From Java 17 to 21, the JDK made several security enhancements, including: 1) Using larger key sizes by default for cryptographic algorithms like AES, ECDSA, and DH to improve resilience against attacks. 2) Adding support for post-quantum cryptography algorithms like HSS/LMS signature verification. 3) Restricting or disabling weak algorithms like SHA-1, 3DES, and RC4 by default. 4) Improving security APIs and providing replacements for deprecated ones like the Security Manager and parts of JAAS.

1. From Java 17 to 21
A Showcase of JDK Security
Enhancements

2. Java Champion Alumni, Certified Architect
Senior Developer Advocate at Oracle
Passionate about solving complex scenarios
involving Java and Kubernetes.
ammbra1508 ammbra1508.mastondon.social

3. 6-Month Release Cadence

4. Image by EdenMoon from Pixabay
What Significant Changes
Occurred in JDK Security after
Java 17?

5. JDK Security Impact
☕ Over time, most algorithms weaken and can be exploited more easily.
☕ Lifetime of a JDK release can outlast the viable lifetime of many cryptographic algorithms.
☕ The Java Platform continuously gets enhancements to its tooling, supported cryptographic
algorithms and protocols.
☕ All changes are done for you to build and deploy applications that use modern and strong
algorithms and protocols.

6. Java Security Overview

7. Java Security Components (1)
Java Language and Runtime Security
Cryptography (JCA/JCE) PKI
SASL XML Signature
GSSAPI/Kerberos
Authn/Authz (JAAS)
keytool jarsigner kinit, klist, ktab Tools
APIs and
Libraries
TLS/DTLS (JSSE) Signed JARs

8. Java Security Components (2)
Java Language and Runtime Security
Cryptography (JCA/JCE) PKI
SASL XML Signature
GSSAPI/Kerberos
Authn/Authz (JAAS)
keytool jarsigner kinit, klist, ktab Tools
APIs and
Libraries
TLS/DTLS (JSSE) Signed JARs

9. Image by Myriams-Fotos from Pixabay

10. Modern Cryptographic Algorithms

11. Larger Key Sizes to Improve Resilience
Algorithm Specification Before JDK 19 In JDK 20 & 21
AES Cipher FIPS Pub 197 128 bit
256 bit (if allowed by
policy)
ECDH NIST SP 800-56A Curve P-256 Curve P-384
ECDSA Signature FIPS Pub 186-4 Curve P-256 Curve P-384
SHA MessageDigest FIPS Pub 180-4 SHA-256 SHA-384
DH KevExchange IETF RFC 3526 2048-bit 3072-bit
RSA/RSAPSS
Signature
NIST SP 800-56B
rev 1
2048-bit 3072-bit

12. Image by TheDigitalArtist from Pixabay
A Potential Threat of Quantum
Computers?

13. First Post-Quantum Cryptography
Algorithms in OpenJDK
☕ Leighton-Micali Signature system (LMS) is a stateful hash-based signature (HBS) scheme.
☕ The Hierarchical Signature System (HSS) is the multi-tree variant of LMS.
☕ HSS/LMS is one of the two quantum resistant signature algorithms standardized by NIST.
☕ As use cases, HSS/LMS is suitable for software or firmware signing .
☕ HMS/LMS key and signature generation should be performed on hardware.

14. HSS/LMS Signature Verification
Implementation ㉑
HSS/LMS is the multi-tree
variant of the
Leighton-Micali (LMS)
system
New KeyFactory and
Signature verification
implementation of HSS/LMS
Only Signature verification
is supported *
* signature generation should be performed in hardware only

15. Read a HSS/LMS Public Key from its
Serialized Format
// Verification provider may be different,
// so convert encoded public key into a type it supports
var ALG = "HSS/LMS";
var instance = KeyFactory.getInstance(ALG);
var keySpec = new X509EncodedKeySpec(encodedPublicKey);
var generatedPublicKey = instance.generatePublic(keySpec);

16. Verify the Validity of a Signature that
Uses HSS/LMS Algorithm
// Verification provider may be different,
// so convert encoded public key into a type it supports
var ALG = "HSS/LMS";
var msg = "hello, world".getBytes(StandardCharsets.UTF_8);
var instance = KeyFactory.getInstance(ALG);
var keySpec = new X509EncodedKeySpec(encodedPublicKey);
var generatedPublicKey = instance.generatePublic(keySpec);
var signature = Signature.getInstance(ALG);
signature.initVerify(generatedPublicKey);
signature.update(msg);
System.out.println(signature.verify(sig));

17. Restricted Weak Algorithms

18. SHA-1 JARs are Disabled by Default ⑱
$ jarsigner -verify -verbose old.jar
57 Wed Jul 12 14:25:08 EDT 2023 META-INF/MANIFEST.MF
249 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.SF
2005 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.RSA
m ? 1 Wed Jul 12 14:24:16 EDT 2023 A
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
? = unsigned entry
- Signed by "CN=signer"
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA256withRSA, 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the
security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
Change introduced in JDK 18, backported to CPU 22_10

19. Disabled Weak TLS Algorithms
☕ 3DES cipher suites have been removed from the default enabled TLS cipher suites. ⑲
☕ TLS_ECDH cipher suites are disabled because they do not preserve forward-secrecy. ⑳
☕ The DTLS 1.0 protocol has various weaknesses and is no longer recommended. ⑳

20. Restriction Rules for Weak Algorithms
☕ In krb5.conf for Kerberos since that's the standard way among Kerberos vendors.
☕ As security properties in the $JDK_HOME/conf/security/java.security file for:
☕ JAR verification
☕ CertPath and
☕ TLS

21. Removed Weak Kerberos Encryption
Types
#krb5.conf
[libdefaults]
allow_weak_crypto = false
permitted_enctypes =
es256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
des3-cbc-sha1 …
☕ DES,3DES and RC4 have been removed
from the default list of Kerberos encryption
types. ⑱
⛔ If allow_weak_crypto = true, any of the
weak encryption types could then be used!
☕ You can selectively enable weak algorithms in
Kerberos, by specifically adding the weak
algorithm(s) name to permitted_enctypes in
krb5.conf.

22. Image by EdenMoon from Pixabay
Re-enabling Any Weak Encryption
Type is NOT Recommended and
You Do That at Your Own Risk!

23. JDK Security Configuration Aftermath
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, MD5withRSA, DH
keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer,RSA keySize
< 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter
2019-01-01
jdk.security.legacyAlgorithms=…
jdk.jar.disabledAlgorithms=...

24. The Security Manager Influence
☕ Originally designed as a sandbox for running potentially untrusted applets.
☕ Later enhanced to support a fine-grained permission model.
☕ Was not widely used and JDK 17 deprecated for removal the Security Manager (JEP 411).
☕ Several APIs related to the Security Manager were deprecated for removal.
☕ Since JDK 18 the java.security.manager system property has disallow default value.

25. Security API Enhancements

26. Replacement of JAAS APIs ⑱
☕ Some JAAS APIs depend on Security Manager related API.
☕ JEP 411 outlined plans to provide replacement JAAS APIs.
🆕 Subject::callAs() is a replacement for JAAS Subject::doAs() API.
🆕 Subject::current() is a replacement for JAAS Subject::getSubject()API.

27. Replacement of JAAS APIs (example)
Subject s1 = new Subject();
// before
Subject.doAs(s1,
(PrivilegedExceptionAction<Void>)() -> {
AccessControlContext acc = AccessController.getContext();
Subject s2 = Subject.getSubject(acc);
return null;
});
// after
Subject.callAs(s1, () -> {
Subject s2 = Subject.current();
return null;
});

28. Improved KeyStore Attributes Access ⑱
// before
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
KeyStore.Entry entry = ks.getEntry(alias, new
KeyStore.PasswordProtection(keyPassword));
Set<KeyStore.Entry.Attribute> attributes = entry.getAttributes();
// after
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
Set<KeyStore.Entry.Attribute> attributes = ks.getAttributes(alias);

29. APIs to Customize TLS and DTLS
Signature Schemes ⑲
SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
String[] sigSchemes = {"rsa_pkcs1_sha512", "rsa_pkcs1_sha384"};
sslParams.setSignatureSchemes(sigSchemes);
New javax.net.ssl.SSLParameters::setSignatureSchemes

30. APIs to Customize TLS and DTLS Named
Groups ⑳
SSLParameters params = new SSLParameters();
params.setNamedGroups(new String[] { "x25519", "secp256r1" });
New javax.net.ssl.SSLParameters::setNamedGroups

31. Image by TheDigitalArtist from Pixabay
A Potential Threat of Quantum
Computers?

32. Key Encapsulation Mechanism (KEM)
☕ Also a scheme with public and private keys.
☕ The sender has receiver’s public key.
☕ KEM uses properties of the public key to derive a related symmetric key.
☕ The two parties can securely negotiate a shared secret.
☕ The shared secret can then be used in secure communication with a symmetric cipher.

33. Encapsulation Decapsulation
key encapsulation message
Public key Private key
Sender Encrypt Decrypt Receiver
plaintext plaintext
cyperthext
Receiver
Sender

34. Key Encapsulation Mechanism API ㉑
☕ Key pair generation function
This function is already covered by the KeyPairGenerator API.
☕ Key encapsulation
Encapsulate(public_key) -> key_encapsulation_message, shared_secret
☕ Key decapsulation
Decapsulate(private_key, key_encapsulation_message) -> shared_secret

35. Support for the EdDSA Signature
Algorithm in XML Signatures ㉑
☕ XML Signatures can now be signed or verified with the EdDSA algorithm.
🆕 Standard SignatureMethod URIs
🆕 SignatureMethod.ED25519
🆕 SignatureMethod.ED448
Also backported to JDK 8u,11u, 17u

36. Toggle XML Signature Secure Validation Mode㉑
☕ Secure processing mode is enabled by default.
☕ Stricter constraints for validating XML signatures are defined by a new security property.
🆕 jdk.xml.dsig.secureValidationPolicy security property
☕ If org.jcp.xml.dsig.secureValidation=true, validation of XML signatures is subject to stricter
constraints as defined by jdk.xml.dsig.secureValidationPolicy.
Also backported to JDK 8u,11u, 17u

37. Fine Tune Usage of XPath here()Function ㉑
<!-- select node-sets for use in XPath
transforms..-->
<XPath xmlns:dsig="&dsig;">
count(ancestor-or-self::dsig:Signature |
here()/ancestor::dsig:Signature[1]) >
count(ancestor-or-self::dsig:Signature)</XPat
h>
☕ here() is not a standard XPath function
🆕 jdk.xml.dsig.hereFunctionSupported
☕ The security property has default value true.
Also backported to JDK 8u,11u, 17u

38. OS Specific Integrations

39. Listing Certificates on Windows
try {
KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, null) ;
Enumeration<String> en = ks.aliases() ;
while (en.hasMoreElements()) {
String aliasKey = en.nextElement().toString() ;
X509Certificate cert = (X509Certificate) ks.getCertificate(aliasKey);
System.out.println(" Certificate subjectDN : " + cert.getSubjectDN());
System.out.println(" Certificate issuerDN : " + cert.getIssuerDN());
}
} catch (Exception e) {
throw new RuntimeException("Exception while reading certificates", e);
}

40. New Windows KeyStore Types ⑲
try {
KeyStore ks = KeyStore.getInstance("Windows-MY-CURRENTUSER");
ks.load(null, null) ;
Enumeration<String> en = ks.aliases() ;
while (en.hasMoreElements()) {
String aliasKey = en.nextElement().toString() ;
X509Certificate cert = (X509Certificate) ks.getCertificate(aliasKey);
System.out.println(" Certificate subjectDN : " + cert.getSubjectDN());
System.out.println(" Certificate issuerDN : " + cert.getIssuerDN());
}
} catch (Exception e) {
throw new RuntimeException("Exception while reading certificates", e);
}

41. MacOS KeychainStore Can Show Only
Trusted Certificates ㉑
KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
keyStore.load(null, null);
keyStore.aliases().asIterator().forEachRemaining(System.out::println);
System.out.println("size:" + keyStore.size());
// before JDK 21 prints user domain certificates
// JDK 21+, prints proper trust certificates in user and/or admin domain
Change backported to JDK 11, 17

42. Updates to the JDK cacerts File
☕ No longer uses obsolete proprietary JKS format
☕ Uses password-less PKCS12 format
☕ Public certificates no longer encrypted
☕ No longer need to specify/change a default password (“changeit”)

43. Tools Updates

44. Keytool Improvements (1)
☕ Uses larger default key sizes in -genkeypair if -keysize option is not specified
$ keytool -genkeypair -keyalg RSA -keystore keystore
...
Generating 3.072 bit RSA key pair and self-signed certificate
(SHA384withRSA) with a validity of 90 days

45. Keytool Improvements (2)
☕ Uses larger default key sizes in -genkeypair if -keysize option is not specified.
☕ -genseckey and -importpass options warn when using weak password-based encryption
algorithms. ㉑
$ keytool -genseckey -alias secret -keypass changeit -keyalg RC4
-keysize 128 -keystore example.p12 -storepass changeit
-storetype PKCS12 -v
Generated 128-bit ARCFOUR secret key [Storing example.p12]
Warning: The generated secret key uses the ARCFOUR algorithm which is
considered a security risk.

46. Jarsigner Improvements
☕ Strengthens the default digest and signature algorithms when signing.
☕ SHA-1 JARs are disabled by default (except those timestamped prior to 2019-01-01).
☕ Specify the class path of an alternate keystore implementation via –providerPath. ⑲
$ jarsigner -keystore keystore -storetype CUSTOMKS
-providerPath /path/to/test.myks
-providerClass my.custom.AnotherProvider
signed.jar mykey

47. Recording Initial Security Properties With
JDK Flight Recorder
🆕 jdk.InitialSecurityProperty cryptographic event
☕ Enabled by default in default.jfc and profile.jfc.
☕ Captures info on initial security properties when loaded via java.security.Security class.

48. Disabling Initial Security Properties Event
$ jfr configure jdk.InitialSecurityProperty#enabled=false
# or on launch
$ java -XX:StartFlightRecording:settings=none,
+jdk.InitialSecurityProperty#enabled=false

49. Recording Details About Security Provider
Instance Requests
🆕 jdk.SecurityProviderService cryptographic event
☕ Disabled by default in default.jfc and profile.jfc.
☕ Records info on java.security.Provider.getService(…) calls.

50. Enabling Security Provider Instance
Requests Event
$ jfr configure jdk.SecurityProviderService#enabled=true
# or on launch
$ java -XX:StartFlightRecording:settings=none,
+jdk.SecurityProviderService#enabled=true

51. Image by geralt from Pixabay

52. Java Crypto Roadmap
(https://java.com/cryptoroadmap)
☕ Informs the public about upcoming security changes to update releases.
☕ Each change improves security in some way:
☕ Restrict or disable a weak algorithm,
☕ A default can be changed to a stronger setting,
☕ Support for a stronger algorithm can be added,
☕ Or improve tools to help you diagnose security issues.
☕ Yet, a change may have some compatibility risk:
☕ Advance notice (usually 3-6 months), except in case of a severe vulnerability.
☕ Testing instructions, if applicable.

53. Stay Tuned for More
Inside.java
Dev.java youtube.com/java

54. Useful Links
☕ JEP 411 about deprecation of the Security Manager for removal https://openjdk.org/jeps/411
☕ Sean Mullan’s blog on JDK security changes: https://seanjmullan.org/blog/
☕ Java Security Standard Algorithm Names https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html
☕ Java Security Guide https://docs.oracle.com/en/java/javase/21/security/java-security-overview1.html
☕ Java CryptoRoadmap https://www.java.com/en/jre-jdk-cryptoroadmap.html
☕ Java 21 Tool Enhancements: Better Across the Board #RoadTo21 https://www.youtube.com/embed/nFJBVuaIsRg
☕ Java 21 Security Updates #RoadTo21 https://www.youtube.com/embed/kSjdZZsHM04