Adding NIST recommendation for RSA

Author: WesleyRosenblum

src/examples/java/com/amazonaws/crypto/examples/keyring/awskms/DiscoveryDecryptWithPreferredRegions.java

@@ -92,7 +92,7 @@ public static void run(final AwsKmsCmkId awsKmsCmk, final byte[] sourcePlaintext
 
         // Finally, combine those two keyrings into a multi-keyring.
         //
-        // The multi-keyring steps through its member keyrings in the order that you provider them,
+        // The multi-keyring steps through its member keyrings in the order that you provide them,
         // attempting to decrypt every encrypted data key with each keyring before moving on to the next keyring.
         // Because of this, otherRegionsDecryptKeyring will not be called
         // unless localRegionDecryptKeyring fails to decrypt every encrypted data key.
@@ -109,7 +109,7 @@ public static void run(final AwsKmsCmkId awsKmsCmk, final byte[] sourcePlaintext
         // Demonstrate that the ciphertext and plaintext are different.
         assert !Arrays.equals(ciphertext, sourcePlaintext);
 
-        // Decrypt your encrypted data using the multi keyring.
+        // Decrypt your encrypted data using the multi-keyring.
         //
         // We do not need to specify the encryption context on decrypt
         // because the header message includes the encryption context.

src/examples/java/com/amazonaws/crypto/examples/keyring/awskms/MultipleRegions.java

@@ -37,7 +37,7 @@
 public class MultipleRegions {
 
     /**
-     * Demonstrate an encrypt/decrypt cycle using a KMS keyring with a single CMK.
+     * Demonstrate an encrypt/decrypt cycle using a KMS keyring with CMKs in multiple regions.
      *
      * @param awsKmsGeneratorCmk   The ARN of an AWS KMS CMK that protects data keys
      * @param awsKmsAdditionalCmks Additional ARNs of secondary KMS CMKs

src/examples/java/com/amazonaws/crypto/examples/keyring/multi/AwsKmsWithEscrow.java

@@ -62,7 +62,9 @@ public static void run(final AwsKmsCmkId awsKmsCmk, final byte[] sourcePlaintext
         // Generate an RSA key pair to use with your keyring.
         // In practice, you should get this key from a secure key management system such as an HSM.
         final KeyPairGenerator kg = KeyPairGenerator.getInstance("RSA");
-        kg.initialize(4096); // Escrow keys should be very strong
+        // The National Institute of Standards and Technology (NIST) recommends a minimum of 2048-bit keys for RSA.
+        // https://www.nist.gov/publications/transitioning-use-cryptographic-algorithms-and-key-lengths
+        kg.initialize(4096);
         final KeyPair keyPair = kg.generateKeyPair();
 
         // Create the encrypt keyring that only has access to the public key.

src/examples/java/com/amazonaws/crypto/examples/keyring/rawrsa/PublicPrivateKeySeparate.java

@@ -58,7 +58,9 @@ public static void run(final byte[] sourcePlaintext) throws GeneralSecurityExcep
         // Generate an RSA key pair to use with your keyring.
         // In practice, you should get this key from a secure key management system such as an HSM.
         final KeyPairGenerator kg = KeyPairGenerator.getInstance("RSA");
-        kg.initialize(4096); // Escrow keys should be very strong
+        // The National Institute of Standards and Technology (NIST) recommends a minimum of 2048-bit keys for RSA.
+        // https://www.nist.gov/publications/transitioning-use-cryptographic-algorithms-and-key-lengths
+        kg.initialize(4096);
         final KeyPair keyPair = kg.generateKeyPair();
 
         // Create the keyring that determines how your data keys are protected.

src/examples/java/com/amazonaws/crypto/examples/keyring/rawrsa/RawRsa.java

@@ -48,7 +48,9 @@ public static void run(final byte[] sourcePlaintext) throws GeneralSecurityExcep
         // Generate an RSA key pair to use with your keyring.
         // In practice, you should get this key from a secure key management system such as an HSM.
         final KeyPairGenerator kg = KeyPairGenerator.getInstance("RSA");
-        kg.initialize(4096); // Escrow keys should be very strong
+        // The National Institute of Standards and Technology (NIST) recommends a minimum of 2048-bit keys for RSA.
+        // https://www.nist.gov/publications/transitioning-use-cryptographic-algorithms-and-key-lengths
+        kg.initialize(4096);
         final KeyPair keyPair = kg.generateKeyPair();
 
         // Create the keyring that determines how your data keys are protected.

src/examples/java/com/amazonaws/crypto/examples/legacy/EscrowedEncryptExample.java

@@ -153,7 +153,9 @@ private static void escrowDecrypt(final String fileName) throws Exception {
 
     private static void generateEscrowKeyPair() throws GeneralSecurityException {
         final KeyPairGenerator kg = KeyPairGenerator.getInstance("RSA");
-        kg.initialize(4096); // Escrow keys should be very strong
+        // The National Institute of Standards and Technology (NIST) recommends a minimum of 2048-bit keys for RSA.
+        // https://www.nist.gov/publications/transitioning-use-cryptographic-algorithms-and-key-lengths
+        kg.initialize(4096);
         final KeyPair keyPair = kg.generateKeyPair();
         publicEscrowKey = keyPair.getPublic();
         privateEscrowKey = keyPair.getPrivate();