From Java 17 to 21- A Showcase of JDK Security Enhancements

From Java 17 to 21
A Showcase of JDK Security
Enhancements

Java Champion Alumni, Certified Architect
Senior Developer Advocate at Oracle
Passionate about solving complex scenarios
involving Java and Kubernetes.
ammbra1508 ammbra1508.mastondon.social

Image by EdenMoon from Pixabay
What Significant Changes
Occurred in JDK Security after
Java 17?

JDK Security Impact
☕ Over time, most algorithms weaken and can be exploited more easily.
☕ Lifetime of a JDK release can outlast the viable lifetime of many cryptographic algorithms.
☕ The Java Platform continuously gets enhancements to its tooling, supported cryptographic
algorithms and protocols.
☕ All changes are done for you to build and deploy applications that use modern and strong
algorithms and protocols.

Java Security Components (1)
Java Language and Runtime Security
Cryptography (JCA/JCE) PKI
SASL XML Signature
GSSAPI/Kerberos
Authn/Authz (JAAS)
keytool jarsigner kinit, klist, ktab Tools
APIs and
Libraries
TLS/DTLS (JSSE) Signed JARs

Java Security Components (2)
Java Language and Runtime Security
Cryptography (JCA/JCE) PKI
SASL XML Signature
GSSAPI/Kerberos
Authn/Authz (JAAS)
keytool jarsigner kinit, klist, ktab Tools
APIs and
Libraries
TLS/DTLS (JSSE) Signed JARs

Image by Myriams-Fotos from Pixabay

Modern Cryptographic Algorithms

Larger Key Sizes to Improve Resilience
Algorithm Specification Before JDK 19 In JDK 20 & 21
AES Cipher FIPS Pub 197 128 bit
256 bit (if allowed by
policy)
ECDH NIST SP 800-56A Curve P-256 Curve P-384
ECDSA Signature FIPS Pub 186-4 Curve P-256 Curve P-384
SHA MessageDigest FIPS Pub 180-4 SHA-256 SHA-384
DH KevExchange IETF RFC 3526 2048-bit 3072-bit
RSA/RSAPSS
Signature
NIST SP 800-56B
rev 1
2048-bit 3072-bit

Image by TheDigitalArtist from Pixabay
A Potential Threat of Quantum
Computers?

First Post-Quantum Cryptography
Algorithms in OpenJDK
☕ Leighton-Micali Signature system (LMS) is a stateful hash-based signature (HBS) scheme.
☕ The Hierarchical Signature System (HSS) is the multi-tree variant of LMS.
☕ HSS/LMS is one of the two quantum resistant signature algorithms standardized by NIST.
☕ As use cases, HSS/LMS is suitable for software or firmware signing .
☕ HMS/LMS key and signature generation should be performed on hardware.

HSS/LMS Signature Verification
Implementation ㉑
HSS/LMS is the multi-tree
variant of the
Leighton-Micali (LMS)
system
New KeyFactory and
Signature verification
implementation of HSS/LMS
Only Signature verification
is supported *
* signature generation should be performed in hardware only

Read a HSS/LMS Public Key from its
Serialized Format
// Verification provider may be different,
// so convert encoded public key into a type it supports
var ALG = "HSS/LMS";
var instance = KeyFactory.getInstance(ALG);
var keySpec = new X509EncodedKeySpec(encodedPublicKey);
var generatedPublicKey = instance.generatePublic(keySpec);

Verify the Validity of a Signature that
Uses HSS/LMS Algorithm
// Verification provider may be different,
// so convert encoded public key into a type it supports
var ALG = "HSS/LMS";
var msg = "hello, world".getBytes(StandardCharsets.UTF_8);
var instance = KeyFactory.getInstance(ALG);
var keySpec = new X509EncodedKeySpec(encodedPublicKey);
var generatedPublicKey = instance.generatePublic(keySpec);
var signature = Signature.getInstance(ALG);
signature.initVerify(generatedPublicKey);
signature.update(msg);
System.out.println(signature.verify(sig));

SHA-1 JARs are Disabled by Default ⑱
$ jarsigner -verify -verbose old.jar
57 Wed Jul 12 14:25:08 EDT 2023 META-INF/MANIFEST.MF
249 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.SF
2005 Wed Jul 12 14:25:08 EDT 2023 META-INF/SIGNER.RSA
m ? 1 Wed Jul 12 14:24:16 EDT 2023 A
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
? = unsigned entry
- Signed by "CN=signer"
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA256withRSA, 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the
security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
Change introduced in JDK 18, backported to CPU 22_10

Disabled Weak TLS Algorithms
☕ 3DES cipher suites have been removed from the default enabled TLS cipher suites. ⑲
☕ TLS_ECDH cipher suites are disabled because they do not preserve forward-secrecy. ⑳
☕ The DTLS 1.0 protocol has various weaknesses and is no longer recommended. ⑳

Restriction Rules for Weak Algorithms
☕ In krb5.conf for Kerberos since that's the standard way among Kerberos vendors.
☕ As security properties in the $JDK_HOME/conf/security/java.security file for:
☕ JAR verification
☕ CertPath and
☕ TLS

Removed Weak Kerberos Encryption
Types
#krb5.conf
[libdefaults]
allow_weak_crypto = false
permitted_enctypes =
es256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
des3-cbc-sha1 …
☕ DES,3DES and RC4 have been removed
from the default list of Kerberos encryption
types. ⑱
⛔ If allow_weak_crypto = true, any of the
weak encryption types could then be used!
☕ You can selectively enable weak algorithms in
Kerberos, by specifically adding the weak
algorithm(s) name to permitted_enctypes in
krb5.conf.

Image by EdenMoon from Pixabay
Re-enabling Any Weak Encryption
Type is NOT Recommended and
You Do That at Your Own Risk!

JDK Security Configuration Aftermath
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, MD5withRSA, DH
keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, ECDH
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer,RSA keySize
< 1024, DSA keySize < 1024, EC keySize < 224, SHA1 usage SignedJAR & denyAfter
2019-01-01
jdk.security.legacyAlgorithms=…
jdk.jar.disabledAlgorithms=...

The Security Manager Influence
☕ Originally designed as a sandbox for running potentially untrusted applets.
☕ Later enhanced to support a fine-grained permission model.
☕ Was not widely used and JDK 17 deprecated for removal the Security Manager (JEP 411).
☕ Several APIs related to the Security Manager were deprecated for removal.
☕ Since JDK 18 the java.security.manager system property has disallow default value.

Replacement of JAAS APIs ⑱
☕ Some JAAS APIs depend on Security Manager related API.
☕ JEP 411 outlined plans to provide replacement JAAS APIs.
🆕 Subject::callAs() is a replacement for JAAS Subject::doAs() API.
🆕 Subject::current() is a replacement for JAAS Subject::getSubject()API.

Replacement of JAAS APIs (example)
Subject s1 = new Subject();
// before
Subject.doAs(s1,
(PrivilegedExceptionAction<Void>)() -> {
AccessControlContext acc = AccessController.getContext();
Subject s2 = Subject.getSubject(acc);
return null;
});
// after
Subject.callAs(s1, () -> {
Subject s2 = Subject.current();
return null;
});

Improved KeyStore Attributes Access ⑱
// before
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
KeyStore.Entry entry = ks.getEntry(alias, new
KeyStore.PasswordProtection(keyPassword));
Set<KeyStore.Entry.Attribute> attributes = entry.getAttributes();
// after
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
Set<KeyStore.Entry.Attribute> attributes = ks.getAttributes(alias);

APIs to Customize TLS and DTLS
Signature Schemes ⑲
SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
String[] sigSchemes = {"rsa_pkcs1_sha512", "rsa_pkcs1_sha384"};
sslParams.setSignatureSchemes(sigSchemes);
New javax.net.ssl.SSLParameters::setSignatureSchemes

APIs to Customize TLS and DTLS Named
Groups ⑳
SSLParameters params = new SSLParameters();
params.setNamedGroups(new String[] { "x25519", "secp256r1" });
New javax.net.ssl.SSLParameters::setNamedGroups

Key Encapsulation Mechanism (KEM)
☕ Also a scheme with public and private keys.
☕ The sender has receiver’s public key.
☕ KEM uses properties of the public key to derive a related symmetric key.
☕ The two parties can securely negotiate a shared secret.
☕ The shared secret can then be used in secure communication with a symmetric cipher.

Encapsulation Decapsulation
key encapsulation message
Public key Private key
Sender Encrypt Decrypt Receiver
plaintext plaintext
cyperthext
Receiver
Sender

Key Encapsulation Mechanism API ㉑
☕ Key pair generation function
This function is already covered by the KeyPairGenerator API.
☕ Key encapsulation
Encapsulate(public_key) -> key_encapsulation_message, shared_secret
☕ Key decapsulation
Decapsulate(private_key, key_encapsulation_message) -> shared_secret

Support for the EdDSA Signature
Algorithm in XML Signatures ㉑
☕ XML Signatures can now be signed or verified with the EdDSA algorithm.
🆕 Standard SignatureMethod URIs
🆕 SignatureMethod.ED25519
🆕 SignatureMethod.ED448
Also backported to JDK 8u,11u, 17u

Toggle XML Signature Secure Validation Mode㉑
☕ Secure processing mode is enabled by default.
☕ Stricter constraints for validating XML signatures are defined by a new security property.
🆕 jdk.xml.dsig.secureValidationPolicy security property
☕ If org.jcp.xml.dsig.secureValidation=true, validation of XML signatures is subject to stricter
constraints as defined by jdk.xml.dsig.secureValidationPolicy.

Fine Tune Usage of XPath here()Function ㉑

<XPath xmlns:dsig="&dsig;">
count(ancestor-or-self::dsig:Signature |
here()/ancestor::dsig:Signature[1]) >
count(ancestor-or-self::dsig:Signature)</XPat
h>
☕ here() is not a standard XPath function
🆕 jdk.xml.dsig.hereFunctionSupported
☕ The security property has default value true.

Listing Certificates on Windows
try {
KeyStore ks = KeyStore.getInstance("Windows-MY");
ks.load(null, null) ;
Enumeration<String> en = ks.aliases() ;
while (en.hasMoreElements()) {
String aliasKey = en.nextElement().toString() ;
X509Certificate cert = (X509Certificate) ks.getCertificate(aliasKey);
System.out.println(" Certificate subjectDN : " + cert.getSubjectDN());
System.out.println(" Certificate issuerDN : " + cert.getIssuerDN());
}
} catch (Exception e) {
throw new RuntimeException("Exception while reading certificates", e);
}

New Windows KeyStore Types ⑲
try {
KeyStore ks = KeyStore.getInstance("Windows-MY-CURRENTUSER");
ks.load(null, null) ;
Enumeration<String> en = ks.aliases() ;
while (en.hasMoreElements()) {
String aliasKey = en.nextElement().toString() ;
X509Certificate cert = (X509Certificate) ks.getCertificate(aliasKey);
System.out.println(" Certificate subjectDN : " + cert.getSubjectDN());
System.out.println(" Certificate issuerDN : " + cert.getIssuerDN());
}
} catch (Exception e) {
throw new RuntimeException("Exception while reading certificates", e);
}

MacOS KeychainStore Can Show Only
Trusted Certificates ㉑
KeyStore keyStore = KeyStore.getInstance("KeychainStore", "Apple");
keyStore.load(null, null);
keyStore.aliases().asIterator().forEachRemaining(System.out::println);
System.out.println("size:" + keyStore.size());
// before JDK 21 prints user domain certificates
// JDK 21+, prints proper trust certificates in user and/or admin domain
Change backported to JDK 11, 17

Updates to the JDK cacerts File
☕ No longer uses obsolete proprietary JKS format
☕ Uses password-less PKCS12 format
☕ Public certificates no longer encrypted
☕ No longer need to specify/change a default password (“changeit”)

Keytool Improvements (1)
☕ Uses larger default key sizes in -genkeypair if -keysize option is not specified
$ keytool -genkeypair -keyalg RSA -keystore keystore
...
Generating 3.072 bit RSA key pair and self-signed certificate
(SHA384withRSA) with a validity of 90 days

Keytool Improvements (2)
☕ Uses larger default key sizes in -genkeypair if -keysize option is not specified.
☕ -genseckey and -importpass options warn when using weak password-based encryption
algorithms. ㉑
$ keytool -genseckey -alias secret -keypass changeit -keyalg RC4
-keysize 128 -keystore example.p12 -storepass changeit
-storetype PKCS12 -v
Generated 128-bit ARCFOUR secret key [Storing example.p12]
Warning: The generated secret key uses the ARCFOUR algorithm which is
considered a security risk.

Jarsigner Improvements
☕ Strengthens the default digest and signature algorithms when signing.
☕ SHA-1 JARs are disabled by default (except those timestamped prior to 2019-01-01).
☕ Specify the class path of an alternate keystore implementation via –providerPath. ⑲
$ jarsigner -keystore keystore -storetype CUSTOMKS
-providerPath /path/to/test.myks
-providerClass my.custom.AnotherProvider
signed.jar mykey

Recording Initial Security Properties With
JDK Flight Recorder
🆕 jdk.InitialSecurityProperty cryptographic event
☕ Enabled by default in default.jfc and profile.jfc.
☕ Captures info on initial security properties when loaded via java.security.Security class.

Disabling Initial Security Properties Event
$ jfr configure jdk.InitialSecurityProperty#enabled=false
# or on launch
$ java -XX:StartFlightRecording:settings=none,
+jdk.InitialSecurityProperty#enabled=false

Recording Details About Security Provider
Instance Requests
🆕 jdk.SecurityProviderService cryptographic event
☕ Disabled by default in default.jfc and profile.jfc.
☕ Records info on java.security.Provider.getService(…) calls.

Enabling Security Provider Instance
Requests Event
$ jfr configure jdk.SecurityProviderService#enabled=true
# or on launch
$ java -XX:StartFlightRecording:settings=none,
+jdk.SecurityProviderService#enabled=true

Java Crypto Roadmap
(https://java.com/cryptoroadmap)
☕ Informs the public about upcoming security changes to update releases.
☕ Each change improves security in some way:
☕ Restrict or disable a weak algorithm,
☕ A default can be changed to a stronger setting,
☕ Support for a stronger algorithm can be added,
☕ Or improve tools to help you diagnose security issues.
☕ Yet, a change may have some compatibility risk:
☕ Advance notice (usually 3-6 months), except in case of a severe vulnerability.
☕ Testing instructions, if applicable.

Stay Tuned for More
Inside.java
Dev.java youtube.com/java

Useful Links
☕ JEP 411 about deprecation of the Security Manager for removal https://openjdk.org/jeps/411
☕ Sean Mullan’s blog on JDK security changes: https://seanjmullan.org/blog/
☕ Java Security Standard Algorithm Names https://docs.oracle.com/en/java/javase/21/docs/specs/security/standard-names.html
☕ Java Security Guide https://docs.oracle.com/en/java/javase/21/security/java-security-overview1.html
☕ Java CryptoRoadmap https://www.java.com/en/jre-jdk-cryptoroadmap.html
☕ Java 21 Tool Enhancements: Better Across the Board #RoadTo21 https://www.youtube.com/embed/nFJBVuaIsRg
☕ Java 21 Security Updates #RoadTo21 https://www.youtube.com/embed/kSjdZZsHM04

From Java 17 to 21- A Showcase of JDK Security Enhancements

More Related Content

What's hot (20)

Similar to From Java 17 to 21- A Showcase of JDK Security Enhancements (20)

More from Ana-Maria Mihalceanu (20)

Recently uploaded (20)

From Java 17 to 21- A Showcase of JDK Security Enhancements