hidden email]
Subject: Re: [dev-crypto] Support for NSA-approved algorithms?

I think you might be able to do this using the
jdk.tls.disabledAlgorithms setting - you'll find it in the java.security
file. I think adding

EC keySize != 384

might do it.

Regards,

David

On 05/04/17 00:15, Ernie Kovak wrote:

> Hello -
>
> The NSA has issued a memorandum
> (see https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm)
> calling out their favorite crypto algorithms, and some agencies are
> now asking contractors to use them in addition to (or in lieu of?)
> FIPS 140-2 validated providers.
>
> The application I work on is written in Java and uses BCFIPS for its
> JSSE and TLS provider. Is it possible to specify which crypto
> algorithms and elliptic curves, etc., the BC provider will use when
> putting together an SSL connection?
>
> Thanks!
> Ernie











SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

Loading...