This document discusses security enhancements to Java 9 including TLS and DTLS support. TLS 1.0-1.2 and the upcoming TLS 1.3 are supported via the JSSE API. DTLS 1.0-1.2 is also now supported to provide security for unreliable transports like UDP. The TLS Application-Layer Protocol Negotiation extension allows identifying the application protocol during the TLS handshake. Other enhancements include OCSP stapling, PKCS12 as the default keystore, and SHA-3 hash algorithm support.
1. Java 9 security enhancements
in practice
Martin Toshev
Prague, 19-20 October 2017
2. Who am I
Software consultant (CoffeeCupConsulting)
BG JUG board member (http://jug.bg)
OpenJDK and Oracle RBDMS enthusiast
Twitter: @martin_fmi
Martin Toshev Prague, 19-20 October 2017
3. Agenda
TLS support in JDK
DTLS support in JDK 9
TLS ALPN extension in JDK 9
The rest at a glance …
Martin Toshev Prague, 19-20 October 2017
4. TLS support in JDK
Martin Toshev Prague, 19-20 October 2017
5. TLS and the JDK
•Up to JDK 9 TLS 1.0, 1.1 and 1.2 are supported via the JSSE API
•TLS 1.3 specification currently ongoing …
•typically used to secure most types of application protocols
•used for the implementation of SSL VPNs
Martin Toshev Prague, 19-20 October 2017
6. TLS handshake
client serve
r
1) Client “hello”(TLS version, ciphers)
2) Server “hello”(server cert, TLS version, cipher)
3) Verity server
cert and crypto
params
5) Send secret key
4) Send client cert
7) Client finished
8) Server finished
6) Verity client
cert
9) Exchange encryptedmessages
Martin Toshev Prague, 19-20 October 2017
7. Java Secure Socket Extension
•Implemented as JCA provider (SunJSSE)
•Core classes part of the javax.net and javax.net.ssl packages
•Provides APIs for blocking and non-blocking mode of operation
•javax.net.ssl.HttpsURLConnection used to simply HTTPs communication
Martin Toshev Prague, 19-20 October 2017
8. JSSE blocking mode
•Provided by the javax.net.ssl.SSLSocket class
•Used in the same manner as a regular socket
•Handshake might be triggered by:
o Calling startHandshake() on the socket
o Calling getSession() on the socket
o Reading/writing to the socket
Martin Toshev Prague, 19-20 October 2017
9. JSSE blocking mode (example)
Martin Toshev Prague, 19-20 October 2017
System.setProperty("javax.net.ssl.keyStore", "sample.pfx");
System.setProperty("javax.net.ssl.keyStorePassword", "sample");
SSLServerSocketFactory ssf = (SSLServerSocketFactory)
SSLServerSocketFactory.getDefault();
ServerSocket ss = ssf.createServerSocket(4444);
while (true) {
Socket s = ss.accept();
BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
PrintStream out = new PrintStream(s.getOutputStream());
String line = null;
while (((line = in.readLine()) != null)) { System.out.println(line); out.println("Hi, client"); }
in.close(); out.close(); s.close();
10. JSSE blocking mode (example)
Martin Toshev Prague, 19-20 October 2017
System.setProperty("javax.net.ssl.trustStore", "sample.pfx");
System.setProperty("javax.net.ssl.trustStorePassword", "sample");
SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
Socket s = ssf.createSocket("127.0.0.1", 4444);
PrintWriter out = new PrintWriter(s.getOutputStream(), true);
out.println("Hi, server.");
BufferedReader in = new BufferedReader(new InputStreamReader(s.getInputStream()));
String x = in.readLine();
System.out.println(x);
out.close(); in.close(); s.close();
11. JSSE non-blocking mode
•Provided by the javax.net.ssl.SSLEngine
•The wrap() and unwrap() methods used to transfer data
•Handshake might be triggered by
o calling beginHandshake()
o calling wrap()
o calling unwrap()
Martin Toshev Prague, 19-20 October 2017
application byte
buffers
network byte
buffers
TLS handshakewrap unwrap
12. JSSE non-blocking mode
•Much more complex to use than the SSLSocket API
•Can be used along with the java.nio.channels.SocketChannel API
•The javax.net.debug system property might be very useful for debugging
Martin Toshev Prague, 19-20 October 2017
-
Djavax.net.debug=all
-Djavax.net.debug=SSL, handshake
13. DTLS support in JDK 9
Martin Toshev Prague, 19-20 October 2017
14. DTLS
• TLS over an unreliable transport protocol such as UDP
• Reliable and in-order delivery are not guaranteed
• Targets to secure unreliable protocols such as DNS or SIP etc.
• Follows TLS specifications (hence 1.3 in draft)
Martin Toshev Prague, 19-20 October 2017
15. DTLS vs TLS
• Added explicit sequence number field
• Dropped support for some ciphers (such as RC4)
• Added retransmission timer for resending of packets
• MAC verification failure triggers warning instead of failure
• Added HelloVerifyRequest message in order to identify sender
Martin Toshev Prague, 19-20 October 2017
16. DTLS in JDK 9
• Support for DTLS 1.0 and 1.2
• Implementation adapted to the JSSE API
• SSEngine typically used along with DatagramSocket
• Implementation based on the SSLEngine API
• … which makes it hard to use directly
Martin Toshev Prague, 19-20 October 2017
17. DTLS before JDK 9
• Pre-JDK 9 a third party provider such as BCJSSE could be used
• … or external libraries such as OpenSSL via JNI
Martin Toshev Prague, 19-20 October 2017
18. DTLS in JDK 9
•Ordered delivery provided automatically by SSLEngine
•Sequence number can be retrieved via SSLEngineResult.sequenceNumber()
•Redelivery of failed messages must be done by the application
•… in DTLS handshake messages must be delivered properly
Martin Toshev Prague, 19-20 October 2017
19. DTLS in JDK 9
• Good examples are provided by the JDK 9 test suite
Martin Toshev Prague, 19-20 October 2017
SSLContext sslContext = SSLContext.getInstance("DTLS");
sslContext.init(…)
SSLEngine engine = sslContext.createSSLEngine();
engine.setUseClientMode(false);
…
21. Application Layer Protocol Extension
• Used to identify the application protocol during TLS handshake
• Does not require additional roundtrips (ClientHello message used)
• Allows the server to send different certificates for different protocols
• Typical use case is the HTTP 2 protocol
• … as e.g. HTTP 1.1 and HTTP/2 may both reside on the same TLS endpoint
Martin Toshev Prague, 19-20 October 2017
22. ALPN in JDK 9
• Before handshake set the supported protocols on the socket/engine:
Martin Toshev Prague, 19-20 October 2017
SSLParameters sslParams = sslSocket.getSSLParameters();
sslParams.setApplicationProtocols(…)
SSLParameters sslParams = sslEngine.getSSLParameters();
sslParams.setApplicationProtocols(…)
23. ALPN in JDK 9
• Trigger the handshake on the socket/engine – for example:
Martin Toshev Prague, 19-20 October 2017
sslSocket.startHandshake();
sslEngine.beginHandshake();
24. ALPN in JDK 9
• After handshake you can get the negotiated protocol:
Martin Toshev Prague, 19-20 October 2017
String protocol = sslSocket.getApplicationProtocol();
String protocol = sslEngine.getApplicationProtocol();
25. Advanced ALPN
• You can also specify custom protocol resolution
Martin Toshev Prague, 19-20 October 2017
sslSocket.setHandshakeApplicationProtocolSelector((serverSocket, clientProtocols) -> {
SSLSession handshakeSession = serverSocket.getHandshakeSession();
String cipher = handshakeSession.getCipherSuite();
int packetBufferSize = handshakeSession.getPacketBufferSize();
if("RC4".equals(cipher) && packetBufferSize > 1024) {
return "protocol1";
} else {
return "protocol2";
}
});
26. Demo: banking server
Martin Toshev Prague, 19-20 October 2017
FIX protocol integration
Banking server (plain Java)
Alpha protocol integration
Demo application
…
XMPP protocol
SIP protocol
27. The rest at a glance …
Martin Toshev Prague, 19-20 October 2017
28. OCSP Stapling for TCP
• Provides a capability for the server to check certificate revocation
• The server typically caches OCSP responses
• Done in order to reduce the number of responses from the OCSP server
• Must be enabled on both the client and the server
Martin Toshev Prague, 19-20 October 2017
-Djdk.tls.client.enableStatusRequestExtension=true
-Dcom.sun.net.ssl.checkRevocation=true
-
Djdk.tls.server.enableStatusRequestExtension=true
29. PKCS12 Keystores by default
•PKIX (PKCS12) is default type of store if no other is specified
•Replaces JKS as the default keystore
•PKCS12 provides support for stronger cryptographic algorithms
•Provides better interoperability with other systems
Martin Toshev Prague, 19-20 October 2017
30. Others
• DRBG-Based SecureRandom Implementations
• Utilization of CPU Instructions for GHASH and RSA
• SHA-1 Certificates disabled for certificate validation
• Implementation of the SHA-3 hash algorithms
Martin Toshev Prague, 19-20 October 2017
31. Summary
• JDK 9 introduces significant set of security features and enhancements
• The major part of them is related to TLS support
• Hopefully this tendency will continue with future releases …
Martin Toshev Prague, 19-20 October 2017
32. References
Java Platform, Standard Edition What’s New in Oracle JDK 9
https://docs.oracle.com/javase/9/whatsnew/
Java Platform, Standard Edition Security Developer’s Guide
https://docs.oracle.com/javase/9/security/
Martin Toshev Prague, 19-20 October 2017
33. References
JEP 219: Datagram Transport Layer Security
http://openjdk.java.net/jeps/219
JEP 244: TLS Application-Layer Protocol Negotiation Extension
http://openjdk.java.net/jeps/244
JDK 9 SSL test suite
https://github.com/netroby/jdk9-dev/tree/master/jdk/test/javax/net/ssl
Martin Toshev Prague, 19-20 October 2017
34. References
Bouncy Castle (D)TLS API and JSSE Provider
https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-
1.0.0.pdf
Introduction to DTLS
https://www.pixelstech.net/article/1459585203-Introduction-to-DTLS
%28Datagram-Transport-Layer-Security%29
DTLS implementation in JDK 9 (changeset)
http://hg.openjdk.java.net/jdk9/jdk9/jdk/rev/6721ff11d592
Martin Toshev Prague, 19-20 October 2017
Editor's Notes
TLS being the predecessor of SSL is not interoperable with SSL …
TLS being the predecessor of SSL is not interoperable with SSL …
TLS being the predecessor of SSL is not interoperable with SSL …
TLS being the predecessor of SSL is not interoperable with SSL …
TLS being the predecessor of SSL is not interoperable with SSL …
More complex that the SSLSocket API …
TLS being the predecessor of SSL is not interoperable with SSL …
You can also do the same on an SSLEngine instance …
Every box on the diagram is a separate Jigsaw module