SP800-131A Compliance
From Java™ 7 SR1, the Java Security components and IBMJSSE2 support the requirements defined by National Institute of Standards and Technology (NIST) Special Publication 800-131a. SP 800-131a strengthens security by defining which algorithms can be used and their minimum strengths. The standard defines the transition of cryptographic algorithms and key lengths from their current levels to the new levels that will be required by the end of 2013. The transition period, from today to the end of 2013, is a grace period given to customers and products to upgrade to the new minimum cryptographic requirements. SP800-131a compliance requires the use of stronger cryptographic keys and more robust algorithms. See Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths for more information.
- com.ibm.jsse2.sp800-131=strict|transition|off

  This system property controls the following aspects of IBMJSSE2: the protocols and cipher suites to allow, the ephemeral key strength to use, and the signatures and elliptic curves to allow. Verify that the certificates and keys that are supplied to the trust manager and key manager are SP800-131a compliant.

  Set the property to transition to request SP800-131a transition compliance. Set the property to strict to allow only strict adherence to the SP800-131a recommendation. See Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths for the new standards defined by Special Publication 800-131, and for details about the allowed protocols, cipher suites, and key strengths.
When the com.ibm.jsse2.sp800-131 property is set to strict, use these security properties to disable the cryptographic algorithms that the SP800-131a standard defines as not acceptable. For example:

  jdk.tls.disabledAlgorithms = RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, MD5
  jdk.certpath.disabledAlgorithms = RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, SHA1, MD5

A variant of the certpath property that applies the SHA1 restriction only to certificate chains that end in a JDK cacerts trust anchor and are used for TLS server authentication:

  jdk.certpath.disabledAlgorithms = RSA keySize < 2048, DSA keySize < 2048, EC keySize < 224, SHA1 jdkCA & usage TLSServer, MD5
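As an added example (not IBM's code) of the check the page asks for before enabling strict mode, the following Java program audits every certificate in a keystore against the strict thresholds from the disabledAlgorithms examples above (RSA and DSA keys of at least 2048 bits, EC keys of at least 224 bits, no MD5 or SHA1 signature digests). It assumes a JKS or PKCS12 keystore and its password are passed on the command line; the class name and messages are my own.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
public class Sp800131aKeystoreAudit {
    /** Returns the problems found for one certificate; an empty list means it passes. */
    static List<String> check(X509Certificate cert) {
        List<String> problems = new ArrayList<>();
        PublicKey key = cert.getPublicKey();
        if (key instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) key).getModulus().bitLength();
            if (bits < 2048) problems.add("RSA keySize " + bits + " < 2048");
        } else if (key instanceof DSAPublicKey) {
            int bits = ((DSAPublicKey) key).getParams().getP().bitLength();
            if (bits < 2048) problems.add("DSA keySize " + bits + " < 2048");
        } else if (key instanceof ECPublicKey) {
            // Java's "EC keySize" constraint compares against the curve's field size in bits.
            int bits = ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
            if (bits < 224) problems.add("EC keySize " + bits + " < 224");
        } else {
            problems.add("unrecognised key algorithm " + key.getAlgorithm());
        }
        // Signature algorithm name, e.g. "SHA256withRSA"; MD5 and SHA1 digests are disallowed.
        String sig = cert.getSigAlgName().toUpperCase().replace("-", "");
        if (sig.contains("MD5")) problems.add("signature digest MD5: " + cert.getSigAlgName());
        if (sig.contains("SHA1")) problems.add("signature digest SHA1: " + cert.getSigAlgName());
        return problems;
    }
    public static void main(String[] args) throws Exception {
        // Usage: java Sp800131aKeystoreAudit <keystore path> <password> [type, default JKS/PKCS12]
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias); // null for secret-key entries
            if (!(c instanceof X509Certificate)) continue;
            List<String> problems = check((X509Certificate) c);
            System.out.println(alias + ": " + (problems.isEmpty() ? "compliant" : problems));
        }
    }
}
```

Run it against the keystores handed to the key manager and trust manager; any alias that is not reported as compliant will be rejected once the strict properties are in effect.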