[OSJ-112] IDP 3.1 Wrong keysize
Created: 16/Mar/15  Updated: 16/Mar/15  Resolved: 16/Mar/15
Status: Closed
Project: OpenSAML - Java
Component/s: Security
Affects Version/s: 3.1.0
Fix Version/s: 3.1.1
Type: Bug
Reporter: [email protected]
Resolution: Fixed
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: RHEL 6.6, JDK 8 r40, Tomcat8
Issue Links: Related: is related to JXT-120 Symmetric key generation for Triple D...
Priority: Minor
Assignee: Brent Putman
Description
We are testing IDP 3.1 and discovered that when http://www.w3.org/2001/04/xmlenc#tripledes-cbc is listed first in the SP's metadata, the following error is generated. We are running Oracle JDK 8 r40 on Tomcat8. We can work around this by changing the order of possible encrypting key algorithms or removing tripledes-cbc, but we did find it odd and thought you might have seen this before.
Exception:
2015-03-15 22:14:43,593 - ERROR [net.shibboleth.idp.saml.profile:-2] - Uncaught runtime exception
java.security.InvalidParameterException: Wrong keysize: must be equal to 112 or 168
at com.sun.crypto.provider.DESedeKeyGenerator.engineInit(DESedeKeyGenerator.java:94)
==> idp-warn.log <==
2015-03-15 22:14:43,593 - ERROR [net.shibboleth.idp.saml.profile:-2] - Uncaught runtime exception
java.security.InvalidParameterException: Wrong keysize: must be equal to 112 or 168
at com.sun.crypto.provider.DESedeKeyGenerator.engineInit(DESedeKeyGenerator.java:94)
Error Message:
Web Login Service - Uncaught Exception
A software error was encountered that prevents normal operation:
java.security.InvalidParameterException: Wrong keysize: must be equal to 112 or 168
Please report this problem to your Help Desk or administrative staff. It has also been logged for an administrator to review.
Comments
Comment by Brent Putman [ 16/Mar/15 ]
Moving this to OpenSAML since that's where the bug actually is.
Comment by Brent Putman [ 16/Mar/15 ]
Pasting my response on the users list:

Yes, I'm familiar with the general issue. IIRC the Java JCA stuff is somewhat inconsistent in what they consider to be the key size for triple DES keys. Some security provider impls treat it as 192 and some treat it as 168 (or 112 if the DESede variant which reuses the first DES key as the third key also).

I think it has to do with: Original DES keys were defined as 64 bits. However 8 bits were defined as parity bits. This was back (in the 70's I think) when communications channels weren't so reliable, so they built some parity bits right into the key itself. Or something like that. So anyway, only 56 bits of actual key material.

So depending on whether they treat a DES key as 56 vs 64 bits, some impls treat a triple DES key as either 168 or 192.

I'll look into it.
Comment by Brent Putman [ 16/Mar/15 ]
The above is confirmed. The AlgorithmDescriptor for this has a length of 192, which isn't wrong: that's the length of a 3DES key. The problem is that the KeyGenerator impl of SunJCE provider in both Java 7 and 8 only accepts 168 bits. BC on the other hand takes 168 or 192.

The fix is to just special case this to 168 bits, the common denominator, in the AlgorithmSupport method that generates symmetric keys. A length of 168 is required to be supported per the JCA docs:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#impl
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#impl

Leaving the getKeyLength(uri) method as-is, because that's used in key resolution stuff, and there the key length really is 192 bits.
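An added illustration of the behaviour discussed in this issue, written for this page and not taken from OpenSAML's code: it reproduces the SunJCE rejection of a 192-bit DESede init and shows the normalization to 168 bits for key generation while the nominal 192-bit length is kept for resolution. The class, method names and the nominalKeyLength lookup are hypothetical stand-ins for the AlgorithmDescriptor and AlgorithmSupport logic the comment refers to.

```java
import java.security.InvalidParameterException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class TripleDesKeyGen {
    // XML Encryption block-cipher URI named in the bug report.
    static final String TRIPLEDES_CBC = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";

    // Nominal key length for the URI, as key resolution expects it:
    // three 64-bit DES keys including parity bits, i.e. 192 bits.
    // (Hypothetical stand-in for the descriptor lookup; only this URI is mapped.)
    static int nominalKeyLength(String algorithmUri) {
        return TRIPLEDES_CBC.equals(algorithmUri) ? 192 : -1;
    }

    // Length handed to KeyGenerator.init(): DESede is special-cased to 168,
    // the value every JCA provider must support; other algorithms are unchanged.
    static int generatorKeyLength(String jcaAlgorithm, int nominalBits) {
        if ("DESede".equalsIgnoreCase(jcaAlgorithm) && nominalBits == 192) {
            return 168;
        }
        return nominalBits;
    }

    // Generates a symmetric key using the normalized length.
    static SecretKey generate(String jcaAlgorithm, int nominalBits)
            throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance(jcaAlgorithm);
        kg.init(generatorKeyLength(jcaAlgorithm, nominalBits));
        return kg.generateKey();
    }

    public static void main(String[] args) throws Exception {
        // Reproduce the reported failure: SunJCE rejects init(192) for DESede,
        // while a provider such as BC accepts it.
        try {
            KeyGenerator kg = KeyGenerator.getInstance("DESede");
            kg.init(192);
            System.out.println("init(192) accepted by provider " + kg.getProvider().getName());
        } catch (InvalidParameterException e) {
            System.out.println("init(192) rejected: " + e.getMessage());
        }
        // Normalized path: init(168) succeeds on SunJCE and BC alike and still
        // yields a full 24-byte (192-bit, parity included) DESede key.
        SecretKey key = generate("DESede", nominalKeyLength(TRIPLEDES_CBC));
        System.out.println("generated DESede key length in bytes: " + key.getEncoded().length);
    }
}
```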
Generated at Wed Jun 07 20:27:11 EDT 2017 using JIRA 7.0.10#70120sha1:37e3d7a6fc4d580639533e7f7c232c925e554a6a.