RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

Weijun Wang weijun at openjdk.java.net
Thu Oct 1 20:09:16 UTC 2020


On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.

TBD: We bumped iteration counts for PBE and HMAC to 50000 and 100000 when we were using weak algorithms. Now that the
algorithms are strong, we can consider lowering them. Currently, openssl 3.0.0 uses 2048 and Windows Server 2019 uses 2000.

-------------

PR: https://git.openjdk.java.net/jdk/pull/473


