HTTPS: changing the size of the DHE keys

Changing the size of the Ephemeral Diffie-Hellman keys

jdk.tls.ephemeralDHKeySize

Set the JDK system property jdk.tls.ephemeralDHKeySize to 1024 or, better, 2048 (1024 bits is already the JDK 8 default; sizes below 1024 bits are deprecated as too weak). Pass it on the command line, e.g. -Djdk.tls.ephemeralDHKeySize=2048, so that it is in place before JSSE initializes.

If the symptom is the browser error "the server's ephemeral Diffie-Hellman public key is too weak", you can also change the enabled SSL/TLS protocols and cipher suites: drop the export and anonymous suites and prefer ECDHE suites, whose key exchange does not depend on the finite-field DH parameter size at all.

Reference: http://www.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/jsse2Docs/customize_size_ephemeral.html
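The two fixes above, as an added example that is not code from the original post or from Oracle's guide: the ephemeral DH size is raised to 2048 bits and the enabled suites of a server socket are restricted to forward-secret, non-anonymous, non-export suites on TLS 1.2. The class name StrongDheConfig and the selectStrongSuites helper are this example's own; a keystore (configured via javax.net.ssl.keyStore) is assumed for a real server, it is not needed just to run the filtering.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example (not from the original post or Oracle's guide):
 * raise the ephemeral DH key size and keep only strong cipher suites.
 */
public class StrongDheConfig {

    /**
     * Keep only suites that provide forward secrecy (DHE or ECDHE) with an
     * authenticated key exchange and a sane bulk cipher. Anonymous (DH_anon)
     * and export suites are exactly the ones the ephemeral-DH property does
     * not strengthen, so they are dropped here.
     */
    static String[] selectStrongSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String s : supported) {
            boolean forwardSecret = s.contains("_ECDHE_") || s.contains("_DHE_");
            boolean anonymous = s.contains("_anon_");
            boolean export = s.contains("_EXPORT");
            boolean weakBulk = s.contains("_NULL_") || s.contains("_RC4_")
                    || s.contains("_DES_") || s.contains("_3DES_");
            if (forwardSecret && !anonymous && !export && !weakBulk) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Equivalent to -Djdk.tls.ephemeralDHKeySize=2048 on the command line.
        // The command-line form is safer: the property must be set before the
        // JSSE provider reads it, which a late System.setProperty cannot guarantee.
        System.setProperty("jdk.tls.ephemeralDHKeySize", "2048");

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        String[] strong = selectStrongSuites(supported);

        // Server socket with TLS 1.2 only and the filtered suite list.
        // Accepting connections would additionally require a keystore
        // (javax.net.ssl.keyStore / javax.net.ssl.keyStorePassword), assumed here.
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            server.setEnabledProtocols(new String[] {"TLSv1.2"});
            server.setEnabledCipherSuites(strong);
            System.out.println("Listening on port " + server.getLocalPort());
            for (String s : server.getEnabledCipherSuites()) {
                System.out.println("  " + s);
            }
        }
    }
}
```

To confirm the change took effect on a running server, connect with OpenSSL 1.0.2 or later and force a DHE suite, e.g. `openssl s_client -connect host:443 -cipher DHE`; the "Server Temp Key:" line in its output shows the negotiated ephemeral key type and size, which should read 2048 bits after this change.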


-------------------------------------Below is Oracle's original text on DH keys-----

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#customizing_dh_keys

Customizing Size of Ephemeral Diffie-Hellman Keys

Diffie-Hellman (DH) keys of sizes less than 1024 bits have been deprecated because of their insufficient strength. In JDK 8, you can customize the ephemeral DH key size with the system property jdk.tls.ephemeralDHKeySize. This system property does not impact DH key sizes in ServerKeyExchange messages for exportable cipher suites. It impacts only the DHE_RSA, DHE_DSS, and DH_anon-based cipher suites in the JSSE Oracle provider.

You can specify one of the following values for this property:

  • Undefined: A DH key of size 1024 bits will be used always for non-exportable cipher suites. This is the default value for this property.
  • legacy: The JSSE Oracle provider preserves the legacy behavior (for example, using ephemeral DH keys of sizes 512 bits and 768 bits) of JDK 7 and earlier releases.
  • matched: For non-exportable anonymous cipher suites, the DH key size in ServerKeyExchange messages is 1024 bits. For X.509 certificate based authentication (of non-exportable cipher suites), the DH key size matching the corresponding authentication key is used, except that the size must be between 1024 bits and 2048 bits. For example, if the public key size of an authentication certificate is 2048 bits, then the ephemeral DH key size should be 2048 bits unless the cipher suite is exportable. This key sizing scheme keeps the cryptographic strength consistent between authentication keys and key-exchange keys.
  • A valid integer between 1024 and 2048, inclusively: A fixed ephemeral DH key size of the specified value, in bits, will be used for non-exportable cipher suites.

The following table summarizes the minimum and maximum acceptable DH key sizes for each of the possible values of the system property jdk.tls.ephemeralDHKeySize:

Value of jdk.tls.ephemeralDHKeySize: Undefined | legacy | matched | Integer value (fixed)

  • Exportable DH key size: 512 | 512 | 512 | 512
  • Non-exportable anonymous cipher suites: 1024 | 768 | 1024 | the fixed key size specified by the property value, which must be between 1024 and 2048, inclusively.
  • Authentication certificate: 1024 | 768 | the same size as the authentication certificate's key, but between 1024 and 2048 bits, inclusively (however, the SunJCE provider only supports 2048-bit DH keys larger than 1024 bits, so in practice only 1024 or 2048 are used) | the fixed key size specified by the property value, which must be between 1024 and 2048, inclusively.