RFR: 8267319: Use larger default key sizes and algorithms based on CNSA
Valerie Peng
valeriep at openjdk.java.net
Wed Mar 2 00:21:47 UTC 2022
It's been several years since we increased the default key sizes. Before shifting to PQC, NSA replaced its Suite B cryptography recommendations with the Commercial National Security Algorithm Suite which suggests:
- SHA-384 for secure hashing
- AES-256 for symmetric encryption
- RSA with 3072-bit keys for digital signatures and for key exchange
- Diffie-Hellman (DH) with 3072-bit keys for key exchange
- Elliptic curve [P-384] for key exchange (ECDH) and for digital signatures (ECDSA)
So, this proposed change makes the suggested key size and algorithm changes. The changes are mostly in keytool, jarsigner and their regression tests, so @wangweij, could you please take a look?
Thanks!
-------------
Commit messages:
- 8267319: Use larger default key sizes and algorithms based on CNSA
Changes: https://git.openjdk.java.net/jdk/pull/7652/files
Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=7652&range=00
Issue: https://bugs.openjdk.java.net/browse/JDK-8267319
Stats: 479 lines in 29 files changed: 321 ins; 6 del; 152 mod
Patch: https://git.openjdk.java.net/jdk/pull/7652.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/7652/head:pull/7652
PR: https://git.openjdk.java.net/jdk/pull/7652
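
A way to check which defaults a given JDK actually hands out, as an added example that is not part of the original message or of the pull request. It assumes the standard JCA behaviour that an uninitialized KeyPairGenerator or KeyGenerator falls back to its provider's default size; the class name CnsaDefaultsCheck and its helper methods are hypothetical, and the thresholds are the key sizes listed in the message.

```java
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.KeyGenerator;
import javax.crypto.interfaces.DHPublicKey;

// Added example: reports the default key sizes of the running JDK against
// the CNSA sizes quoted in the message (RSA 3072, DH 3072, P-384, AES-256).
public class CnsaDefaultsCheck {
    static final int RSA_BITS = 3072, DH_BITS = 3072, EC_BITS = 384, AES_BITS = 256;

    // Key size in bits for the three public-key types the list covers.
    static int bits(PublicKey k) {
        if (k instanceof RSAPublicKey)
            return ((RSAPublicKey) k).getModulus().bitLength();
        if (k instanceof DHPublicKey)
            return ((DHPublicKey) k).getParams().getP().bitLength();
        if (k instanceof ECPublicKey)  // field size used as a proxy for the curve
            return ((ECPublicKey) k).getParams().getCurve().getField().getFieldSize();
        throw new IllegalArgumentException("unsupported key type: " + k.getAlgorithm());
    }

    // Generates a key pair WITHOUT calling initialize(), so the provider default applies.
    static int defaultBits(String algorithm) throws Exception {
        return bits(KeyPairGenerator.getInstance(algorithm).generateKeyPair().getPublic());
    }

    static boolean report(String what, int actual, int required) {
        boolean ok = actual >= required;
        System.out.printf("%-4s default=%-5d required>=%-5d %s%n",
                what, actual, required, ok ? "OK" : "BELOW CNSA");
        return ok;
    }

    public static void main(String[] args) throws Exception {
        boolean ok = true;
        ok &= report("RSA", defaultBits("RSA"), RSA_BITS);
        ok &= report("DH", defaultBits("DH"), DH_BITS);
        ok &= report("EC", defaultBits("EC"), EC_BITS);
        // Same idea for symmetric keys: no init() call, provider default size.
        int aes = KeyGenerator.getInstance("AES").generateKey().getEncoded().length * 8;
        ok &= report("AES", aes, AES_BITS);
        System.exit(ok ? 0 : 1);  // non-zero exit when any default is below the list
    }
}
```

The exit status makes it usable as a build or image check; code that passes explicit sizes to initialize() or init() is unaffected by provider defaults and has to be audited separately.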