Please Review: required security algorithms for Java SE 7 implementations

Florian Weimer fweimer at bfk.de
Thu Dec 16 08:30:58 PST 2010


* Sean Mullan:

> On 12/15/10 10:38 AM, Florian Weimer wrote:
>> * Sean Mullan:
>>
>>> Please review the following list:
>>> http://cr.openjdk.java.net/~mullan/5001004/review.00/StandardNames.html#impl
>>
>> "SHA-1" or "SHA1"?  (Our code uses "SHA1" for some reason, perhaps for
>> consistency with "HmacSHA1".)
>
> "SHA-1" is the standard name, but Oracle's implementation (and
> probably most others) also accepts "SHA1" as an alias.

Oh, and I just realized that MD5 and HmacMD5 are missing.  These
algorithms are still heavily used (and HmacMD5 is not really broken,
it's only guilty by association).

>> I think the TLSv1 cipher suite list is effectively much longer.
>> Correct?
>
> Yes, but only TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA is mandatory. See
> section 9 of RFC 2246: http://www.ietf.org/rfc/rfc2246.txt

I think it's prudent to require TLS_RSA_WITH_AES_128_CBC_SHA as well
(which is mandatory per RFC 5246).  And RFC 5746 support should be
required, too (which includes TLS_EMPTY_RENEGOTIATION_INFO_SCSV).

>> There should also be some sort of factory to obtain the predefined
>> algorithms.  Instantiation through the framework is quite slow.  For
>> message digests, we currently rely on cloning a prototype object of
>> the appropriate digest.
>
> There aren't any plans to add something like this for JDK 7, but
> perhaps we can consider it for JDK 8. If you could sketch out a few
> more details of what you think the API would look like, that would
> help.

Basically, I'd like to have a class which provides reasonable default
implementations for common mandatory algorithms, without having to go
through SPIs etc.  That is, a class which implements an interface like
this:

interface DefaultMessageDigests {
  MessageDigest newMD5();
  MessageDigest newSHA1();
  MessageDigest newSHA256();
}

For other types of primitives, this may make less sense because they
generally have tweakable parameters.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
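
The prototype-cloning approach mentioned in the message, combined with the proposed method names, as an added example that is not part of the original message and is not OpenJDK code. The class name PrototypeDigests and its static layout are assumptions; it uses the standard names "MD5", "SHA-1" and "SHA-256" and falls back to a normal lookup when a provider's digest is not cloneable.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical class (name and layout are assumptions, not JDK API).
public final class PrototypeDigests {
    // One provider lookup per algorithm at class load; prototypes are never updated.
    private static final MessageDigest MD5 = lookup("MD5");
    private static final MessageDigest SHA1 = lookup("SHA-1");
    private static final MessageDigest SHA256 = lookup("SHA-256");

    private PrototypeDigests() {}

    private static MessageDigest lookup(String standardName) {
        try {
            return MessageDigest.getInstance(standardName);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("no provider for " + standardName, e);
        }
    }

    private static MessageDigest fresh(MessageDigest prototype) {
        try {
            // Copies the untouched initial state without another provider lookup.
            return (MessageDigest) prototype.clone();
        } catch (CloneNotSupportedException e) {
            // Some provider implementations are not cloneable: take the slow path.
            return lookup(prototype.getAlgorithm());
        }
    }

    public static MessageDigest newMD5() { return fresh(MD5); }
    public static MessageDigest newSHA1() { return fresh(SHA1); }
    public static MessageDigest newSHA256() { return fresh(SHA256); }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        MessageDigest a = newSHA256();
        MessageDigest b = newSHA256();
        a.update("abc".getBytes("UTF-8"));   // constructed sample input
        // b was cloned from the same prototype but must not see a's update.
        System.out.println("SHA-256(\"abc\") = " + hex(a.digest()));
        System.out.println("SHA-256(\"\")    = " + hex(b.digest()));
        System.out.println("MD5(\"\")        = " + hex(newMD5().digest()));
    }
}
```

On a runtime whose configuration removes MD5 or SHA-1, class initialization fails with the wrapped NoSuchAlgorithmException, so the missing algorithm surfaces at first use of the class.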


