From Java 17 to 21: A Showcase of JDK Security Enhancements
Java Champion Alumni, Certified Architect
Senior Developer Advocate at Oracle
Passionate about solving complex scenarios
involving Java and Kubernetes.
ammbra1508 ammbra1508.mastondon.social
6-Month Release Cadence
Image by EdenMoon from Pixabay
What Significant Changes Occurred in JDK Security after Java 17?
JDK Security Impact
☕ Over time, most algorithms weaken and can be exploited more easily.
☕ Lifetime of a JDK release can outlast the viable lifetime of many cryptographic algorithms.
☕ The Java Platform continuously gets enhancements to its tooling, supported cryptographic algorithms and protocols.
☕ All changes are done for you to build and deploy applications that use modern and strong algorithms and protocols.
Java Security Overview
Java Security Components
Java Language and Runtime Security
APIs and Libraries: Cryptography (JCA/JCE), PKI, TLS/DTLS (JSSE), Signed JARs, SASL, XML Signature, GSSAPI/Kerberos, Authn/Authz (JAAS)
Tools: keytool, jarsigner, kinit, klist, ktab
Image by Myriams-Fotos from Pixabay
Modern Cryptographic Algorithms
Larger Key Sizes to Improve Resilience
Algorithm               Specification            Before JDK 19   In JDK 20 & 21
AES Cipher              FIPS Pub 197             128 bit         256 bit (if allowed by policy)
ECDH                    NIST SP 800-56A          Curve P-256     Curve P-384
ECDSA Signature         FIPS Pub 186-4           Curve P-256     Curve P-384
SHA MessageDigest       FIPS Pub 180-4           SHA-256         SHA-384
DH KeyExchange          IETF RFC 3526            2048-bit        3072-bit
RSA/RSAPSS Signature    NIST SP 800-56B rev 1    2048-bit        3072-bit
Image by TheDigitalArtist from Pixabay
A Potential Threat of Quantum Computers?
First Post-Quantum Cryptography Algorithms in OpenJDK
☕ Leighton-Micali Signature system (LMS) is a stateful hash-based signature (HBS) scheme.
☕ The Hierarchical Signature System (HSS) is the multi-tree variant of LMS.
☕ HSS/LMS is one of the two quantum resistant signature algorithms standardized by NIST.
☕ As use cases, HSS/LMS is suitable for software or firmware signing.
☕ HSS/LMS key and signature generation should be performed on hardware.
HSS/LMS Signature Verification Implementation ㉑
☕ HSS/LMS is the multi-tree variant of the Leighton-Micali (LMS) system.
☕ New KeyFactory and Signature verification implementation of HSS/LMS.
☕ Only Signature verification is supported *
* signature generation should be performed in hardware only
Read an HSS/LMS Public Key from its Serialized Format
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
// encodedPublicKey holds the X.509 SubjectPublicKeyInfo (DER) bytes of the HSS/LMS key
static PublicKey readHssLmsPublicKey(byte[] encodedPublicKey) throws Exception {
    // Verification provider may be different,
    // so convert encoded public key into a type it supports
    var ALG = "HSS/LMS";
    var instance = KeyFactory.getInstance(ALG);
    var keySpec = new X509EncodedKeySpec(encodedPublicKey);
    return instance.generatePublic(keySpec);
}
Verify the Validity of a Signature that Uses the HSS/LMS Algorithm
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
// encodedPublicKey: DER SubjectPublicKeyInfo of the HSS/LMS key; sig: the signature bytes to check
static boolean verifyHssLms(byte[] encodedPublicKey, byte[] sig) throws Exception {
    // Verification provider may be different,
    // so convert encoded public key into a type it supports
    var ALG = "HSS/LMS";
    var msg = "hello, world".getBytes(StandardCharsets.UTF_8);
    var instance = KeyFactory.getInstance(ALG);
    var keySpec = new X509EncodedKeySpec(encodedPublicKey);
    var generatedPublicKey = instance.generatePublic(keySpec);
    var signature = Signature.getInstance(ALG);
    signature.initVerify(generatedPublicKey);
    signature.update(msg);
    boolean valid = signature.verify(sig);
    System.out.println(valid);
    return valid;
}
Restricted Weak Algorithms
SHA-1 JARs are Disabled by Default ⑱
$ jarsigner -verify -verbose old.jar
57 Wed Jul 12 14:25:08 EDT 2023 META-INF/MANIFEST.MF
249 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.SF
2005 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.RSA
m ? 1 Wed Jul 12 14:24:16 EDT 2023 A
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
? = unsigned entry
- Signed by "CN=signer"
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA256withRSA, 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the
security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
Change introduced in JDK 18, backported to CPU 22_10
Disabled Weak TLS Algorithms
☕ 3DES cipher suites have been removed from the default enabled TLS cipher suites. ⑲
☕ TLS_ECDH cipher suites are disabled because they do not preserve forward-secrecy. ⑳
☕ The DTLS 1.0 protocol has various weaknesses and is no longer recommended. ⑳
Restriction Rules for Weak Algorithms
☕ In krb5.conf for Kerberos since that's the standard way among Kerberos vendors.
☕ As security properties in the $JDK_HOME/conf/security/java.security file for:
☕ JAR verification
☕ CertPath and
☕ TLS
Removed Weak Kerberos Encryption Types
#krb5.conf
[libdefaults]
allow_weak_crypto = false
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 …
☕ DES, 3DES and RC4 have been removed from the default list of Kerberos encryption types. ⑱
⛔ If allow_weak_crypto = true, any of the weak encryption types could then be used!
☕ You can selectively enable weak algorithms in Kerberos by adding the weak algorithm name(s) to permitted_enctypes in krb5.conf.
Image by EdenMoon from Pixabay
Re-enabling Any Weak Encryption Type is NOT Recommended and You Do That at Your Own Risk!
JDK Security Configuration Aftermath
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter 2019-01-01
jdk.security.legacyAlgorithms=…
jdk.jar.disabledAlgorithms=...
The Security Manager Influence
☕ Originally designed as a sandbox for running potentially untrusted applets.
☕ Later enhanced to support a fine-grained permission model.
☕ It was not widely used, and JDK 17 deprecated the Security Manager for removal (JEP 411).
☕ Several APIs related to the Security Manager were deprecated for removal.
☕ Since JDK 18 the java.security.manager system property defaults to disallow.
Security API Enhancements
Replacement of JAAS APIs ⑱
☕ Some JAAS APIs depend on Security Manager related API.
☕ JEP 411 outlined plans to provide replacement JAAS APIs.
🆕 Subject::callAs() is a replacement for the JAAS Subject::doAs() API.
🆕 Subject::current() is a replacement for the JAAS Subject::getSubject() API.
Replacement of JAAS APIs (example)
Subject s1 = new Subject();
// before
Subject.doAs(s1, (PrivilegedExceptionAction<Void>) () -> {
    AccessControlContext acc = AccessController.getContext();
    Subject s2 = Subject.getSubject(acc);
    return null;
});
// after
Subject.callAs(s1, () -> {
    Subject s2 = Subject.current();
    return null;
});
Improved KeyStore Attributes Access ⑱
// before
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(keyPassword));
Set<KeyStore.Entry.Attribute> attributes = entry.getAttributes();
// after
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
Set<KeyStore.Entry.Attribute> attributes = ks.getAttributes(alias);
APIs to Customize TLS and DTLS Signature Schemes ⑲
SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
String[] sigSchemes = {"rsa_pkcs1_sha512", "rsa_pkcs1_sha384"};
sslParams.setSignatureSchemes(sigSchemes);
New javax.net.ssl.SSLParameters::setSignatureSchemes
APIs to Customize TLS and DTLS Named Groups ⑳
SSLParameters params = new SSLParameters();
params.setNamedGroups(new String[] { "x25519", "secp256r1" });
New javax.net.ssl.SSLParameters::setNamedGroups
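An audit added here (not the deck's code) that checks what the disabled-algorithm properties above leave behind on the running JDK: it lists the cipher suites the provider supports but the security properties leave disabled, flags any weak suite or protocol still enabled, and then applies the setSignatureSchemes and setNamedGroups setters to an SSLEngine. The class, the method names and the placeholder peer name example.com are this example's own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsDefaultsAudit {
    // Substrings of suites that jdk.tls.disabledAlgorithms is expected to keep out of the
    // enabled set: TLS_ECDH_ (no forward secrecy), 3DES, RC4, DES, NULL, anon and MD5.
    // "TLS_ECDH_" deliberately does not match the TLS_ECDHE_ suites, which stay enabled.
    static final List<String> WEAK_MARKERS =
        List.of("TLS_ECDH_", "3DES", "RC4", "_DES_", "NULL", "anon", "MD5");
    static final Set<String> WEAK_PROTOCOLS = Set.of("SSLv3", "TLSv1", "TLSv1.1");

    // Suites the provider implements but the security properties leave disabled by default.
    static List<String> disabledSuites(SSLContext ctx) {
        Set<String> enabled = new TreeSet<>(List.of(ctx.getDefaultSSLParameters().getCipherSuites()));
        List<String> disabled = new ArrayList<>();
        for (String suite : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (!enabled.contains(suite)) {
                disabled.add(suite);
            }
        }
        return disabled;
    }

    // Anything still enabled that matches a weak marker; empty on a stock JDK 21 configuration.
    // A non-empty result usually means java.security was edited or overridden on the command line.
    static List<String> weakStillEnabled(SSLParameters defaults) {
        List<String> hits = new ArrayList<>();
        for (String suite : defaults.getCipherSuites()) {
            for (String marker : WEAK_MARKERS) {
                if (suite.contains(marker)) {
                    hits.add(suite);
                    break;
                }
            }
        }
        for (String protocol : defaults.getProtocols()) {
            if (WEAK_PROTOCOLS.contains(protocol)) {
                hits.add(protocol);
            }
        }
        return hits;
    }

    // Tightens a parameter set beyond the defaults with the JDK 19/20 setters: pins the
    // signature schemes and named groups this client is willing to negotiate.
    static SSLParameters restrict(SSLParameters base) {
        base.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        base.setEndpointIdentificationAlgorithm("HTTPS");
        base.setSignatureSchemes(new String[] {"ed25519", "ecdsa_secp384r1_sha384", "rsa_pss_rsae_sha384"});
        base.setNamedGroups(new String[] {"x25519", "secp384r1"});
        return base;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        System.out.println("enabled protocols: " + List.of(defaults.getProtocols()));
        System.out.println("supported but disabled suites: " + disabledSuites(ctx));
        System.out.println("weak items still enabled: " + weakStillEnabled(defaults));

        // Placeholder peer; the engine is only configured here, no connection is made.
        SSLEngine engine = ctx.createSSLEngine("example.com", 443);
        engine.setUseClientMode(true);
        engine.setSSLParameters(restrict(engine.getSSLParameters()));
        System.out.println("pinned groups: " + List.of(engine.getSSLParameters().getNamedGroups()));
        System.out.println("pinned schemes: " + List.of(engine.getSSLParameters().getSignatureSchemes()));
    }
}
```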
Image by TheDigitalArtist from Pixabay
A Potential Threat of Quantum Computers?
Key Encapsulation Mechanism (KEM)
☕ Also a scheme with public and private keys.
☕ The sender has receiver’s public key.
☕ KEM uses properties of the public key to derive a related symmetric key.
☕ The two parties can securely negotiate a shared secret.
☕ The shared secret can then be used in secure communication with a symmetric cipher.
Diagram: the sender runs Encapsulation with the receiver's public key, which produces the key encapsulation message sent to the receiver and a shared secret kept by the sender; the receiver runs Decapsulation with its private key on that message to obtain the same shared secret; both sides then use it with a symmetric cipher to turn plaintext into ciphertext and back.
Key Encapsulation Mechanism API ㉑
☕ Key pair generation function
This function is already covered by the KeyPairGenerator API.
☕ Key encapsulation
Encapsulate(public_key) -> key_encapsulation_message, shared_secret
☕ Key decapsulation
Decapsulate(private_key, key_encapsulation_message) -> shared_secret
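A worked round trip of the KEM API described above, written as an added example (not code from the deck): DHKEM over an X25519 key pair, which JDK 21's built-in provider supports, with the shared secret handed back as an AES-256 key and used for AES-GCM. The class, record and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KEM;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class KemRoundTrip {
    // What the sender keeps (the AES key) and what it sends (the key encapsulation message).
    record Encapsulation(byte[] message, SecretKey key) {}

    // Sender side: Encapsulate(public_key) -> key_encapsulation_message, shared_secret
    static Encapsulation encapsulate(PublicKey receiverPublic) throws GeneralSecurityException {
        KEM kem = KEM.getInstance("DHKEM");
        KEM.Encapsulator enc = kem.newEncapsulator(receiverPublic);
        // Take the whole shared secret (32 bytes for X25519) and label it as an AES key
        KEM.Encapsulated result = enc.encapsulate(0, enc.secretSize(), "AES");
        return new Encapsulation(result.encapsulation(), result.key());
    }

    // Receiver side: Decapsulate(private_key, key_encapsulation_message) -> shared_secret
    static SecretKey decapsulate(PrivateKey receiverPrivate, byte[] message) throws GeneralSecurityException {
        KEM kem = KEM.getInstance("DHKEM");
        KEM.Decapsulator dec = kem.newDecapsulator(receiverPrivate);
        return dec.decapsulate(message, 0, dec.secretSize(), "AES");
    }

    // The shared secret then protects the payload with AES-256-GCM (96-bit nonce, 128-bit tag).
    static byte[] seal(SecretKey key, byte[] nonce, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(plaintext);
    }

    static byte[] open(SecretKey key, byte[] nonce, byte[] ciphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // The receiver publishes an X25519 public key; the sender never sees the private half.
        KeyPair receiver = KeyPairGenerator.getInstance("X25519").generateKeyPair();

        Encapsulation sent = encapsulate(receiver.getPublic());
        SecretKey receiverKey = decapsulate(receiver.getPrivate(), sent.message());
        System.out.println("shared secrets match: "
            + Arrays.equals(sent.key().getEncoded(), receiverKey.getEncoded()));

        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        byte[] ct = seal(sent.key(), nonce, "hello, world".getBytes(StandardCharsets.UTF_8));
        System.out.println("receiver reads: " + new String(open(receiverKey, nonce, ct), StandardCharsets.UTF_8));

        // A modified encapsulation message yields an unrelated key (or is rejected by the KEM),
        // so the GCM tag check fails instead of silently decrypting garbage.
        byte[] tampered = sent.message().clone();
        tampered[0] ^= 0x01;
        try {
            open(decapsulate(receiver.getPrivate(), tampered), nonce, ct);
            System.out.println("unexpected: tampered message accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered message rejected: " + e.getClass().getSimpleName());
        }
    }
}
```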
Support for the EdDSA Signature Algorithm in XML Signatures ㉑
☕ XML Signatures can now be signed or verified with the EdDSA algorithm.
🆕 Standard SignatureMethod URIs
🆕 SignatureMethod.ED25519
🆕 SignatureMethod.ED448
Also backported to JDK 8u, 11u, 17u
Toggle XML Signature Secure Validation Mode ㉑
☕ Secure processing mode is enabled by default.
☕ Stricter constraints for validating XML signatures are defined by a new security property.
🆕 jdk.xml.dsig.secureValidationPolicy security property
☕ If org.jcp.xml.dsig.secureValidation=true, validation of XML signatures is subject to stricter
constraints as defined by jdk.xml.dsig.secureValidationPolicy.
Also backported to JDK 8u, 11u, 17u
Fine Tune Usage of XPath here() Function ㉑
<!-- select node-sets for use in XPath transforms -->
<XPath xmlns:dsig="&dsig;">
  count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1]) >
  count(ancestor-or-self::dsig:Signature)
</XPath>
☕ here() is not a standard XPath function
🆕 jdk.xml.dsig.hereFunctionSupported
☕ The security property has default value true.
Also backported to JDK 8u, 11u, 17u
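An end-to-end example added here (not the deck's code) that ties the EdDSA and secure-validation slides together: a constructed document is signed with SignatureMethod.ED25519, validated with org.jcp.xml.dsig.secureValidation set explicitly, and then validated again after its content is altered to show the check failing. The class and method names are this example's own.

```java
import java.io.StringReader;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.List;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class Ed25519XmlSignature {
    // Constructed sample document; the enveloped signature is appended to its root element.
    static final String SAMPLE = "<order><item>widget</item><qty>3</qty></order>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // XML DSig requires a namespace-aware DOM
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Signs the whole document (URI "") with Ed25519 via the JDK 21 SignatureMethod.ED25519 URI.
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("",
            fac.newDigestMethod(DigestMethod.SHA256, null),
            List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(SignatureMethod.ED25519, null),
            List.of(ref));
        // No KeyInfo: the validator below is handed the public key out of band.
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        fac.newXMLSignature(si, null).sign(ctx);
    }

    // Validates under secure validation mode. It is on by default in JDK 21, but setting the
    // property keeps the behaviour the same on older releases that still allow it to be off.
    static boolean validate(Document doc, PublicKey pub) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) {
            throw new IllegalStateException("no ds:Signature element");
        }
        DOMValidateContext ctx = new DOMValidateContext(pub, nl.item(0));
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        Document doc = parse(SAMPLE);
        sign(doc, kp);
        System.out.println("fresh signature valid: " + validate(doc, kp.getPublic()));
        // Altering signed content changes the reference digest, so validation must now fail
        doc.getElementsByTagName("qty").item(0).setTextContent("300");
        System.out.println("after tampering valid: " + validate(doc, kp.getPublic()));
    }
}
```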
OS Specific Integrations
Listing Certificates on Windows
try {
    KeyStore ks = KeyStore.getInstance("Windows-MY");
    ks.load(null, null);
    Enumeration<String> en = ks.aliases();
    while (en.hasMoreElements()) {
        String aliasKey = en.nextElement();
        X509Certificate cert = (X509Certificate) ks.getCertificate(aliasKey);
        System.out.println(" Certificate subjectDN : " + cert.getSubjectDN());
        System.out.println(" Certificate issuerDN : " + cert.getIssuerDN());
    }
} catch (Exception e) {
    throw new RuntimeException("Exception while reading certificates", e);
}
New Windows KeyStore Types ⑲
try {
    KeyStore ks = KeyStore.getInstance("Windows-MY-CURRENTUSER");
    ks.load(null, null);
    Enumeration<String> en = ks.aliases();
    while (en.hasMoreElements()) {
        String aliasKey = en.nextElement();
        X509Certificate cert = (X509Certificate) ks.getCertificate(aliasKey);
        System.out.println(" Certificate subjectDN : " + cert.getSubjectDN());
        System.out.println(" Certificate issuerDN : " + cert.getIssuerDN());
    }
} catch (Exception e) {
    throw new RuntimeException("Exception while reading certificates", e);
}
MacOS KeychainStore Can Show Only Trusted Certificates ㉑
KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
keyStore.load(null, null);
keyStore.aliases().asIterator().forEachRemaining(System.out::println);
System.out.println("size:" + keyStore.size());
// before JDK 21 prints user domain certificates
// JDK 21+, prints proper trust certificates in user and/or admin domain
Change backported to JDK 11, 17
Updates to the JDK cacerts File
☕ No longer uses obsolete proprietary JKS format
☕ Uses password-less PKCS12 format
☕ Public certificates no longer encrypted
☕ No longer need to specify/change a default password (“changeit”)
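A check added here (not the deck's code) that opens the JDK's cacerts with no password at all, as the password-less PKCS12 format above allows, counts the trusted roots and lists those expiring within a year. The class and method names are this example's own; the path under java.home is the JDK's standard location for the file.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class CacertsCheck {
    // The JDK's own trust store; being a password-less PKCS12 file, no "changeit" is needed.
    static File defaultCacerts() {
        return new File(System.getProperty("java.home"), "lib/security/cacerts");
    }

    // Loads the store with a null password and returns its trusted certificate entries.
    // KeyStore.getInstance(File, char[]) probes the format, so this also works on an old JKS copy.
    static List<X509Certificate> trustedCerts(File store) throws Exception {
        KeyStore ks = KeyStore.getInstance(store, (char[]) null);
        List<X509Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                certs.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return certs;
    }

    // Roots that are already expired or expire within the given window.
    static List<String> expiringWithin(List<X509Certificate> certs, Duration window) {
        Instant limit = Instant.now().plus(window);
        List<String> out = new ArrayList<>();
        for (X509Certificate c : certs) {
            if (c.getNotAfter().toInstant().isBefore(limit)) {
                out.add(c.getSubjectX500Principal().getName() + " expires " + c.getNotAfter());
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        File store = args.length > 0 ? new File(args[0]) : defaultCacerts();
        List<X509Certificate> certs = trustedCerts(store);
        System.out.println(store + ": " + certs.size() + " trusted certificates");
        for (String line : expiringWithin(certs, Duration.ofDays(365))) {
            System.out.println("  " + line);
        }
    }
}
```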
Tools Updates
Keytool Improvements (1)
☕ Uses larger default key sizes in -genkeypair if -keysize option is not specified
$ keytool -genkeypair -keyalg RSA -keystore keystore
...
Generating 3.072 bit RSA key pair and self-signed certificate
(SHA384withRSA) with a validity of 90 days
Keytool Improvements (2)
☕ Uses larger default key sizes in -genkeypair if -keysize option is not specified.
☕ -genseckey and -importpass options warn when using weak password-based encryption algorithms. ㉑
$ keytool -genseckey -alias secret -keypass changeit -keyalg RC4 \
    -keysize 128 -keystore example.p12 -storepass changeit \
    -storetype PKCS12 -v
Generated 128-bit ARCFOUR secret key [Storing example.p12]
Warning: The generated secret key uses the ARCFOUR algorithm which is
considered a security risk.
Jarsigner Improvements
☕ Strengthens the default digest and signature algorithms when signing.
☕ SHA-1 JARs are disabled by default (except those timestamped prior to 2019-01-01).
☕ Specify the class path of an alternate keystore implementation via -providerPath. ⑲
$ jarsigner -keystore keystore -storetype CUSTOMKS \
    -providerPath /path/to/test.myks \
    -providerClass my.custom.AnotherProvider \
    signed.jar mykey
Recording Initial Security Properties With JDK Flight Recorder
🆕 jdk.InitialSecurityProperty cryptographic event
☕ Enabled by default in default.jfc and profile.jfc.
☕ Captures info on initial security properties when loaded via java.security.Security class.
Disabling Initial Security Properties Event
$ jfr configure jdk.InitialSecurityProperty#enabled=false
# or on launch
$ java -XX:StartFlightRecording:settings=none,+jdk.InitialSecurityProperty#enabled=false
Recording Details About Security Provider Instance Requests
🆕 jdk.SecurityProviderService cryptographic event
☕ Disabled by default in default.jfc and profile.jfc.
☕ Records info on java.security.Provider.getService(…) calls.
Enabling Security Provider Instance Requests Event
$ jfr configure jdk.SecurityProviderService#enabled=true
# or on launch
$ java -XX:StartFlightRecording:settings=none,+jdk.SecurityProviderService#enabled=true
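The same two events captured from inside the application rather than through jfr configure, as an added example (not the deck's code): a Recording enables jdk.SecurityProviderService and jdk.InitialSecurityProperty, a couple of JCA lookups trigger events, and the dump is read back with RecordingFile. The class and method names are this example's own; jdk.InitialSecurityProperty fires only when java.security.Security is first loaded, so it is absent if that happened before the recording started.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.crypto.Cipher;
import jdk.jfr.Recording;
import jdk.jfr.ValueDescriptor;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

public class SecurityEventsCapture {
    static final String PROVIDER_SERVICE = "jdk.SecurityProviderService";
    static final String INITIAL_PROPERTY = "jdk.InitialSecurityProperty";
    // Housekeeping fields present on every event; skipped when printing the payload.
    static final Set<String> COMMON = Set.of("startTime", "duration", "eventThread", "stackTrace");

    // Runs a few JCA lookups inside a recording and returns every event it captured.
    static List<RecordedEvent> capture() throws Exception {
        Path dump = Files.createTempFile("security-events", ".jfr");
        try (Recording rec = new Recording()) {   // a blank Recording enables nothing by itself
            rec.enable(PROVIDER_SERVICE);        // off in default.jfc and profile.jfc
            rec.enable(INITIAL_PROPERTY);        // on in the stock .jfc files, but not here
            rec.start();
            // Each getInstance resolves through Provider.getService, which is what the event records
            Cipher.getInstance("AES/GCM/NoPadding");
            MessageDigest.getInstance("SHA-384");
            rec.stop();
            rec.dump(dump);
        }
        try {
            return RecordingFile.readAllEvents(dump);
        } finally {
            Files.deleteIfExists(dump);
        }
    }

    // Event counts by type name, to see how many lookups the two calls actually produced.
    static Map<String, Long> countByType(List<RecordedEvent> events) {
        Map<String, Long> counts = new TreeMap<>();
        for (RecordedEvent e : events) {
            counts.merge(e.getEventType().getName(), 1L, Long::sum);
        }
        return counts;
    }

    // One line per event: the type name followed by its payload fields (provider, type, algorithm, ...).
    static String describe(RecordedEvent e) {
        StringBuilder sb = new StringBuilder(e.getEventType().getName());
        for (ValueDescriptor f : e.getFields()) {
            if (COMMON.contains(f.getName())) {
                continue;
            }
            sb.append(' ').append(f.getName()).append('=').append((Object) e.getValue(f.getName()));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        List<RecordedEvent> events = capture();
        System.out.println(countByType(events));
        for (RecordedEvent e : events) {
            System.out.println(describe(e));
        }
    }
}
```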
Image by geralt from Pixabay
Java Crypto Roadmap
(https://java.com/cryptoroadmap)
☕ Informs the public about upcoming security changes to update releases.
☕ Each change improves security in some way:
☕ Restrict or disable a weak algorithm,
☕ A default can be changed to a stronger setting,
☕ Support for a stronger algorithm can be added,
☕ Or improve tools to help you diagnose security issues.
☕ Yet, a change may have some compatibility risk, so the roadmap gives:
☕ Advance notice (usually 3-6 months), except in case of a severe vulnerability.
☕ Testing instructions, if applicable.
Stay Tuned for More
Inside.java
Dev.java youtube.com/java
Useful Links
☕ JEP 411 about deprecation of the Security Manager for removal https://openjdk.org/jeps/411
☕ Sean Mullan’s blog on JDK security changes: https://seanjmullan.org/blog/
☕ Java Security Standard Algorithm Names https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html
☕ Java Security Guide https://docs.oracle.com/en/java/javase/21/security/java-security-overview1.html
☕ Java CryptoRoadmap https://www.java.com/en/jre-jdk-cryptoroadmap.html
☕ Java 21 Tool Enhancements: Better Across the Board #RoadTo21 https://www.youtube.com/embed/nFJBVuaIsRg
☕ Java 21 Security Updates #RoadTo21 https://www.youtube.com/embed/kSjdZZsHM04

 A Glance At The Java Performance Toolbox.pdf A Glance At The Java Performance Toolbox.pdf
A Glance At The Java Performance Toolbox.pdf
 
A Glance At The Java Performance Toolbox.pdf
 A Glance At The Java Performance Toolbox.pdf A Glance At The Java Performance Toolbox.pdf
A Glance At The Java Performance Toolbox.pdf
 
How Java 19 Influences the Future of Your High-Scale Applications .pdf
How Java 19 Influences the Future of Your High-Scale Applications .pdfHow Java 19 Influences the Future of Your High-Scale Applications .pdf
How Java 19 Influences the Future of Your High-Scale Applications .pdf
 
The Automation Challenge Kubernetes Operators vs Helm Charts.pdf
The Automation Challenge Kubernetes Operators vs Helm Charts.pdfThe Automation Challenge Kubernetes Operators vs Helm Charts.pdf
The Automation Challenge Kubernetes Operators vs Helm Charts.pdf
 
Exploring Quarkus on JDK 17
Exploring Quarkus on JDK 17Exploring Quarkus on JDK 17
Exploring Quarkus on JDK 17
 
Cloud native resiliency patterns from the ground up
Cloud native resiliency patterns from the ground upCloud native resiliency patterns from the ground up
Cloud native resiliency patterns from the ground up
 
Cloud native resiliency patterns from the ground up
Cloud native resiliency patterns from the ground upCloud native resiliency patterns from the ground up
Cloud native resiliency patterns from the ground up
 
Cloud native resiliency patterns from the ground up
Cloud native resiliency patterns from the ground upCloud native resiliency patterns from the ground up
Cloud native resiliency patterns from the ground up
 
The automation challenge Kubernetes operators vs Helm charts
The automation challenge Kubernetes operators vs Helm chartsThe automation challenge Kubernetes operators vs Helm charts
The automation challenge Kubernetes operators vs Helm charts
 
Cloud native resiliency patterns from the ground up
Cloud native resiliency patterns from the ground upCloud native resiliency patterns from the ground up
Cloud native resiliency patterns from the ground up
 
DevoxxUK 2021 Techniques for maintainable Quarkus applications
DevoxxUK 2021 Techniques for maintainable Quarkus applicationsDevoxxUK 2021 Techniques for maintainable Quarkus applications
DevoxxUK 2021 Techniques for maintainable Quarkus applications
 

Recently uploaded

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 

From Java 17 to 21- A Showcase of JDK Security Enhancements

  • 13. First Post-Quantum Cryptography Algorithms in OpenJDK
    ☕ Leighton-Micali Signature system (LMS) is a stateful hash-based signature (HBS) scheme.
    ☕ The Hierarchical Signature System (HSS) is the multi-tree variant of LMS.
    ☕ HSS/LMS is one of the two quantum-resistant signature algorithms standardized by NIST.
    ☕ As use cases, HSS/LMS is suitable for software or firmware signing.
    ☕ HSS/LMS key and signature generation should be performed on hardware.
  • 14. HSS/LMS Signature Verification Implementation ㉑
    ☕ HSS/LMS is the multi-tree variant of the Leighton-Micali (LMS) system.
    ☕ New KeyFactory and Signature verification implementation of HSS/LMS.
    ☕ Only Signature verification is supported.*
    * Signature generation should be performed in hardware only.
  • 15. Read a HSS/LMS Public Key from its Serialized Format
      // Verification provider may be different,
      // so convert encoded public key into a type it supports.
      // encodedPublicKey: byte[] holding the X.509 (SubjectPublicKeyInfo) encoding of the key
      var ALG = "HSS/LMS";
      var instance = KeyFactory.getInstance(ALG);
      var keySpec = new X509EncodedKeySpec(encodedPublicKey);
      var generatedPublicKey = instance.generatePublic(keySpec);
  • 16. Verify the Validity of a Signature that Uses the HSS/LMS Algorithm
      // Verification provider may be different,
      // so convert encoded public key into a type it supports.
      // encodedPublicKey: byte[] X.509 encoding of the public key; sig: byte[] signature to check
      var ALG = "HSS/LMS";
      var msg = "hello, world".getBytes(StandardCharsets.UTF_8);
      var instance = KeyFactory.getInstance(ALG);
      var keySpec = new X509EncodedKeySpec(encodedPublicKey);
      var generatedPublicKey = instance.generatePublic(keySpec);
      var signature = Signature.getInstance(ALG);
      signature.initVerify(generatedPublicKey);
      signature.update(msg);
      System.out.println(signature.verify(sig)); // true only if sig is a valid HSS/LMS signature over msg
  • 18. SHA-1 JARs are Disabled by Default ⑱
      $ jarsigner -verify -verbose old.jar
      57 Wed Jul 12 14:25:08 EDT 2023 META-INF/MANIFEST.MF
      249 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.SF
      2005 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.RSA
      m ? 1 Wed Jul 12 14:24:16 EDT 2023 A
      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      ? = unsigned entry
      - Signed by "CN=signer"
      Digest algorithm: SHA-1 (disabled)
      Signature algorithm: SHA256withRSA, 2048-bit key
      WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
      jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
    Change introduced in JDK 18, backported to CPU 22_10.
  • 19. Disabled Weak TLS Algorithms
    ☕ 3DES cipher suites have been removed from the default enabled TLS cipher suites. ⑲
    ☕ TLS_ECDH cipher suites are disabled because they do not preserve forward secrecy. ⑳
    ☕ The DTLS 1.0 protocol has various weaknesses and is no longer recommended. ⑳
  • 20. Restriction Rules for Weak Algorithms
    ☕ In krb5.conf for Kerberos, since that is the standard way among Kerberos vendors.
    ☕ As security properties in the $JDK_HOME/conf/security/java.security file for:
      ☕ JAR verification,
      ☕ CertPath, and
      ☕ TLS.
  • 21. Removed Weak Kerberos Encryption Types
      # krb5.conf
      [libdefaults]
      allow_weak_crypto = false
      permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 …
    ☕ DES, 3DES and RC4 have been removed from the default list of Kerberos encryption types. ⑱
    ⛔ If allow_weak_crypto = true, any of the weak encryption types could then be used!
    ☕ You can selectively enable weak algorithms in Kerberos by adding the weak algorithm name(s) to permitted_enctypes in krb5.conf.
  • 22. Image by EdenMoon from Pixabay. Re-enabling Any Weak Encryption Type is NOT Recommended and You Do That at Your Own Risk!
  • 23. JDK Security Configuration Aftermath
      jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH
      jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
      jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer,RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter 2019-01-01
      jdk.security.legacyAlgorithms=…
      jdk.jar.disabledAlgorithms=...
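The properties above are plain text that a deployment can weaken through an edited java.security or a -Djava.security.properties override file; as an added example that is not part of the slides, the following Java class reads them back through java.security.Security at startup and compares them with a baseline taken from the values shown on slide 23. The baseline entries and the fail-closed exit are assumptions to adapt to your own policy.

```java
// Added example (not from the slides): audit the runtime's disabled-algorithm
// security properties against a baseline so a weakened java.security file (or a
// -Djava.security.properties override) is noticed before the application serves traffic.
import java.security.Security;
import java.util.*;
import java.util.stream.Collectors;

public class SecurityPropertyAudit {

    /** Constraints the slides show for JDK 21; assumed baseline, adjust to your own policy. */
    static final Map<String, List<String>> BASELINE = Map.of(
        "jdk.tls.disabledAlgorithms",
            List.of("SSLv3", "TLSv1", "TLSv1.1", "DTLSv1.0", "RC4", "DES", "MD5withRSA",
                    "DH keySize < 1024", "EC keySize < 224", "3DES_EDE_CBC", "anon", "NULL", "ECDH"),
        "jdk.certpath.disabledAlgorithms",
            List.of("MD2", "MD5", "SHA1 jdkCA & usage TLSServer", "RSA keySize < 1024",
                    "DSA keySize < 1024", "EC keySize < 224", "SHA1 usage SignedJAR & denyAfter 2019-01-01"),
        "jdk.jar.disabledAlgorithms",
            List.of("MD2", "MD5", "RSA keySize < 1024", "DSA keySize < 1024", "SHA1 denyAfter 2019-01-01"));

    /** Split a property value into its individual constraints (comma separated, whitespace normalized). */
    static Set<String> constraints(String value) {
        if (value == null || value.isBlank()) return Set.of();
        return Arrays.stream(value.split(","))
                     .map(s -> s.trim().replaceAll("\\s+", " "))
                     .filter(s -> !s.isEmpty())
                     .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    /** For each property, the baseline constraints that are absent from the supplied values. */
    static Map<String, List<String>> missing(Map<String, String> actual) {
        Map<String, List<String>> result = new TreeMap<>();
        BASELINE.forEach((prop, required) -> {
            Set<String> have = constraints(actual.get(prop));
            List<String> gone = required.stream().filter(r -> !have.contains(r)).toList();
            if (!gone.isEmpty()) result.put(prop, gone);
        });
        return result;
    }

    /** Live values as seen by the JDK's own algorithm-constraint checks. */
    static Map<String, String> current() {
        Map<String, String> m = new HashMap<>();
        for (String p : BASELINE.keySet()) m.put(p, Security.getProperty(p));
        return m;
    }

    public static void main(String[] args) {
        Map<String, List<String>> gaps = missing(current());
        if (gaps.isEmpty()) {
            System.out.println("security properties match the baseline");
            return;
        }
        gaps.forEach((prop, lost) -> System.out.println(prop + " is missing: " + lost));
        System.exit(1); // fail closed: do not start on a weakened configuration
    }
}
```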
  • 24. The Security Manager Influence
    ☕ Originally designed as a sandbox for running potentially untrusted applets.
    ☕ Later enhanced to support a fine-grained permission model.
    ☕ It was not widely used, and JDK 17 deprecated the Security Manager for removal (JEP 411).
    ☕ Several APIs related to the Security Manager were deprecated for removal.
    ☕ Since JDK 18 the java.security.manager system property defaults to disallow.
  • 26. Replacement of JAAS APIs ⑱
    ☕ Some JAAS APIs depend on Security Manager related APIs.
    ☕ JEP 411 outlined plans to provide replacement JAAS APIs.
    🆕 Subject::callAs() is a replacement for the JAAS Subject::doAs() API.
    🆕 Subject::current() is a replacement for the JAAS Subject::getSubject() API.
  • 27. Replacement of JAAS APIs (example)
      Subject s1 = new Subject();
      // before
      Subject.doAs(s1, (PrivilegedExceptionAction<Void>) () -> {
          AccessControlContext acc = AccessController.getContext();
          Subject s2 = Subject.getSubject(acc);
          return null;
      });
      // after
      Subject.callAs(s1, () -> {
          Subject s2 = Subject.current();
          return null;
      });
  • 28. Improved KeyStore Attributes Access ⑱
      // before
      KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
      KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(keyPassword));
      Set<KeyStore.Entry.Attribute> attributes = entry.getAttributes();
      // after
      KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
      Set<KeyStore.Entry.Attribute> attributes = ks.getAttributes(alias);
  • 29. APIs to Customize TLS and DTLS Signature Schemes ⑲
      SSLParameters sslParams = new SSLParameters();
      sslParams.setEndpointIdentificationAlgorithm("HTTPS");
      String[] sigSchemes = {"rsa_pkcs1_sha512", "rsa_pkcs1_sha384"};
      sslParams.setSignatureSchemes(sigSchemes);
    New: javax.net.ssl.SSLParameters::setSignatureSchemes
  • 30. APIs to Customize TLS and DTLS Named Groups ⑳
      SSLParameters params = new SSLParameters();
      params.setNamedGroups(new String[] { "x25519", "secp256r1" });
    New: javax.net.ssl.SSLParameters::setNamedGroups
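As an added example that is not from the slides, the two setters from slides 29 and 30 combined with protocol restriction and endpoint identification in one SSLParameters object, applied to a client SSLEngine and read back so a setting that did not take effect is caught before any handshake. The group and scheme lists and the host name are assumptions for illustration.

```java
// Added example (not from the slides): one hardened SSLParameters object built with
// the JDK 19/20 setters, applied to an SSLEngine and verified by reading it back.
import javax.net.ssl.*;
import java.util.Arrays;
import java.util.Set;

public class HardenedTlsParameters {

    // Assumed preference lists; order expresses preference during negotiation.
    static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"};
    static final String[] NAMED_GROUPS = {"x25519", "secp384r1", "secp256r1"};
    static final String[] SIGNATURE_SCHEMES = {"ed25519", "ecdsa_secp384r1_sha384",
                                               "rsa_pss_rsae_sha384", "rsa_pkcs1_sha384"};

    /** Parameters restricted to the chosen protocols, groups and schemes, with host name verification. */
    static SSLParameters hardened() {
        SSLParameters p = new SSLParameters();
        p.setProtocols(PROTOCOLS);
        p.setEndpointIdentificationAlgorithm("HTTPS"); // match the peer certificate against the host name
        p.setNamedGroups(NAMED_GROUPS);                 // JDK 20: SSLParameters::setNamedGroups
        p.setSignatureSchemes(SIGNATURE_SCHEMES);       // JDK 19: SSLParameters::setSignatureSchemes
        p.setUseCipherSuitesOrder(true);                // honour local preference order
        return p;
    }

    /** Apply the parameters to a client engine and confirm they were accepted as given. */
    static SSLEngine configure(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        engine.setSSLParameters(hardened());

        SSLParameters effective = engine.getSSLParameters();
        Set<String> supported = Set.of(engine.getSupportedProtocols());
        for (String proto : effective.getProtocols()) {
            if (!supported.contains(proto)) {
                throw new IllegalStateException("protocol not supported by the provider: " + proto);
            }
        }
        if (!Arrays.equals(effective.getNamedGroups(), NAMED_GROUPS)
                || !Arrays.equals(effective.getSignatureSchemes(), SIGNATURE_SCHEMES)) {
            throw new IllegalStateException("named groups or signature schemes were not applied");
        }
        if (!"HTTPS".equals(effective.getEndpointIdentificationAlgorithm())) {
            throw new IllegalStateException("endpoint identification is not enabled");
        }
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // "example.com" is a placeholder host; no connection is opened here.
        SSLEngine engine = configure(SSLContext.getDefault(), "example.com", 443);
        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("named groups: " + Arrays.toString(engine.getSSLParameters().getNamedGroups()));
        System.out.println("signature schemes: " + Arrays.toString(engine.getSSLParameters().getSignatureSchemes()));
    }
}
```

The same SSLParameters object can be handed to java.net.http.HttpClient.Builder::sslParameters or SSLSocket::setSSLParameters, so one hardened definition serves every TLS client in the process.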
  • 31. Image by TheDigitalArtist from Pixabay. A Potential Threat of Quantum Computers?
  • 32. Key Encapsulation Mechanism (KEM)
    ☕ Also a scheme with public and private keys.
    ☕ The sender has the receiver's public key.
    ☕ KEM uses properties of the public key to derive a related symmetric key.
    ☕ The two parties can securely negotiate a shared secret.
    ☕ The shared secret can then be used in secure communication with a symmetric cipher.
  • 33. [Diagram: Encapsulation on the sender side uses the receiver's public key and produces the key encapsulation message; Decapsulation on the receiver side uses the private key. The sender encrypts plaintext to ciphertext with the shared secret and the receiver decrypts it back to plaintext.]
  • 34. Key Encapsulation Mechanism API ㉑
    ☕ Key pair generation function: this function is already covered by the KeyPairGenerator API.
    ☕ Key encapsulation: Encapsulate(public_key) -> key_encapsulation_message, shared_secret
    ☕ Key decapsulation: Decapsulate(private_key, key_encapsulation_message) -> shared_secret
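The three functions of slide 34 driven end to end, as an added example that is not part of the slides: DHKEM over X25519 with the JDK 21 javax.crypto.KEM API, the shared secret used directly as an AES-GCM key, and a modified key encapsulation message shown to be rejected on the receiver side. The receiver key pair and the message are constructed here.

```java
// Added example (not from the slides): KEM round trip with the JDK 21 javax.crypto.KEM API.
// Sender: Encapsulate(public_key) -> key_encapsulation_message, shared_secret
// Receiver: Decapsulate(private_key, key_encapsulation_message) -> shared_secret
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class KemRoundTrip {

    static final int GCM_TAG_BITS = 128;
    static final int GCM_IV_LEN = 12;

    /** What travels from sender to receiver: the key encapsulation message plus the AES-GCM output. */
    record Envelope(byte[] encapsulation, byte[] iv, byte[] ciphertext) {}

    /** Sender side: derive the shared secret from the receiver's public key and encrypt with it. */
    static Envelope seal(PublicKey receiverPub, byte[] plaintext) throws GeneralSecurityException {
        KEM kem = KEM.getInstance("DHKEM");
        KEM.Encapsulator enc = kem.newEncapsulator(receiverPub);
        // Use the whole shared secret (32 bytes for X25519) as an AES-256 key.
        KEM.Encapsulated ke = enc.encapsulate(0, enc.secretSize(), "AES");
        byte[] iv = new byte[GCM_IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, ke.key(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(ke.encapsulation()); // bind the ciphertext to this particular encapsulation
        return new Envelope(ke.encapsulation(), iv, c.doFinal(plaintext));
    }

    /** Receiver side: recover the shared secret with the private key and decrypt. */
    static byte[] open(PrivateKey receiverPriv, Envelope env) throws GeneralSecurityException {
        KEM kem = KEM.getInstance("DHKEM");
        KEM.Decapsulator dec = kem.newDecapsulator(receiverPriv);
        SecretKey key = dec.decapsulate(env.encapsulation(), 0, dec.secretSize(), "AES");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, env.iv()));
        c.updateAAD(env.encapsulation());
        return c.doFinal(env.ciphertext()); // throws AEADBadTagException if key or data differ
    }

    public static void main(String[] args) throws Exception {
        // Constructed receiver key pair and sample message.
        KeyPair receiver = KeyPairGenerator.getInstance("X25519").generateKeyPair();
        byte[] msg = "hello, world".getBytes(StandardCharsets.UTF_8);

        Envelope env = seal(receiver.getPublic(), msg);
        byte[] recovered = open(receiver.getPrivate(), env);
        System.out.println("round trip ok: " + Arrays.equals(msg, recovered));

        // Alter one bit of the key encapsulation message: the receiver derives a different
        // secret, so GCM tag verification fails instead of silently returning garbage.
        byte[] bad = env.encapsulation().clone();
        bad[0] ^= 0x01;
        try {
            open(receiver.getPrivate(), new Envelope(bad, env.iv(), env.ciphertext()));
            System.out.println("unexpected: tampered envelope accepted");
        } catch (AEADBadTagException | DecapsulateException e) {
            System.out.println("tampered envelope rejected: " + e.getClass().getSimpleName());
        }
    }
}
```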
  • 35. Support for the EdDSA Signature Algorithm in XML Signatures ㉑
    ☕ XML Signatures can now be signed or verified with the EdDSA algorithm.
    🆕 Standard SignatureMethod URIs:
      🆕 SignatureMethod.ED25519
      🆕 SignatureMethod.ED448
    Also backported to JDK 8u, 11u, 17u.
  • 36. Toggle XML Signature Secure Validation Mode ㉑
    ☕ Secure processing mode is enabled by default.
    ☕ Stricter constraints for validating XML signatures are defined by a new security property.
    🆕 jdk.xml.dsig.secureValidationPolicy security property
    ☕ If org.jcp.xml.dsig.secureValidation=true, validation of XML signatures is subject to the stricter constraints defined by jdk.xml.dsig.secureValidationPolicy.
    Also backported to JDK 8u, 11u, 17u.
  • 37. Fine Tune Usage of the XPath here() Function ㉑
      <!-- select node-sets for use in XPath transforms -->
      <XPath xmlns:dsig="&dsig;">
        count(ancestor-or-self::dsig:Signature | here()/ancestor::dsig:Signature[1])
        > count(ancestor-or-self::dsig:Signature)
      </XPath>
    ☕ here() is not a standard XPath function.
    🆕 jdk.xml.dsig.hereFunctionSupported
    ☕ The security property has the default value true.
    Also backported to JDK 8u, 11u, 17u.
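Tying slides 35 and 36 together, as an added example that is not from the slides: a constructed document is signed with SignatureMethod.ED25519 over a SHA-256 digest, validated with the secure validation property set, and then modified so that validation is shown to fail. The document content and the Ed25519 key pair are constructed here; the calls are the standard javax.xml.crypto.dsig API.

```java
// Added example (not from the slides): enveloped XML signature with Ed25519 (JDK 21)
// and validation in secure validation mode against a known public key.
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.List;

public class EdDsaXmlSignature {

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature processing requires a namespace-aware DOM
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Enveloped signature over the whole document: SHA-256 reference digest, Ed25519 signature. */
    static void sign(Document doc, PrivateKey key) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                List.of(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(SignatureMethod.ED25519, null), // JDK 21 constant from slide 35
                List.of(ref));
        // No KeyInfo is embedded: the verifier must already trust a specific key (see validate).
        fac.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement()));
    }

    /** Validate the single Signature element against a known public key, secure validation on. */
    static boolean validate(Document doc, PublicKey trustedKey) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) throw new IllegalStateException("expected exactly one Signature element");
        DOMValidateContext ctx = new DOMValidateContext(KeySelector.singletonKeySelector(trustedKey), nl.item(0));
        // Secure validation is the default (slide 36); set it explicitly so the intent is visible.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        // Constructed key pair and document; the digest value is a placeholder.
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        Document doc = parse("<firmware><version>1.2.3</version><sha256>placeholder</sha256></firmware>");

        sign(doc, kp.getPrivate());
        System.out.println("valid after signing: " + validate(doc, kp.getPublic()));

        // Change signed content: the reference digest no longer matches, so validation fails.
        doc.getElementsByTagName("version").item(0).setTextContent("9.9.9");
        System.out.println("valid after tampering: " + validate(doc, kp.getPublic()));
    }
}
```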
  • 39. Listing Certificates on Windows
      try {
          KeyStore ks = KeyStore.getInstance("Windows-MY");
          ks.load(null, null);
          Enumeration<String> en = ks.aliases();
          while (en.hasMoreElements()) {
              String aliasKey = en.nextElement();
              X509Certificate cert = (X509Certificate) ks.getCertificate(aliasKey);
              System.out.println(" Certificate subjectDN : " + cert.getSubjectDN());
              System.out.println(" Certificate issuerDN : " + cert.getIssuerDN());
          }
      } catch (Exception e) {
          throw new RuntimeException("Exception while reading certificates", e);
      }
  • 40. New Windows KeyStore Types ⑲
      try {
          KeyStore ks = KeyStore.getInstance("Windows-MY-CURRENTUSER");
          ks.load(null, null);
          Enumeration<String> en = ks.aliases();
          while (en.hasMoreElements()) {
              String aliasKey = en.nextElement();
              X509Certificate cert = (X509Certificate) ks.getCertificate(aliasKey);
              System.out.println(" Certificate subjectDN : " + cert.getSubjectDN());
              System.out.println(" Certificate issuerDN : " + cert.getIssuerDN());
          }
      } catch (Exception e) {
          throw new RuntimeException("Exception while reading certificates", e);
      }
  • 41. MacOS KeychainStore Can Show Only Trusted Certificates ㉑
      KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
      keyStore.load(null, null);
      keyStore.aliases().asIterator().forEachRemaining(System.out::println);
      System.out.println("size:" + keyStore.size());
      // before JDK 21: prints user domain certificates
      // JDK 21+: prints proper trust certificates in the user and/or admin domain
    Change backported to JDK 11, 17.
  • 42. Updates to the JDK cacerts File
    ☕ No longer uses the obsolete proprietary JKS format.
    ☕ Uses the password-less PKCS12 format.
    ☕ Public certificates are no longer encrypted.
    ☕ No longer need to specify/change a default password ("changeit").
  • 44. Keytool Improvements (1)
    ☕ Uses larger default key sizes in -genkeypair if the -keysize option is not specified.
      $ keytool -genkeypair -keyalg RSA -keystore keystore ...
      Generating 3.072 bit RSA key pair and self-signed certificate (SHA384withRSA) with a validity of 90 days
  • 45. Keytool Improvements (2)
    ☕ Uses larger default key sizes in -genkeypair if the -keysize option is not specified.
    ☕ -genseckey and -importpass options warn when using weak password-based encryption algorithms. ㉑
      $ keytool -genseckey -alias secret -keypass changeit -keyalg RC4 -keysize 128 -keystore example.p12 -storepass changeit -storetype PKCS12 -v
      Generated 128-bit ARCFOUR secret key
      [Storing example.p12]
      Warning:
      The generated secret key uses the ARCFOUR algorithm which is considered a security risk.
  • 46. Jarsigner Improvements
    ☕ Strengthens the default digest and signature algorithms when signing.
    ☕ SHA-1 JARs are disabled by default (except those timestamped prior to 2019-01-01).
    ☕ Specify the class path of an alternate keystore implementation via -providerPath. ⑲
      $ jarsigner -keystore keystore -storetype CUSTOMKS -providerPath /path/to/test.myks -providerClass my.custom.AnotherProvider signed.jar mykey
  • 47. Recording Initial Security Properties With JDK Flight Recorder
    🆕 jdk.InitialSecurityProperty cryptographic event
    ☕ Enabled by default in default.jfc and profile.jfc.
    ☕ Captures info on the initial security properties when they are loaded via the java.security.Security class.
  • 48. Disabling the Initial Security Properties Event
      $ jfr configure jdk.InitialSecurityProperty#enabled=false
      # or on launch
      $ java -XX:StartFlightRecording:settings=none,+jdk.InitialSecurityProperty#enabled=false
  • 49. Recording Details About Security Provider Instance Requests
    🆕 jdk.SecurityProviderService cryptographic event
    ☕ Disabled by default in default.jfc and profile.jfc.
    ☕ Records info on java.security.Provider.getService(…) calls.
  • 50. Enabling the Security Provider Instance Requests Event
      $ jfr configure jdk.SecurityProviderService#enabled=true
      # or on launch
      $ java -XX:StartFlightRecording:settings=none,+jdk.SecurityProviderService#enabled=true
  • 51. Image by geralt from Pixabay
  • 52. Java Crypto Roadmap (https://java.com/cryptoroadmap)
    ☕ Informs the public about upcoming security changes to update releases.
    ☕ Each change improves security in some way:
      ☕ Restrict or disable a weak algorithm,
      ☕ A default can be changed to a stronger setting,
      ☕ Support for a stronger algorithm can be added,
      ☕ Or improve tools to help you diagnose security issues.
    ☕ Yet, a change may have some compatibility risk:
      ☕ Advance notice (usually 3-6 months), except in case of a severe vulnerability.
      ☕ Testing instructions, if applicable.
  • 53. Stay Tuned for More: Inside.java, Dev.java, youtube.com/java
  • 54. Useful Links
    ☕ JEP 411 about deprecation of the Security Manager for removal: https://openjdk.org/jeps/411
    ☕ Sean Mullan's blog on JDK security changes: https://seanjmullan.org/blog/
    ☕ Java Security Standard Algorithm Names: https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html
    ☕ Java Security Guide: https://docs.oracle.com/en/java/javase/21/security/java-security-overview1.html
    ☕ Java CryptoRoadmap: https://www.java.com/en/jre-jdk-cryptoroadmap.html
    ☕ Java 21 Tool Enhancements: Better Across the Board #RoadTo21: https://www.youtube.com/embed/nFJBVuaIsRg
    ☕ Java 21 Security Updates #RoadTo21: https://www.youtube.com/embed/kSjdZZsHM04