4. Image by EdenMoon from Pixabay
What Significant Changes
Occurred in JDK Security after
Java 17?
5. JDK Security Impact
☕ Over time, most algorithms weaken and can be exploited more easily.
☕ Lifetime of a JDK release can outlast the viable lifetime of many cryptographic algorithms.
☕ The Java Platform continuously gets enhancements to its tooling, supported cryptographic
algorithms and protocols.
☕ All changes are done for you to build and deploy applications that use modern and strong
algorithms and protocols.
13. First Post-Quantum Cryptography
Algorithms in OpenJDK
☕ Leighton-Micali Signature system (LMS) is a stateful hash-based signature (HBS) scheme.
☕ The Hierarchical Signature System (HSS) is the multi-tree variant of LMS.
☕ HSS/LMS is one of the two quantum resistant signature algorithms standardized by NIST.
☕ As use cases, HSS/LMS is suitable for software or firmware signing .
☕ HMS/LMS key and signature generation should be performed on hardware.
14. HSS/LMS Signature Verification
Implementation ㉑
HSS/LMS is the multi-tree
variant of the
Leighton-Micali (LMS)
system
New KeyFactory and
Signature verification
implementation of HSS/LMS
Only Signature verification
is supported *
* signature generation should be performed in hardware only
15. Read a HSS/LMS Public Key from its
Serialized Format
// Verification provider may be different,
// so convert encoded public key into a type it supports
var ALG = "HSS/LMS";
var instance = KeyFactory.getInstance(ALG);
var keySpec = new X509EncodedKeySpec(encodedPublicKey);
var generatedPublicKey = instance.generatePublic(keySpec);
16. Verify the Validity of a Signature that
Uses HSS/LMS Algorithm
// Verification provider may be different,
// so convert encoded public key into a type it supports
var ALG = "HSS/LMS";
var msg = "hello, world".getBytes(StandardCharsets.UTF_8);
var instance = KeyFactory.getInstance(ALG);
var keySpec = new X509EncodedKeySpec(encodedPublicKey);
var generatedPublicKey = instance.generatePublic(keySpec);
var signature = Signature.getInstance(ALG);
signature.initVerify(generatedPublicKey);
signature.update(msg);
System.out.println(signature.verify(sig));
18. SHA-1 JARs are Disabled by Default ⑱
$ jarsigner -verify -verbose old.jar
57 Wed Jul 12 14:25:08 EDT 2023 META-INF/MANIFEST.MF
249 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.SF
2005 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.RSA
m ? 1 Wed Jul 12 14:24:16 EDT 2023 A
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
? = unsigned entry
- Signed by "CN=signer"
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA256withRSA, 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the
security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
Change introduced in JDK 18, backported to CPU 22_10
19. Disabled Weak TLS Algorithms
☕ 3DES cipher suites have been removed from the default enabled TLS cipher suites. ⑲
☕ TLS_ECDH cipher suites are disabled because they do not preserve forward-secrecy. ⑳
☕ The DTLS 1.0 protocol has various weaknesses and is no longer recommended. ⑳
20. Restriction Rules for Weak Algorithms
☕ In krb5.conf for Kerberos since that's the standard way among Kerberos vendors.
☕ As security properties in the $JDK_HOME/conf/security/java.security file for:
☕ JAR verification
☕ CertPath and
☕ TLS
21. Removed Weak Kerberos Encryption
Types
#krb5.conf
[libdefaults]
allow_weak_crypto = false
permitted_enctypes =
es256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
des3-cbc-sha1 …
☕ DES,3DES and RC4 have been removed
from the default list of Kerberos encryption
types. ⑱
⛔ If allow_weak_crypto = true, any of the
weak encryption types could then be used!
☕ You can selectively enable weak algorithms in
Kerberos, by specifically adding the weak
algorithm(s) name to permitted_enctypes in
krb5.conf.
22. Image by EdenMoon from Pixabay
Re-enabling Any Weak Encryption
Type is NOT Recommended and
You Do That at Your Own Risk!
24. The Security Manager Influence
☕ Originally designed as a sandbox for running potentially untrusted applets.
☕ Later enhanced to support a fine-grained permission model.
☕ Was not widely used and JDK 17 deprecated for removal the Security Manager (JEP 411).
☕ Several APIs related to the Security Manager were deprecated for removal.
☕ Since JDK 18 the java.security.manager system property has disallow default value.
26. Replacement of JAAS APIs ⑱
☕ Some JAAS APIs depend on Security Manager related API.
☕ JEP 411 outlined plans to provide replacement JAAS APIs.
🆕 Subject::callAs() is a replacement for JAAS Subject::doAs() API.
🆕 Subject::current() is a replacement for JAAS Subject::getSubject()API.
29. APIs to Customize TLS and DTLS
Signature Schemes ⑲
SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
String[] sigSchemes = {"rsa_pkcs1_sha512", "rsa_pkcs1_sha384"};
sslParams.setSignatureSchemes(sigSchemes);
New javax.net.ssl.SSLParameters::setSignatureSchemes
30. APIs to Customize TLS and DTLS Named
Groups ⑳
SSLParameters params = new SSLParameters();
params.setNamedGroups(new String[] { "x25519", "secp256r1" });
New javax.net.ssl.SSLParameters::setNamedGroups
32. Key Encapsulation Mechanism (KEM)
☕ Also a scheme with public and private keys.
☕ The sender has receiver’s public key.
☕ KEM uses properties of the public key to derive a related symmetric key.
☕ The two parties can securely negotiate a shared secret.
☕ The shared secret can then be used in secure communication with a symmetric cipher.
34. Key Encapsulation Mechanism API ㉑
☕ Key pair generation function
This function is already covered by the KeyPairGenerator API.
☕ Key encapsulation
Encapsulate(public_key) -> key_encapsulation_message, shared_secret
☕ Key decapsulation
Decapsulate(private_key, key_encapsulation_message) -> shared_secret
35. Support for the EdDSA Signature
Algorithm in XML Signatures ㉑
☕ XML Signatures can now be signed or verified with the EdDSA algorithm.
🆕 Standard SignatureMethod URIs
🆕 SignatureMethod.ED25519
🆕 SignatureMethod.ED448
Also backported to JDK 8u,11u, 17u
36. Toggle XML Signature Secure Validation Mode㉑
☕ Secure processing mode is enabled by default.
☕ Stricter constraints for validating XML signatures are defined by a new security property.
🆕 jdk.xml.dsig.secureValidationPolicy security property
☕ If org.jcp.xml.dsig.secureValidation=true, validation of XML signatures is subject to stricter
constraints as defined by jdk.xml.dsig.secureValidationPolicy.
Also backported to JDK 8u,11u, 17u
37. Fine Tune Usage of XPath here()Function ㉑
<!-- select node-sets for use in XPath
transforms..-->
<XPath xmlns:dsig="&dsig;">
count(ancestor-or-self::dsig:Signature |
here()/ancestor::dsig:Signature[1]) >
count(ancestor-or-self::dsig:Signature)</XPat
h>
☕ here() is not a standard XPath function
🆕 jdk.xml.dsig.hereFunctionSupported
☕ The security property has default value true.
Also backported to JDK 8u,11u, 17u
41. MacOS KeychainStore Can Show Only
Trusted Certificates ㉑
KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
keyStore.load(null, null);
keyStore.aliases().asIterator().forEachRemaining(System.out::println);
System.out.println("size:" + keyStore.size());
// before JDK 21 prints user domain certificates
// JDK 21+, prints proper trust certificates in user and/or admin domain
Change backported to JDK 11, 17
42. Updates to the JDK cacerts File
☕ No longer uses obsolete proprietary JKS format
☕ Uses password-less PKCS12 format
☕ Public certificates no longer encrypted
☕ No longer need to specify/change a default password (“changeit”)
44. Keytool Improvements (1)
☕ Uses larger default key sizes in -genkeypair if -keysize option is not specified
$ keytool -genkeypair -keyalg RSA -keystore keystore
...
Generating 3.072 bit RSA key pair and self-signed certificate
(SHA384withRSA) with a validity of 90 days
45. Keytool Improvements (2)
☕ Uses larger default key sizes in -genkeypair if -keysize option is not specified.
☕ -genseckey and -importpass options warn when using weak password-based encryption
algorithms. ㉑
$ keytool -genseckey -alias secret -keypass changeit -keyalg RC4
-keysize 128 -keystore example.p12 -storepass changeit
-storetype PKCS12 -v
Generated 128-bit ARCFOUR secret key [Storing example.p12]
Warning: The generated secret key uses the ARCFOUR algorithm which is
considered a security risk.
46. Jarsigner Improvements
☕ Strengthens the default digest and signature algorithms when signing.
☕ SHA-1 JARs are disabled by default (except those timestamped prior to 2019-01-01).
☕ Specify the class path of an alternate keystore implementation via –providerPath. ⑲
$ jarsigner -keystore keystore -storetype CUSTOMKS
-providerPath /path/to/test.myks
-providerClass my.custom.AnotherProvider
signed.jar mykey
47. Recording Initial Security Properties With
JDK Flight Recorder
🆕 jdk.InitialSecurityProperty cryptographic event
☕ Enabled by default in default.jfc and profile.jfc.
☕ Captures info on initial security properties when loaded via java.security.Security class.
48. Disabling Initial Security Properties Event
$ jfr configure jdk.InitialSecurityProperty#enabled=false
# or on launch
$ java -XX:StartFlightRecording:settings=none,
+jdk.InitialSecurityProperty#enabled=false
49. Recording Details About Security Provider
Instance Requests
🆕 jdk.SecurityProviderService cryptographic event
☕ Disabled by default in default.jfc and profile.jfc.
☕ Records info on java.security.Provider.getService(…) calls.
50. Enabling Security Provider Instance
Requests Event
$ jfr configure jdk.SecurityProviderService#enabled=true
# or on launch
$ java -XX:StartFlightRecording:settings=none,
+jdk.SecurityProviderService#enabled=true
52. Java Crypto Roadmap
(https://java.com/cryptoroadmap)
☕ Informs the public about upcoming security changes to update releases.
☕ Each change improves security in some way:
☕ Restrict or disable a weak algorithm,
☕ A default can be changed to a stronger setting,
☕ Support for a stronger algorithm can be added,
☕ Or improve tools to help you diagnose security issues.
☕ Yet, a change may have some compatibility risk:
☕ Advance notice (usually 3-6 months), except in case of a severe vulnerability.
☕ Testing instructions, if applicable.
53. Stay Tuned for More
Inside.java
Dev.java youtube.com/java
54. Useful Links
☕ JEP 411 about deprecation of the Security Manager for removal https://openjdk.org/jeps/411
☕ Sean Mullan’s blog on JDK security changes: https://seanjmullan.org/blog/
☕ Java Security Standard Algorithm Names https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html
☕ Java Security Guide https://docs.oracle.com/en/java/javase/21/security/java-security-overview1.html
☕ Java CryptoRoadmap https://www.java.com/en/jre-jdk-cryptoroadmap.html
☕ Java 21 Tool Enhancements: Better Across the Board #RoadTo21 https://www.youtube.com/embed/nFJBVuaIsRg
☕ Java 21 Security Updates #RoadTo21 https://www.youtube.com/embed/kSjdZZsHM04