Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Java and Old Hash Algorithms - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Java and Old Hash Algorithms

David, one of our readers, emailed wih a question - when he tries to interact with a particular print driver, he gets a Java error:

PKIX path validation failed:
java.security.cert.CertPathValidatorException:
Algorithm constraints check failed: MD2withRSA

This error comes up because as of Java 7, MD2 hashing and any RSA hash under 1024 bits are disabled.  Since this is a (very) old printer driver, the fact that it still uses MD2 is not a surprise - but what to do next?

OK - the obvious answer is to upgrade out of the problem - if the driver has an update, apply it.  But how do we get to the interface given the Java situation?  The answer is buried in the Java config files - - edit the file java.securty, which in Windows is found at: "C:\Program Files (x86)\Java\jre7\lib\security"

In this file, you'll find the line:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Edit or comment out this line, and MD2 will work for you again. But don't leave it like this - this enables all those certs with weak hashes, which leaves you open to a world of hurt.  In this case, it gets you access back to the interface so you can upgrade to a newer version.  If there is no newer version, it gives you access until you can upgrade the hardware or app that's causing the problem.

===============
Rob VandenBrink
Metafore

Rob VandenBrink

489 Posts
ISC Handler
Actually was a bit of device management Java with the JAR embedded in the firmware of the printer, no update forthcoming there. Thank you for the work-around!

I'd like to see Oracle add the ability to trust particular JAR files based on a modern hash of the JAR itself. So if an enterprise or consumer has old printers or some other firmware-centric equipment they don't want to replace, they could add trusted for the embedded Java code without disabling strong signature checks in general. Would be handy for trusted unsigned Java as well. My experience is that most old Java (including this printer) will run fine with the latest Java 7 release.

However if Oracle did that, they would less able to collect on expensive Java 6 support contracts.
Starlight

34 Posts
In preparing for a Java upgrade in our organization, I was reading the release notes yesterday for version 7u40, just released Tuesday. They have added a "Deployment Rule Set" that will let us white-list apps so we don't have to keep disabling the extra security features they keep adding in order to run old apps. This looks good, and we'll be testing it out soon. Release Notes: http://www.java.com/en/download/faq/release_changes.xml
KeizerBill

5 Posts
Actually, I think application whitelisting is part of Java 7.
Check out: blogs.oracle.com/java-platform-group/entry/…
Does this do what you need?
Rob VandenBrink

489 Posts
ISC Handler
Yep, that's it. Thanks again.

Bit of a pain though. Write an XML file of exceptions
and package it as a JAR file signed with a locally
trusted certificate--would take hours. I'll stick with
allowing MD2 cert hashes for now as I don't have
a population of click-happy non-technical users
to worry about.
Starlight

34 Posts
Shiny new it seems, more on the subject from El Reg:

http://www.theregister.co.uk/2013/09/13/java_deployment_rule_set/
Starlight

34 Posts

Sign Up for Free or Log In to start participating in the conversation!