Please Review: required security algorithms for Java SE 7 implementations

Florian Weimer fweimer at bfk.de
Wed Dec 15 07:38:44 PST 2010


* Sean Mullan:

> Please review the following list:
> http://cr.openjdk.java.net/~mullan/5001004/review.00/StandardNames.html#impl

"SHA-1" or "SHA1"?  (Our code uses "SHA1" for some reason, perhaps for
consistency with "HmacSHA1".)

I think the TLSv1 cipher suite list is effectively much longer.
Correct?

There should also be some sort of factory to obtain the predefined
algorithms.  Instantiation through the framework is quite slow.  For
message digests, we currently rely on cloning a prototype object of
the appropriate digest.

SecureRandom is still underspecified.  Most applications want an
algorithm which cannot block and will not wait for true, physical
randomness to arrive.  If such applications accidentally use a
blocking generator (such as /dev/random on Linux without special
hardware support), then things don't work at all, and perhaps
developers will use java.util.Random instead.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99



More information about the security-dev mailing list