JDK-8015328

Generate 2048 bit RSA and DSA keys by default

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: P3
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: 9
    • Component/s: security-libs

      Description

      Per NIST SP 800-57 recommendation [1], RSA/DSA keys of less than 1024 bits are only allowed for legacy use since 2014, and deprecated since 2011. The RSA key pair generation is still using 1024 bits as the default key size:

          public RSAKeyPairGenerator() {
              // initialize to default in case the app does not call initialize()
              initialize(1024, null);
          }

      We may also need to check the code for DSA and DH.

      We may want to make an improvement to use 2048 bits keys by default in JDK 8.

      [1] http://sim.ivi.co/2012/04/nist-security-strength-time-frames.html

          Activity

          xuelei Xue-Lei Fan added a comment -
          [Sean Mullan] I think this is a good idea and we should increase it to 2048. This change does seem to be acceptable since it is provider-specific as defined by the KeyPairGenerator API, but we should file a CCC since it is a behavior change.
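
An added example (not code from the JDK or from this issue): it measures the key size a provider produces when the application never calls initialize(), for RSA, DSA and DH, and shows the explicit 2048-bit request that avoids depending on that default. The class name, method names and the MIN_BITS constant are assumptions made for illustration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.interfaces.DHPublicKey;

// Hypothetical audit helper, not part of the JDK.
public class DefaultKeySizeAudit {
    // Assumed floor, taken from the size proposed in this issue.
    static final int MIN_BITS = 2048;

    // Bit length of the parameter that determines the key's strength.
    static int bits(PublicKey pub) {
        if (pub instanceof RSAPublicKey)
            return ((RSAPublicKey) pub).getModulus().bitLength();
        if (pub instanceof DSAPublicKey)
            return ((DSAPublicKey) pub).getParams().getP().bitLength();
        if (pub instanceof DHPublicKey)
            return ((DHPublicKey) pub).getParams().getP().bitLength();
        throw new IllegalArgumentException("unsupported key: " + pub.getAlgorithm());
    }

    // No initialize() call here, so the provider's built-in default applies.
    static int providerDefaultBits(String alg) throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(alg);
        return bits(kpg.generateKeyPair().getPublic());
    }

    // Explicit size: the result no longer depends on the provider default.
    static KeyPair generate(String alg, int size) throws NoSuchAlgorithmException {
        if (size < MIN_BITS)
            throw new IllegalArgumentException(size + " bits is below " + MIN_BITS);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(alg);
        kpg.initialize(size);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        for (String alg : new String[] {"RSA", "DSA", "DiffieHellman"}) {
            int d = providerDefaultBits(alg);
            System.out.printf("%s default: %d bits (%s)%n",
                    alg, d, d >= MIN_BITS ? "ok" : "below floor");
        }
        KeyPair kp = generate("RSA", 2048);
        System.out.println("explicit RSA: " + bits(kp.getPublic()) + " bits");
    }
}
```

The reported defaults depend on the JDK release and on which provider is selected, so run it on each runtime that generates keys.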

            People

            • Assignee: mullan Sean Mullan
            • Reporter: xuelei Xue-Lei Fan