Details
-
CSR
-
Resolution: Approved
-
P3
-
None
-
behavioral
-
low
-
Although we are removing the requirements, SE implementations can still support these algorithms or a 3rd-party JCE provider that supports them can be used. We are not removing the JDK implementations of these algorithms at this time.
-
Java API
-
SE
Description
Summary
Remove Java SE requirements to implement security algorithms based on DES or MD5.
Problem
To improve portability and interoperability, Java SE implementations are required to support a minimum set of cryptographic algorithms for various security APIs. It makes sense to periodically review these requirements and remove algorithms or modes that are known to be weak and of which usage has declined significantly, such as DES and MD5.
Solution
Remove Java SE requirements to implement security algorithms based on DES or MD5 from various security APIs. The relevant classes are:
- java.security.AlgorithmParameters
- java.security.MessageDigest
- javax.crypto.Cipher
- javax.crypto.KeyGenerator
- javax.crypto.Mac
- javax.crypto.SecretKeyFactory
These requirements will also be removed from the Security Algorithm Implementation Requirements section of the Java Security Standard Algorithm Names specification.
Specification
See attached webrev-01.zip.
Attachments
Issue Links
- csr of
-
JDK-8214483 Remove algorithms that use MD5 or DES from security requirements
-
- Resolved
-