JDK-8233607 : Remove algorithms that use MD5 or DES from security requirements
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 14
  • Submitted: 2019-11-05
  • Updated: 2019-11-13
  • Resolved: 2019-11-13
Description
Summary
-------

Remove Java SE requirements to implement security algorithms based on DES or MD5. 

Problem
-------

To improve portability and interoperability, Java SE implementations are required to support a minimum set of cryptographic algorithms for various security APIs. It makes sense to periodically review these requirements and remove algorithms or modes that are known to be weak and whose usage has declined significantly, such as DES and MD5.

Solution
--------

Remove Java SE requirements to implement security algorithms based on DES or MD5 from various security APIs. The relevant classes are:
  
  * java.security.AlgorithmParameters
  * java.security.MessageDigest
  * javax.crypto.Cipher
  * javax.crypto.KeyGenerator
  * javax.crypto.Mac
  * javax.crypto.SecretKeyFactory

These requirements will also be removed from the Security Algorithm Implementation Requirements section of the Java Security Standard Algorithm Names specification.
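
Once these algorithms are no longer required, portable code cannot assume a given runtime provides them. The following probe is an added example, not part of this CSR or of the JDK sources; it checks one DES- or MD5-based name per class listed above. The class name `LegacyAlgorithmProbe` and the specific algorithm strings are assumptions chosen from the Standard Algorithm Names document, since the CSR text does not enumerate the removed entries.

```java
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Provider;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;

public class LegacyAlgorithmProbe {

    // One name per class listed in the CSR. The names are assumptions taken from
    // the Standard Algorithm Names document; the CSR text does not enumerate them.
    static final String[][] PROBES = {
        {"AlgorithmParameters", "DES"},
        {"MessageDigest", "MD5"},
        {"Cipher", "DES/CBC/PKCS5Padding"},
        {"KeyGenerator", "DES"},
        {"Mac", "HmacMD5"},
        {"SecretKeyFactory", "DES"},
    };

    // Returns the provider that would serve the request, or null when no
    // installed provider implements the algorithm on this runtime.
    static Provider lookup(String service, String algorithm) {
        try {
            switch (service) {
                case "AlgorithmParameters": return AlgorithmParameters.getInstance(algorithm).getProvider();
                case "MessageDigest":       return MessageDigest.getInstance(algorithm).getProvider();
                case "Cipher":              return Cipher.getInstance(algorithm).getProvider();
                case "KeyGenerator":        return KeyGenerator.getInstance(algorithm).getProvider();
                case "Mac":                 return Mac.getInstance(algorithm).getProvider();
                case "SecretKeyFactory":    return SecretKeyFactory.getInstance(algorithm).getProvider();
                default: throw new IllegalArgumentException("unknown service: " + service);
            }
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException or NoSuchPaddingException: not available here.
            return null;
        }
    }

    public static void main(String[] args) {
        for (String[] p : PROBES) {
            Provider provider = lookup(p[0], p[1]);
            System.out.printf("%-20s %-22s %s%n", p[0], p[1],
                provider == null ? "ABSENT on this runtime" : "present (" + provider.getName() + ")");
        }
    }
}
```

A "present" result only reflects the providers installed on the runtime being tested; it is not a guarantee for other Java SE implementations.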

Specification
-------------

See attached webrev-01.zip.
Comments
Moving to Approved. I assume these changes are consistent with guidance given in the crypto roadmap.
13-11-2019

Review thread: https://mail.openjdk.java.net/pipermail/security-dev/2019-November/020862.html
12-11-2019