RFR: 8267319: Use larger default key sizes and algorithms based on CNSA [v6]
Valerie Peng
valeriep at openjdk.java.net
Wed Mar 16 00:33:43 UTC 2022
On Tue, 15 Mar 2022 20:51:25 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> It's been several years since we increased the default key sizes. Before shifting to PQC, NSA replaced its Suite B cryptography recommendations with the Commercial National Security Algorithm Suite which suggests:
>>
>> - SHA-384 for secure hashing
>> - AES-256 for symmetric encryption
>> - RSA with 3072 bit keys for digital signatures and for key exchange
>> - Diffie Hellman (DH) with 3072 bit keys for key exchange
>> - Elliptic curve [P-384] for key exchange (ECDH) and for digital signatures (ECDSA)
>>
>> So, this proposed changes made the suggested key size and algorithm changes. The changes are mostly in keytool, jarsigner and their regression tests, so @wangweij Could you please take a look?
>>
>> Thanks!
>
> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
>
> Removed NPE from the catch statement.
Could you please please review CSR at: https://bugs.openjdk.java.net/browse/JDK-8282995
Thanks!
-------------
PR: https://git.openjdk.java.net/jdk/pull/7652
More information about the security-dev
mailing list