Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8233607

Remove algorithms that use MD5 or DES from security requirements

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Approved
    • Icon: P3 P3
    • 14
    • security-libs
    • None
    • behavioral
    • low
    • Although we are removing the requirements, SE implementations can still support these algorithms or a 3rd-party JCE provider that supports them can be used. We are not removing the JDK implementations of these algorithms at this time.
    • Java API
    • SE

      Summary

      Remove Java SE requirements to implement security algorithms based on DES or MD5.

      Problem

      To improve portability and interoperability, Java SE implementations are required to support a minimum set of cryptographic algorithms for various security APIs. It makes sense to periodically review these requirements and remove algorithms or modes that are known to be weak and of which usage has declined significantly, such as DES and MD5.

      Solution

      Remove Java SE requirements to implement security algorithms based on DES or MD5 from various security APIs. The relevant classes are:

      • java.security.AlgorithmParameters
      • java.security.MessageDigest
      • javax.crypto.Cipher
      • javax.crypto.KeyGenerator
      • javax.crypto.Mac
      • javax.crypto.SecretKeyFactory

      These requirements will also be removed from the Security Algorithm Implementation Requirements section of the Java Security Standard Algorithm Names specification.

      Specification

      See attached webrev-01.zip.

        1. webrev.zip
          407 kB
        2. webrev-01.zip
          406 kB

            mullan Sean Mullan
            mullan Sean Mullan
            Xuelei Fan
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: