RFR [14] 8214483: Remove algorithms that use MD5, DES, or ECB from security requirements
Sean Mullan
sean.mullan at oracle.com
Thu Nov 7 22:11:48 UTC 2019
Ok, I have put back the Cipher algorithms with ECB mode that I had
previously removed (except for DES/ECB which is still removed).
Updated webrev:
https://cr.openjdk.java.net/~mullan/webrevs/8214483/webrev.01/
--Sean
On 11/6/19 5:43 PM, Michael StJohns wrote:
> On 11/6/2019 11:27 AM, Sean Mullan wrote:
>> Please remove this change to remove the Java SE requirements to
>> implement security algorithms based on DES, MD5, or ECB. It makes
>> sense to periodically review these requirements and remove algorithms
>> or modes that are known to be weak and of which usage has declined
>> significantly and thus compatibility risk is much lower.
>>
>> Note that we are not removing the actual implementations of these
>> algorithms from the JDK. This just means that an SE implementation is
>> not required to support these algorithms.
>>
>> webrev: https://cr.openjdk.java.net/~mullan/webrevs/8214483/webrev.00/
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8233607
>>
>> Thanks,
>> Sean
>>
>
> I don't have a problem with removing DES or MD5 from the must-implement
> list, but ECB is a fundamental building block mode. It's going to be
> how you implement a new mode before there's specific support for that
> mode. Pretty much any mode can be implemented using ECB as its only
> real crypto operation. E.g. CBC, CTR, CCM, GCM, CFB, OFB etc are all
> wrapped around ECB in some form. Please continue to require that it be
> implemented. Policy MAY restrict the use of the mode for a given key,
> but that's a provider issue.
>
> Mike
>
>
More information about the security-dev
mailing list