DSA default algorithm for keytool -genkeypair. Bad choice?
Sean Mullan
sean.mullan at oracle.com
Wed Oct 10 11:59:55 UTC 2018
On 10/10/18 6:23 AM, Severin Gehwolf wrote:
> Hi,
>
> What is the rationale of using DSA keys (2048 bit) as default for
> genkeypair command?
> http://hg.openjdk.java.net/jdk/jdk/file/c4a39588a075/src/java.base/share/classes/sun/security/tools/keytool/Main.java#l1120
There is really no other reason other than DSA keys have been the
default keypairs generated by keytool for a long time, so there are some
compatibility issues we would have to think through before changing it
to another algorithm such as RSA. Weijun might have more insight into that.
> It seems a bad choice given that DSA keys are disabled via Fedora's
> crypto policy (not just OpenJDK, but other crypto providers too).
Actually, only DSA keys < 1024-bit are disabled by default in OpenJDK.
> Here the explanation from Nikos Mavrogiannopoulos from a Fedora bug[1]
> as to why that's a bad choice:
>
> """
> DSA is not used by new security protocols any more (doesn't exist as a
> negotiation option under TLS1.3), and was a very rarely used option
> under previous protocols (TLS1.2 or earlier). In fact only DSA-1024 is
> documented under these protocols. DSA-2048 may or may not work
> depending on the implementation (and even worse may not interoperate).
> """
>
> Could the default choice of keyalg for genkeypair be reconsidered?
Yes, I think it should be considered since DSA is rarely used anymore
and not supported by newer security protocols such as TLS 1.3. I have
filed: https://bugs.openjdk.java.net/browse/JDK-8212003
--Sean
> If not, why not?
>
> Thanks,
> Severin
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1582253
>
More information about the security-dev
mailing list