Re: RFR [14] 8214483: Remove algorithms that use MD5, DES, or ECB from security requirements

Fri, 08 Nov 2019 04:50:29 -0800 

On 11/7/19 7:41 PM, Mike StJohns wrote:

You deleted DES but not DESede.   Was that intentional?


Yes. Bernd had a similar question and I earlier replied:

On 11/6/19 3:05 PM, Bernd Eckenfels wrote:

> On the other hand, requiring 3DES might really not be a requirement 
anymore, while at it remove it, also?



I did think about that, but industry-wide deprecation of 3DES is more 
recent than DES. I would like to hold off on that for now until we 
understand the compatibility risk a little better for certain components 
such as Kerberos.


--Sean



Sent from my iPad


On Nov 7, 2019, at 17:12, Sean Mullan <sean.mul...@oracle.com> wrote:

Ok, I have put back the Cipher algorithms with ECB mode that I had previously 
removed (except for DES/ECB which is still removed).

Updated webrev: https://cr.openjdk.java.net/~mullan/webrevs/8214483/webrev.01/

--Sean


On 11/6/19 5:43 PM, Michael StJohns wrote:

On 11/6/2019 11:27 AM, Sean Mullan wrote:
Please remove this change to remove the Java SE requirements to implement 
security algorithms based on DES, MD5, or ECB. It makes sense to periodically 
review these requirements and remove algorithms or modes that are known to be 
weak and of which usage has declined significantly and thus compatibility risk 
is much lower.

Note that we are not removing the actual implementations of these algorithms 
from the JDK. This just means that an SE implementation is not required to 
support these algorithms.

webrev: https://cr.openjdk.java.net/~mullan/webrevs/8214483/webrev.00/
CSR: https://bugs.openjdk.java.net/browse/JDK-8233607

Thanks,
Sean


I don't have a problem with removing  DES or MD5 from the must-implement list, 
but ECB is a fundamental building block mode.  It's going to be how you 
implement a new mode before there's specific support for that mode.   Pretty 
much any mode can be implemented using ECB as its only real crypto operation.   
E.g. CBC, CTR, CCM, GCM, CFB, OFB etc are all wrapped around ECB in some form.  
 Please continue to require that it be implemented. Policy MAY restrict the use 
of the mode for a given key, but that's a provider issue.
Mike
























					Reply via email to