Integrated: 8267319: Use larger default key sizes and algorithms based on CNSA

Valerie Peng valeriep at openjdk.java.net
Thu Mar 24 22:53:56 UTC 2022


On Wed, 2 Mar 2022 00:13:41 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> It's been several years since we increased the default key sizes. Before shifting to PQC, NSA replaced its Suite B cryptography recommendations with the Commercial National Security Algorithm Suite which suggests:
> 
> - SHA-384 for secure hashing
> - AES-256 for symmetric encryption
> - RSA with 3072 bit keys for digital signatures and for key exchange
> - Diffie Hellman (DH) with 3072 bit keys for key exchange
> - Elliptic curve [P-384] for key exchange (ECDH) and for digital signatures (ECDSA)
> 
> So, this proposed changes made the suggested key size and algorithm changes. The changes are mostly in keytool, jarsigner and their regression tests, so @wangweij Could you please take a look?
> 
> Thanks!

This pull request has now been integrated.

Changeset: 313bc7f6
Author:    Valerie Peng <valeriep at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/313bc7f64f69d8f352d495d2c35bea62aca910e4
Stats:     504 lines in 29 files changed: 326 ins; 8 del; 170 mod

8267319: Use larger default key sizes and algorithms based on CNSA

Reviewed-by: weijun, xuelei

-------------

PR: https://git.openjdk.java.net/jdk/pull/7652



More information about the security-dev mailing list