Suite B Profile for Transport Layer Security (TLS) - RFC 5430
From Java™ 7 SR1, IBMJSSE2 supports the NSA Suite B Cryptography guidelines, which define the cryptographic algorithm policy for national security applications. See RFC 5430 - Suite B Profile for Transport Layer Security (TLS) for details.
To support the Suite B profile, the following system property is provided:
- com.ibm.jsse2.suiteB=128|192|false
-
This system property has the following parameters:
false
specifies not Suite B compliant. This value is the default.128
specifies the 128-bit minimum level of security.192
specifies the 192-bit minimum level of security.
When you set thecom.ibm.jsse2.suiteB
system property, IBMJSSE2 ensures adherence to the specified security level. IBMJSSE2 validates that the protocol, keys, and certificates are compliant with the requested profile.Note: Trusted certificates are not validated, because they are trusted by definition. It is your responsibility to verify that trusted certificates in the truststore comply with the Suite B profile.
The SDK includes two security properties for disabling specific cryptographic algorithms. When
the
com.ibm.jsse2.suiteB
property is set to 128
, use these
properties to disable cryptographic algorithms that do not comply with the 128-bit minimum level of
security. For example:jdk.tls.disabledAlgorithms = RSA, DSA, EC keySize < 256, EC keySize > 384, MD5, SHA1, SHA224, SHA512
jdk.certpath.disabledAlgorithms = RSA, DSA, EC keySize < 256, EC keySize > 384, MD5, SHA1, SHA224, SHA512
com.ibm.jsse2.suiteB
property is set to 192
, use
these properties to disable cryptographic algorithms that do not comply with the 192-bit minimum
level of security. For example:jdk.tls.disabledAlgorithms = RSA, DSA, EC keySize != 384, MD5, SHA1, SHA224, SHA256, SHA512
jdk.certpath.disabledAlgorithms = RSA, DSA, EC keySize != 384, MD5, SHA1, SHA224, SHA256, SHA512