Java™ 6 Security Enhancements

The Java Platform has added support for the following Security functionality in version 6:

• JSR 105, the XML Digital Signature API and implementation
  
  For details, see the XML Digital Signature API Specification and the XML Digital Signature API Overview and Tutorial


• JSR 268, Smart Card I/O API
  
  Sun's Java SE 6 implementation bundles the Smart Card I/O API defined by JSR 268 as well as a provider called SunPCSC which uses the platform's native PC/SC Smart Card stack, if available. Note that neither the API nor the SunPCSC provider are part of the Java SE 6 platform specification and may not be present on other compliant Java SE implementations.


• Elliptic Curve Cryptography (ECC) in SunPKCS11
  
  The SunPKCS11 provider now exposes ECC algorithms if the underlying PKCS#11 token supports them. This include ECDSA signing and verification, ECDH key agreement, and generation of EC keypairs. For more information about the supported mechanisms, see the supported algorithms section in the PKCS#11 reference guide.


• Elliptic Curve CipherSuites in SunJSSE
  
  The SunJSSE now supports the ECC ciphersuites defined in RFC 4492, if a suitable crypto provider is available (for example, SunPKCS11 with an appropriate PKCS#11 library). For more information, see the list of supported ciphersuites and their requirements.


• Access Network Security Services (NSS) using SunPKCS11
  
  The SunPKCS11 provider supports new configuration directives which allow it to access the NSS security library. This enables Java applications to read keys stored in the NSS database files, use ECC algorithms, and to use the NSS Softtoken as a FIPS 140 compliant cryptography provider. For more information see the NSS section in the PKCS#11 guide.


• FIPS 140 compliance for SunJSSE
  
  The SunJSSE provider now supports an experimental FIPS 140 compliant mode. When enabled and used in combination with the SunPKCS11 provider and an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140 compliant. For details, see the JSSE Reference Guide.


• Pluggability restrictions have been removed from JSSE
  
  In earlier releases, the JSSE framework did not allow 3rd party JSSE providers that implemented non-standard ciphersuites due to export control issues.


• Socket read timeouts are fully supported by SunJSSE SSLSockets
  
  In previous releases, calling setSoTimeout() would sometimes lead to unpredictable results. This has been corrected.


• Cipher Text Stealing (CTS) mode added to SunJCE block ciphers
  
  CTS is described in Bruce Schneier's book "Applied Cryptography-Second Edition", John Wiley & Sons, 1996 (pg. 195-196), and is used by some Kerberos implementations.


• New PBKDF2WithHmacSHA1 Secretkeyfactory algorithm added to SunJCE
  
  Constructs secret keys using the Password-Based Key Derivation Function function found in PKCS5 v2.0.


• Removed the 2048 RSA keysize limit from local_policy.jar
  
  Implementations were previously restricted from obtaining RSA keys larger than 2048 bits without installing the unlimited crypto policy files.


• New Certification Authority (CA) certificates added
  
  A number of new CA certificates were added to the default system lib/security/cacerts file. See the keytool docs for the complete list of CA certificates.


• Added Two New Options to jarsigner Tool
  
  Options -digestalg and -sigalg have been added to the jarsigner tool to allow users to override the default signature and digest algorithms when signing a jar file


• New Options for keytool Tool
  
  Options -genseckey and -importkeystore have been added to the keytool tool to allow users to generate a SecretKey inside a keystore and copy entries from one keystore to another. Options -genkey, -import and -export have been renamed to -genkeypair, -importcert and -exportcert.


• User-Entered Passwords no longer echoed on the screen
  
  Security tools like keytool/jarsigner, and the JAAS login authentication modules use the new java.io.Console class so that user-entered passwords are no longer echoed on the screen.


• Support for AES Encryption Type in Java GSS/Kerberos
  
  Support for AES encryption type (AES128 and AES256) in Java GSS/Kerberos is available. This improves interoperability of the Java SE Kerberos implementation with other Kerberos implementations, such as Solaris 10 and MIT Kerberos. For details, see Java GSS Security Features.
  
  
• Support for RC4-HMAC Encryption Type in Java GSS/Kerberos
  
  Support for RC4-HMAC encryption type in Java GSS/Kerberos is available. This improves interoperability of the Java SE Kerberos implementation with other Kerberos implementations, such as Windows, Solaris 10 and MIT Kerberos. Windows Active Directory supports RC4-HMAC as the default Kerberos encryption type. For details, see Java GSS Security Features.
  
  
• Support for SPNEGO in Java GSS
  
  Support for SPNEGO mechanism in Java GSS is now available. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is a pseudo security mechanism that enables GSS-API peers to securely negotiate a common security mechanism to be used.
  
  Support for SPNEGO authentication scheme in HTTP is also available. For details, see Java GSS Security Features.
  
  
• Support for new Pre-Authentication Mechanisms
  
  Java GSS/Kerberos now includes support for the new pre-authentication mechanisms as described in the latest Kerberos specification. For details, see Java GSS Security Features.
  
  
• Native Platform GSS Integration
  
  This feature allows Java GSS applications to take advantage of features in the native GSS implementation available on the platform. For details, see Java GSS Security Features.
  
  
• Access to native PKI and cryptographic services on Microsoft Windows
  
  Added the SunMSCAPI JCE provider which uses the Microsoft CryptoAPI (CAPI) to offer a variety of RSA cryptographic functions. It acts as a bridge between Java applications and the services offered by the default RSA cryptographic service provider available via CAPI. It provides access to X.509 certificates and RSA key pairs, it performs RSA encryption and decryption, and it creates and validates RSA signatures. It also supports a cryptographic random number generator.
  
  
• Enhancements to the implementation of PKI Certificate Path Validation
  
  Added support for segmented and indirect CRLs, resulting in improved performance and improved PKIX compliance (RFC 3280).


• JAAS-based authentication using LDAP
  
  Added a JAAS login module which enables users to perform authentication using credentials stored in an LDAP directory service. It provides a drop-in solution for existing JAAS-enabled applications that wish to support authentication using LDAP. See LDAPLoginModule for more information.


• Default SSLContext
  
  Added the static method getDefault() and setDefault() to SSLContext. getDefault() returns the default SSLContext, which is initialized in an implementation specific fashion, for example using system properties. setDefault() allows an application to programmatically set the default context to any initialized SSLContext object.


• SSLParameters
  
  The new SSLParameters class encapsulates the configuration parameters of an SSL endpoint, in particular the ciphersuites, protocol versions, and for servers the client authentication requirements. They can be applied with a single call to SSLSocket.setSSLParameters() or SSLEngine.setSSLParameters().

Copyright © 1995-2006 Sun Microsystems, Inc. All Rights Reserved. Please send comments to: java-security@sun.com. This is not a subscription list.