JDK 6 Security Enhancements
The Java Platform has added support for the following Security
functionality in version 6:
- Mixing Signed and Unsigned Code
As of the Java SE 6 Update 19 release (or later), a warning dialog
is raised when a Java Web Start application or applet contains both
signed and unsigned components. See Mixing Privileged Code and Sandbox Code for
more information.
- JSR 105, the XML Digital Signature API and
implementation
For details, see the XML Digital
Signature API Specification and the XML Digital Signature API
Overview and Tutorial
- JSR 268, Smart Card I/O API
Sun's Java SE 6 implementation bundles the Smart Card I/O
API defined by JSR 268 as well as a
provider called SunPCSC which uses the
platform's native PC/SC Smart Card stack, if available. Note that
neither the API nor the SunPCSC provider are part of the Java SE 6
platform specification and may not be present on other compliant
Java SE implementations.
- Elliptic Curve Cryptography (ECC) in SunPKCS11
The SunPKCS11 provider now exposes ECC algorithms if the underlying
PKCS#11 token supports them. This include ECDSA signing and
verification, ECDH key agreement, and generation of EC keypairs.
For more information about the supported mechanisms, see the
supported algorithms section in the PKCS#11 reference guide.
- Elliptic Curve CipherSuites in SunJSSE
The SunJSSE now supports the ECC ciphersuites defined in RFC 4492,
if a suitable crypto provider is available (for example, SunPKCS11
with an appropriate PKCS#11 library). For more information, see the
list of supported
ciphersuites and their requirements.
- Access Network Security Services (NSS) using
SunPKCS11
The SunPKCS11 provider supports new configuration directives which
allow it to access the NSS security library. This enables Java
applications to read keys stored in the NSS database files, use ECC
algorithms, and to use the NSS Softtoken as a FIPS 140 compliant
cryptography provider. For more information see the NSS section in the PKCS#11 guide.
- FIPS 140 compliance for SunJSSE
The SunJSSE provider now supports an experimental FIPS 140
compliant mode. When enabled and used in combination with the
SunPKCS11 provider and an appropriate FIPS 140 certified PKCS#11
token, SunJSSE is FIPS 140 compliant. For details, see the JSSE Reference Guide.
- Pluggability restrictions have been removed from
JSSE
In earlier releases, the JSSE framework did not allow 3rd party
JSSE providers that implemented non-standard ciphersuites due to
export control issues.
- Socket read timeouts are fully supported by SunJSSE
SSLSockets
In previous releases, calling setSoTimeout()
would
sometimes lead to unpredictable results. This has been
corrected.
- Cipher Text Stealing (CTS) mode added to SunJCE block
ciphers
CTS is described in Bruce Schneier's book "Applied
Cryptography-Second Edition", John Wiley & Sons, 1996 (pg.
195-196), and is used by some Kerberos implementations.
- New
PBKDF2WithHmacSHA1 Secretkeyfactory
algorithm added to SunJCE
Constructs secret keys using the Password-Based Key Derivation
Function function found in PKCS5 v2.0.
- Removed the 2048 RSA keysize limit from
local_policy.jar
Implementations were previously restricted from obtaining RSA keys
larger than 2048 bits without installing the unlimited crypto
policy files.
- New Certification Authority (CA) certificates
added
A number of new CA certificates were added to the default system
lib/security/cacerts
file. See the keytool docs for the
complete list of CA certificates.
- Added Two New Options to
jarsigner
Tool
Options -digestalg
and -sigalg
have been
added to the jarsigner tool to allow users to override the default
signature and digest algorithms when signing a jar file
- New Options for
keytool
Tool
Options -genseckey
and -importkeystore
have been added to the keytool tool to allow users to generate a
SecretKey inside a keystore and copy entries from one keystore to
another. Options -genkey
, -import
and
-export
have been renamed to -genkeypair
,
-importcert
and -exportcert
.
- User-Entered Passwords no longer echoed on the
screen
Security tools like keytool
/jarsigner
,
and the JAAS login authentication modules use the new
java.io.Console
class so that user-entered passwords
are no longer echoed on the screen.
- Support for AES Encryption Type in Java
GSS/Kerberos
Support for AES encryption type (AES128 and AES256) in Java
GSS/Kerberos is available. This improves interoperability of the
Java SE Kerberos implementation with other Kerberos
implementations, such as Solaris 10 and MIT Kerberos. For details,
see Java GSS Security
Features.
- Support for RC4-HMAC Encryption Type in Java
GSS/Kerberos
Support for RC4-HMAC encryption type in Java GSS/Kerberos is
available. This improves interoperability of the Java SE Kerberos
implementation with other Kerberos implementations, such as
Windows, Solaris 10 and MIT Kerberos. Windows Active Directory
supports RC4-HMAC as the default Kerberos encryption type. For
details, see Java GSS Security
Features.
- Support for SPNEGO in Java GSS
Support for SPNEGO mechanism in Java GSS is now available. The
Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is a
pseudo security mechanism that enables GSS-API peers to securely
negotiate a common security mechanism to be used.
Support for SPNEGO authentication scheme in HTTP is also available.
For details, see Java GSS
Security Features.
- Support for new Pre-Authentication Mechanisms
Java GSS/Kerberos now includes support for the new
pre-authentication mechanisms as described in the latest Kerberos
specification. For details, see Java GSS Security Features.
- Native Platform GSS Integration
This feature allows Java GSS applications to take advantage of
features in the native GSS implementation available on the
platform. For details, see Java
GSS Security Features.
- Access to native PKI and cryptographic services on Microsoft
Windows
Added the SunMSCAPI JCE
provider which uses the Microsoft CryptoAPI (CAPI) to offer a
variety of RSA cryptographic functions. It acts as a bridge between
Java applications and the services offered by the default RSA
cryptographic service provider available via CAPI. It provides
access to X.509 certificates and RSA key pairs, it performs RSA
encryption and decryption, and it creates and validates RSA
signatures. It also supports a cryptographic random number
generator.
- Enhancements to the implementation of PKI Certificate Path
Validation
Added support for segmented and indirect CRLs, resulting in
improved performance and improved PKIX compliance (RFC 3280).
- JAAS-based authentication using LDAP
Added a JAAS login module which enables users to perform
authentication using credentials stored in an LDAP directory
service. It provides a drop-in solution for existing JAAS-enabled
applications that wish to support authentication using LDAP. See
LDAPLoginModule for more information.
- Default SSLContext
Added the static method getDefault()
and
setDefault()
to SSLContext.
getDefault()
returns the default SSLContext, which is
initialized in an implementation specific fashion, for example
using system properties. setDefault()
allows an
application to programmatically set the default context to any
initialized SSLContext object.
- SSLParameters
The new SSLParameters
class encapsulates the configuration parameters of an SSL endpoint,
in particular the ciphersuites, protocol versions, and for servers
the client authentication requirements. They can be applied with a
single call to SSLSocket.setSSLParameters()
or
SSLEngine.setSSLParameters()
.