JDK-6561126

keytool should use larger default keysize for keypairs

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 7
    • Fix Version/s: 7
    • Component/s: security-libs
    • Subcomponent:
    • Resolved In Build: b72
    • CPU: sparc
    • OS: solaris_10

      Description

      Recent cryptanalysis has shown weaknesses (though not yet broken) in 1024-bit RSA keys: see http://www.theregister.com/2007/05/22/unreadable_writing_is_on_the_wall/

      We should seriously consider increasing the keytool default keysize for generating keypairs to 2048 for JDK 7. For DSA, this will require support for keys larger than 1024 - see 6560751.

          Activity

          weijun Weijun Wang added a comment -
          BT2:EVALUATION

          Inside keytool, the key pair generator calls:

              keyGen.initialize(keyBits, prng);
              pair = keyGen.generateKeyPair();

          Here, keyBits is either user specified or defaults to 1024 (or 256 for ECC), and prng is always a SecureRandom object. We can remove the initialize line when the user has not specified a keysize. The default keysize will thus be consistent with those documented in "Java™ Cryptography Architecture Sun Providers Documentation".
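          As an added example (not code from the JDK, keytool, or the fix tracked in this issue), the following Java program shows the two paths the comment describes: calling initialize() with an explicit key size versus omitting it so the provider's documented default applies. It also audits a keystore for RSA entries below a 2048-bit threshold; the class and method names, the threshold constant and the keystore arguments are assumptions for this example.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.*;

public class KeySizeCheck {
    // Threshold assumed for this example; the issue proposes 2048 as the new keytool default.
    static final int MIN_RSA_BITS = 2048;

    // keyBits == null mirrors keytool without -keysize: no initialize() call,
    // so the provider's documented default key size is used.
    static KeyPair generateRsa(Integer keyBits) throws NoSuchAlgorithmException {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        if (keyBits != null) {
            keyGen.initialize(keyBits, new SecureRandom());
        }
        return keyGen.generateKeyPair();
    }

    // Modulus length for RSA keys; -1 for other algorithms, which this check does not assess.
    static int rsaModulusBits(PublicKey key) {
        return (key instanceof RSAPublicKey) ? ((RSAPublicKey) key).getModulus().bitLength() : -1;
    }

    // Defender check: aliases whose certificate carries an RSA key below the threshold.
    static List<String> undersizedRsaAliases(KeyStore ks) throws KeyStoreException {
        List<String> weak = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias);
            int bits = (cert == null) ? -1 : rsaModulusBits(cert.getPublicKey());
            if (bits > 0 && bits < MIN_RSA_BITS) weak.add(alias + " (" + bits + " bits)");
        }
        return weak;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("explicit 1024: " + rsaModulusBits(generateRsa(1024).getPublic()) + " bits");
        System.out.println("provider default: " + rsaModulusBits(generateRsa(null).getPublic()) + " bits");
        if (args.length == 2) { // optional args: keystore path, store password
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
            System.out.println("undersized RSA entries: " + undersizedRsaAliases(ks));
        }
    }
}
```

          Run without arguments to compare the explicit and provider-default key sizes, or pass a keystore path and password to list entries that fall under the threshold.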
          weijun Weijun Wang added a comment -
          BT2:EVALUATION

          Change RSA default bitsize to 2948, change all SHA-1 to SHA-256.
          weijun Weijun Wang added a comment -
          BT2:EVALUATION

          http://hg.openjdk.java.net/jdk7/tl/jdk/rev/29b076bfeafd

            People

            • Assignee: weijun Weijun Wang
            • Reporter: mullan Sean Mullan
            • Votes: 0
            • Watchers: 1
