JDK-6561126 : keytool should use larger default keysize for keypairs
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris_10
  • CPU: sparc
  • Submitted: 2007-05-23
  • Updated: 2017-05-16
  • Resolved: 2009-07-31
7 b72: Fixed
Recent cryptanalysis has shown weaknesses (though not yet broken) in 1024 bit RSA keys: see http://www.theregister.com/2007/05/22/unreadable_writing_is_on_the_wall/

We should seriously consider increasing the keytool default keysize for generating keypairs
to 2048 for JDK 7. For DSA, this will require support for keys larger than 1024 - 
see 6560751.

EVALUATION Change RSA default bitsize to 2948, change all SHA-1 to SHA-256.

EVALUATION http://hg.openjdk.java.net/jdk7/tl/jdk/rev/29b076bfeafd

EVALUATION Inside keytool, the key pair generator calls:

    keyGen.initialize(keyBits, prng);
    pair = keyGen.generateKeyPair();

Here, keyBits is either user-specified or defaults to 1024 (or 256 for ECC), and prng is always a SecureRandom object. We can remove the initialize line when the user has not specified a keysize. The default keysize will thus be consistent with those documented in "Java™ Cryptography Architecture Sun Providers Documentation".
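
The behaviour the last evaluation relies on can be checked on any JDK with the added example below, which is not keytool's source and not code from this report: it skips initialize() when no key size is given, then reads the effective size back from the generated key. The class name DefaultKeySizeCheck, the helper names and the policy minimums are assumptions made for the example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;

public class DefaultKeySizeCheck {
    // Assumed policy minimums for this example; they are not values defined by the JDK.
    static final int MIN_RSA_DSA_BITS = 2048;
    static final int MIN_EC_BITS = 256;

    /** Effective size in bits, read from the generated public key itself. */
    static int bitsOf(PublicKey pub) {
        if (pub instanceof RSAPublicKey)
            return ((RSAPublicKey) pub).getModulus().bitLength();
        if (pub instanceof DSAPublicKey)
            return ((DSAPublicKey) pub).getParams().getP().bitLength();
        if (pub instanceof ECPublicKey)
            return ((ECPublicKey) pub).getParams().getCurve().getField().getFieldSize();
        throw new IllegalArgumentException("unsupported key type: " + pub.getAlgorithm());
    }

    /** keyBits == null models "no key size given": initialize() is skipped entirely. */
    static KeyPair generate(String alg, Integer keyBits, SecureRandom prng) throws Exception {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance(alg);
        // Without initialize(), the provider applies its documented default
        // parameters and its own source of randomness; prng is not used.
        if (keyBits != null) keyGen.initialize(keyBits, prng);
        return keyGen.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        SecureRandom prng = new SecureRandom();
        for (String alg : new String[] {"RSA", "DSA", "EC"}) {
            int bits = bitsOf(generate(alg, null, prng).getPublic());
            int min = alg.equals("EC") ? MIN_EC_BITS : MIN_RSA_DSA_BITS;
            System.out.printf("%-3s provider default: %4d bits  %s%n",
                    alg, bits, bits >= min ? "ok" : "BELOW POLICY");
        }
        // Explicit size, as when the user passes a key size on the command line.
        int explicit = bitsOf(generate("RSA", 2048, prng).getPublic());
        System.out.println("RSA explicit request: " + explicit + " bits");
    }
}
```

The provider-default lines vary with the JDK release and the installed providers, so the same program doubles as a check for runtimes that still generate undersized keys when no size is requested.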