Java SE Disables MD2 Algorithm in Certification Path Building and Validation

The MD2 Message-Digest Algorithm is no longer considered secure [1][2][3][4], Java SE disables MD2 algorithm in certification path building and validation from Java SE 1.6.0_17 (6u17) [JavaSE 6u17] and Java SE 1.5.0_22 (5u22) [JavaSE 5u22].

However, even as of 2011, the MD2 algorithm remains in use in Public Key Infrastructures (PKI) as part of certificates generated with MD2 and RSA. It is recommended to request or renew a new certificate with stronger cryptographic algorithm from the Certificate Authority (CA).

[1]: Søren S. Thomsen (2008). An improved preimage attack on MD2
[2]: Knudsen, L., Mathiassen, J., Muller, F., and Thomsen, S., "Cryptanalysis of MD2", Journal of Cryptology, 23(1):72-90, 2010.
[3]: CVE-2009-2409
[4]: S. Turner, L. Chen, "MD2 to Historic Status", RFC 6149, March 2011
[JavaSE 6u17]: Java SE 6 update 17
[JavaSE 5u22]: Java SE 1.5.0 update 22

Popular posts from this blog

Java™ SE 7 Release Security Enhancements - Weak Cryptography Control

JSSE Oracle Provider Preference of TLS Cipher Suites

JEP 114: TLS SNI Extension - Virtual Servers Dispatcher