SP800-131A Compliance

From Java™ 7 SR1, the Java Security components and IBMJSSE2 support the requirements defined by the National Institute of Standards and Technology (NIST) Special Publication 800-131a. SP800-131a strengthens security by defining which algorithms can be used and their minimum strengths. The standard defines how cryptographic algorithms and key lengths transition from today's levels to the new levels, which will be required by the end of 2013. The transition period runs from today to the end of 2013 and is a grace period that gives customers and products time to upgrade to the new minimum cryptographic requirements. SP800-131a compliance requires the use of stronger cryptographic keys and more robust algorithms. See Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths for more information.

Use the following system property to specify that SP800-131a compliance is required:
com.ibm.jsse2.sp800-131=strict|transition|off

This system property controls the following aspects of IBMJSSE2: the protocol and cipher suite to allow, the size of the ephemeral key strength to use, and the signatures and elliptic curves to allow. Verify that your certificates, and keys that are supplied to the trust manager and key manager, are SP800-131a compliant.

Set the property to transition to specify that SP800-131a transition compliance is requested.

Set the property to strict to allow only strict adherence to the SP800-131a recommendation.

See Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths for the new standards defined by Special Publication 800-131, and details about allowed protocols, cipher suites, and key strength.

The SDK includes two security properties for disabling specific cryptographic algorithms. When the com.ibm.jsse2.sp800-131 property is set to strict, use these properties to disable cryptographic algorithms that are defined by the SP800-131a standard as not acceptable. For example:
  • jdk.tls.disabledAlgorithms = RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, MD5
  • jdk.certpath.disabledAlgorithms = RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, SHA1, MD5
  • From service refresh 5 fix pack 10: jdk.certpath.disabledAlgorithms = RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, SHA1 jdkCA & usage TLSServer, MD5
For more information about these properties, see Disabled and restricted cryptographic algorithms.
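
The following added example (not IBM code) shows one way to carry out the check described above, that the certificates supplied to the trust manager and key manager meet the limits before strict mode is enabled. It assumes the thresholds from the example property values on this page; the class name is hypothetical, and the keys used when no keystore is given are constructed in memory.

```java
import java.io.FileInputStream;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.*;
import java.util.*;

// Added example (hypothetical class name); thresholds mirror the page's sample disabledAlgorithms values.
public class Sp800131KeystoreCheck {
    // Returns null when the key meets the minimum size, otherwise a description of the problem.
    static String keyProblem(PublicKey k) {
        int bits, min;
        if (k instanceof RSAPublicKey) { bits = ((RSAPublicKey) k).getModulus().bitLength(); min = 2048; }
        else if (k instanceof DSAPublicKey && ((DSAPublicKey) k).getParams() != null) {
            bits = ((DSAPublicKey) k).getParams().getP().bitLength(); min = 2048;
        } else if (k instanceof ECPublicKey) { bits = ((ECPublicKey) k).getParams().getOrder().bitLength(); min = 224; }
        else return "key type not checked: " + k.getAlgorithm();
        return bits < min ? k.getAlgorithm() + " key is " + bits + " bits, minimum is " + min : null;
    }

    // Flags MD5 and SHA1 signatures, as the plain "SHA1, MD5" entries do (not the narrower jdkCA form).
    static String sigProblem(String sigAlg) {
        String s = sigAlg.toUpperCase(Locale.ROOT).replace("-", "");
        return (s.contains("MD5") || s.contains("SHA1")) ? "signed with " + sigAlg : null;
    }

    static void report(String name, String keyIssue, String sigIssue) {
        String verdict = (keyIssue == null && sigIssue == null) ? "OK" : "NOT COMPLIANT";
        System.out.println(name + ": " + verdict + (keyIssue != null ? "; " + keyIssue : "") + (sigIssue != null ? "; " + sigIssue : ""));
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {   // args: keystore path, keystore password
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
            for (String alias : Collections.list(ks.aliases())) {
                Certificate c = ks.getCertificate(alias);   // first certificate of each entry only
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    report(alias, keyProblem(x.getPublicKey()), sigProblem(x.getSigAlgName()));
                }
            }
            return;
        }
        // No arguments: constructed sample keys generated in memory, paired with constructed signature names.
        for (String[] t : new String[][] {{"RSA", "1024", "SHA1withRSA"}, {"RSA", "2048", "SHA256withRSA"}, {"EC", "256", "SHA256withECDSA"}}) {
            KeyPairGenerator g = KeyPairGenerator.getInstance(t[0]);
            g.initialize(Integer.parseInt(t[1]));
            report(t[0] + "-" + t[1], keyProblem(g.generateKeyPair().getPublic()), sigProblem(t[2]));
        }
    }
}
```

Run it with a keystore path and password to list entries that would be rejected. It inspects only the first certificate of each entry, so the rest of each chain still needs the same check.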