Please Review: required security algorithms for Java SE 7 implementations
Xuelei Fan
xuelei.fan at oracle.com
Sat Dec 18 15:07:28 UTC 2010
From my understanding, MD2 and MD5 are unsafe because one can forge one
thing (such as a certificate) with different content but the same
signature. If we continue to support verification based on MD2 and MD5, it
also means that the attack with the forged certificate works. We may
not be able to prevent attacks with forged things (or certificates) any more.
Xuelei
On 12/18/2010 5:01 AM, Michael StJohns wrote:
> Is it possible to deprecate the signing part of the mechanism while requiring the verification part?
>
> There's a whole pile of MD5withRSA and MD2withRSA root certificates. Obviously, you don't want to support further signatures, but it would be useful if you can still verify.
>
> Or too much work?
>
> Mike
>
>
>
> At 03:35 PM 12/17/2010, Sean Mullan wrote:
>> On 12/16/10 1:26 PM, Sean Mullan wrote:
>>> On 12/15/10 10:38 AM, Florian Weimer wrote:
>>>> Oh, and I just realized that MD5 and HmacMD5 are missing. These
>>>> algorithms are still heavily used (and HmacMD5 is not really broken,
>>>> it's only guilty by association).
>>>
>>> Yes, MD5 is still in use, but I think it is decreasing in use significantly. Can
>>> you give more rationale, for example data that would suggest that not making
>>> these algorithms a requirement would affect a significant number of Java
>>> applications or where SHA-1/HmacSHA1 would not be an adequate alternative?
>>>
>>> Also, just FYI but we have no plans to remove support for MD5 and HmacMD5 from
>>> OpenJDK.
>>
>> It was pointed out to me that TLS 1.0 requires MD5 and HmacMD5. Since we have listed TLS 1.0 as a requirement, then those should really be added to the required algorithms list. So, I've added those to the list and posted a new version at:
>>
>> http://cr.openjdk.java.net/~mullan/5001004/review.01/StandardNames.html#impl
>>
>> --Sean
>
>
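To make Michael's "verify but never sign" option concrete, the following is an added example written for this page; it is not OpenJDK code and not something proposed in the thread. It assumes the chain has already been ordered leaf first with the trust anchor last (the class name, the PEM file arguments and the method names are all assumptions). Every certificate below the anchor is checked for an MD2- or MD5-based signature before its signature is verified; the anchor itself is exempt, because trust in a root comes from the anchor store rather than from its self-signature, which is why the MD5withRSA roots Michael mentions do not need MD5 verification to remain usable.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example, not OpenJDK code: reject MD2/MD5 signatures on every
// certificate below the trust anchor while still accepting MD5-signed roots.
public class WeakSigAlgChainCheck {

    // PKCS#1 OIDs for md2WithRSAEncryption and md5WithRSAEncryption, matched
    // as well as the friendly name in case a provider reports the dotted OID.
    private static final String OID_MD2_RSA = "1.2.840.113549.1.1.2";
    private static final String OID_MD5_RSA = "1.2.840.113549.1.1.4";

    /** True if the certificate's signature was computed over an MD2 or MD5 digest. */
    static boolean signedWithWeakDigest(X509Certificate cert) {
        String oid = cert.getSigAlgOID();
        if (OID_MD2_RSA.equals(oid) || OID_MD5_RSA.equals(oid)) {
            return true;
        }
        String name = cert.getSigAlgName().toUpperCase(Locale.ROOT);
        return name.startsWith("MD2WITH") || name.startsWith("MD5WITH");
    }

    /**
     * chain.get(0) is the end-entity certificate, the last element is the
     * trust anchor (assumed ordering). Each certificate except the anchor is
     * verified with the public key of the next one up. The anchor's own
     * self-signature is never verified, so its algorithm is irrelevant here.
     */
    static void validateSignatures(List<X509Certificate> chain) throws GeneralSecurityException {
        if (chain.isEmpty()) {
            throw new CertificateException("empty chain");
        }
        for (int i = 0; i < chain.size() - 1; i++) {
            X509Certificate cert = chain.get(i);
            X509Certificate issuer = chain.get(i + 1);
            // Refuse the algorithm before looking at the signature bytes: a
            // colliding forgery would otherwise verify successfully below.
            if (signedWithWeakDigest(cert)) {
                throw new CertificateException(cert.getSubjectX500Principal()
                        + " is signed with " + cert.getSigAlgName()
                        + "; MD2/MD5 signatures are not accepted");
            }
            cert.verify(issuer.getPublicKey()); // throws on a bad signature
        }
    }

    /** Loads one PEM/DER certificate per file path, in the order given. */
    static List<X509Certificate> loadChain(String[] files) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (String path : files) {
            try (InputStream in = new FileInputStream(path)) {
                chain.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        return chain;
    }

    /** Usage (hypothetical file names): java WeakSigAlgChainCheck leaf.pem intermediate.pem root.pem */
    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = loadChain(args);
        validateSignatures(chain);
        System.out.println("chain OK: " + chain.size()
                + " certificates, no MD2/MD5 signatures below the anchor");
    }
}
```

This only answers the signature-algorithm question raised in the thread; it does not check validity periods, name chaining, basic constraints or revocation, which a real path validator (CertPathValidator) must still do. The OID check matters in practice because a provider may report an unrecognised algorithm by OID rather than by a name like "MD5withRSA", and a name-only filter would then let it through.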