Diffie-Hellman : Java Glossary

In SSL (Secure Sockets Layer) (https:) secure communications, the two ends must decide on a shared secret key without having arranged one in advance. The original method for doing that was called Diffie-Hellman. Alternatives include:

• SIDH (Supersingular Isogeny Diffie–Hellman _Key _Exchange)is a post-quantum public key cryptographic algorithm used to establish a secret key between two parties over an otherwise insecure communications channel. It was designed to resist cryptanalytic attack by an adversary in possession of a quantum computer.
• Elliptic Curve Diffie-Hellman (ECDH-256)
• RSA (Rivest, Shamir and Adelman)

Java

By default, Java no longer supports Diffie-Hellman. This means SSL will fail on sites that don’t support some alternative that Java supports. In theory, you can patch Java to make it work. I have not had success. The way I deal with it is to use Excelsior Jet which uses its own SSL implementation that supports Diffie-Hellmen. To enable it, you can make various patches:

file by changing the jdk.tls.disabledAlgorithms property.

# Insert this code into java.security to turn Diffie Hellman back on

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4

jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        RSA_EXPORT, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC

You can also adjust:

// increase limit of Diffie-Hellman key size to 1024 or 2048
System.setProperty( "jdk.tls.ephemeralDHKeySize", "2048" );

or similar.

Java 1.8 now supports Diffie-Hellman 2048-bit MODP, when enabled. It used to support only 512 through 1024 bit.

Diffie-Helman will fail when the remote site demands a key bigger than 2048 bits. In that case, you can compile with Jet which supports larger keys, or use BouncyCastle.

Diffie-Hellman also uses SHA digests which are usually 128, 256 or 384 bits long.