JDK-8349757

Use block size as the default Hmac key length for JDK providers


    • Type: CSR
    • Resolution: Unresolved
    • Priority: P4
    • 25
    • security-libs
    • None
    • behavioral
    • minimal
    • This only affects the default key size when KeyGenerator is not explicitly initialized with a key length. Increasing it should not cause any error.
    • Other
    • JDK

      Summary

      Change the default key size for Hmac using the SHA-2 and SHA-3 families of digests to the block size instead of the digest output length. Both the SunJCE and SunPKCS11 providers support Hmac key generation and will adopt the new default key sizes.

      Problem

      RFC 2104, "HMAC: Keyed-Hashing for Message Authentication", states that the minimal recommended key length is the hash output length. It also states that keys longer than the hash output length would not significantly increase the function strength, but then cautions that "A longer key may be advisable if the randomness of the key is considered weak." This has led to different default key sizes (from the hash output length to the block size) being used among vendors, protocols and even among JDK providers, since support for the various Hmac algorithms was added at different times.

      Solution

      Considering that Hmac key lengths are recommended not to exceed the block size (otherwise the security strength would be reduced by the need to hash the key down for Hmac processing) and that the minimum recommended key length is the hash output length, changing JDK providers to always use the block size as the default Hmac key size is good for the sake of consistency and security strength.

      Specification

      Update Table 4-17 "The SunJCE Provider Key Size Restrictions" under the JDK Providers Documentation in the Security Developer's Guide with the new default Hmac key sizes. In addition, document the existing restriction requiring the secret key size to be at least 40 bits. The table is updated with the rows below:

      | Algorithm Name | Default Key Size (bits) | Restrictions/Comments |
      |----------------|-------------------------|-----------------------|
      | HmacSHA224     | 512                     | Key size must be at least 40. |
      | HmacSHA256     | 512                     | Key size must be at least 40. |
      | HmacSHA384     | 1024                    | Key size must be at least 40. |
      | HmacSHA512     | 1024                    | Key size must be at least 40. |
      | HmacSHA512/224 | 1024                    | Key size must be at least 40. |
      | HmacSHA512/256 | 1024                    | Key size must be at least 40. |
      | HmacSHA3-224   | 1152                    | Key size must be at least 40. |
      | HmacSHA3-256   | 1088                    | Key size must be at least 40. |
      | HmacSHA3-384   | 832                     | Key size must be at least 40. |
      | HmacSHA3-512   | 576                     | Key size must be at least 40. |
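
The effect of this change on calling code, as an added example that is not part of the CSR or the JDK sources: it generates an HmacSHA256 key with and without an explicit `init`, then checks the RFC 2104 rule that a key longer than the block size is hashed down before use. The class name, sample message and oversized key are constructed for illustration, and it assumes the default provider for HmacSHA256 returns extractable key bytes (as SunJCE does).

```java
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Hypothetical class name; example code, not from the JDK.
public class HmacKeyLengthDemo {
    public static void main(String[] args) throws Exception {
        String alg = "HmacSHA256";
        int blockBits = 512; // SHA-256 block size; the table's new default for HmacSHA256

        // Default: KeyGenerator is never initialized, so the provider picks the length.
        // This is the only code path whose result the CSR changes.
        SecretKey dflt = KeyGenerator.getInstance(alg).generateKey();
        System.out.println("default key bits: " + dflt.getEncoded().length * 8);

        // Pinned: an explicit init() makes the length independent of JDK version
        // and provider, which matters when keys are exchanged with other systems.
        KeyGenerator kg = KeyGenerator.getInstance(alg);
        kg.init(blockBits);
        SecretKey pinned = kg.generateKey();
        System.out.println("pinned key bits:  " + pinned.getEncoded().length * 8);

        // Constructed oversized key (block size + 16 bytes) to show the hash-down step.
        byte[] longKey = new byte[blockBits / 8 + 16];
        new SecureRandom().nextBytes(longKey);
        byte[] hashedKey = MessageDigest.getInstance("SHA-256").digest(longKey);

        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] tagLong = mac(alg, longKey, msg);
        byte[] tagHashed = mac(alg, hashedKey, msg);

        // RFC 2104: a key longer than the block size is replaced by H(key), so both
        // tags match and the extra key bytes add nothing beyond the digest length.
        System.out.println("HMAC(longKey) == HMAC(H(longKey)): "
                + MessageDigest.isEqual(tagLong, tagHashed));
    }

    static byte[] mac(String alg, byte[] key, byte[] msg) throws Exception {
        Mac m = Mac.getInstance(alg);
        m.init(new SecretKeySpec(key, alg));
        return m.doFinal(msg);
    }
}
```

The first printed value depends on the JDK release and provider in use, while the pinned value and the final comparison do not.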

            valeriep Valerie Peng