Java™ 6 Security Enhancements
The Java Platform has added support for the following Security functionality in version 6:
- JSR 105, the XML Digital Signature API and implementation
For details, see the XML Digital
Signature API Specification and the XML Digital Signature API
Overview and Tutorial
- JSR 268, Smart Card I/O API
Sun's Java SE 6 implementation bundles the Smart Card I/O
API defined by JSR
268 as well as a provider called
which uses the platform's
native PC/SC Smart Card stack, if available. Note that neither the API
nor the SunPCSC provider is part of the Java SE 6 platform
specification and may not be present on other compliant Java SE
- Elliptic Curve Cryptography (ECC) in SunPKCS11
The SunPKCS11 provider now exposes ECC algorithms if the underlying
PKCS#11 token supports them. This includes ECDSA signing and
verification, ECDH key agreement, and generation of EC key pairs. For
more information about the supported mechanisms, see the supported
algorithms section in the PKCS#11 reference
- Elliptic Curve CipherSuites in SunJSSE
The SunJSSE now supports the ECC ciphersuites defined in RFC 4492, if a
suitable crypto provider is available (for example, SunPKCS11 with an
appropriate PKCS#11 library). For more information, see the list of supported
ciphersuites and their requirements.
- Access Network Security Services (NSS) using SunPKCS11
The SunPKCS11 provider supports new configuration directives which allow it to
access the NSS security library. This enables Java applications to read keys
stored in the NSS database files, use ECC algorithms, and use the NSS
Softtoken as a FIPS 140 compliant cryptography provider.
For more information see the NSS section
in the PKCS#11 guide.
- FIPS 140 compliance for SunJSSE
The SunJSSE provider now supports an experimental FIPS 140 compliant
mode. When enabled and used in combination with the SunPKCS11 provider
and an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS
140 compliant. For details, see the
JSSE Reference Guide.
- Pluggability restrictions have been removed from JSSE
In earlier releases, the JSSE framework did not allow 3rd party JSSE
providers that implemented non-standard ciphersuites due to export
- Socket read timeouts are fully supported by SunJSSE SSLSockets
In previous releases, calling
sometimes led to unpredictable results. This has been corrected.
- Cipher Text Stealing (CTS) mode added to SunJCE block ciphers
CTS is described in Bruce Schneier's book "Applied Cryptography-Second
Edition", John Wiley & Sons, 1996 (pg. 195-196), and is used by some
- PBKDF2WithHmacSHA1 SecretKeyFactory algorithm added to SunJCE
Constructs secret keys using the Password-Based Key Derivation
Function found in
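The two SunJCE additions above (the PBKDF2WithHmacSHA1 SecretKeyFactory and the CTS cipher mode) used together, as an added example that is not code from the original page: a password is stretched into a 128-bit AES key, and the key drives AES in CTS mode, whose ciphertext stays exactly the length of the plaintext. The salt, IV, password and message are constructed sample values; the iteration count is an assumption, not a documented default.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class Pbkdf2CtsDemo {
    // Derive a 128-bit AES key from a password with the SunJCE PBKDF2WithHmacSHA1 factory.
    static SecretKey deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 128); // key length in bits
        try {
            byte[] raw = f.generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword(); // scrub the password copy held by the spec
        }
    }

    // AES in CTS mode: output has the same length as the input; no padding block is appended.
    static byte[] crypt(int mode, SecretKey key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CTS/NoPadding");
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16];   // constructed: random per-password salt
        byte[] iv = new byte[16];     // constructed: random per-message IV (one AES block)
        rnd.nextBytes(salt);
        rnd.nextBytes(iv);

        // Iteration count is an assumed value for the demo; tune it to the deployment.
        SecretKey key = deriveKey("correct horse battery staple".toCharArray(), salt, 10000);

        // 21 bytes: more than one block, with a partial final block that CTS handles without padding.
        byte[] plain = "constructed sample...".getBytes("US-ASCII");
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, key, iv, plain);
        byte[] pt = crypt(Cipher.DECRYPT_MODE, key, iv, ct);
        System.out.println("ciphertext length " + ct.length + ", plaintext length " + plain.length);
        System.out.println("round trip ok: " + Arrays.equals(plain, pt));
    }
}
```

CTS requires at least one full block of input; shorter messages still need a padded mode.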
- Removed the 2048 RSA keysize limit from local_policy.jar
Implementations were previously restricted from obtaining RSA keys
larger than 2048 bits without installing the unlimited crypto policy
- New Certification Authority (CA) certificates added
A number of new CA certificates were added
to the default system
lib/security/cacerts file. See the
keytool docs for the
complete list of CA certificates.
- Added Two New Options to
-sigalg have been
added to the jarsigner tool to allow users to override the default
signature and digest algorithms when signing a jar file.
- New Options for
-importkeystore have been
added to the keytool tool to allow users to generate a SecretKey inside a
keystore and copy entries from one keystore to another. Options
-export have been
- User-Entered Passwords no longer echoed on the screen
Security tools like
jarsigner, and the JAAS
login authentication modules use the new
so that user-entered passwords are no longer echoed on the screen.
- Support for AES Encryption Type in Java GSS/Kerberos
Support for AES encryption type (AES128 and AES256) in Java
GSS/Kerberos is available. This improves interoperability of the Java
SE Kerberos implementation with other Kerberos implementations, such as
Solaris 10 and MIT Kerberos. For details, see Java GSS Security Features.
- Support for RC4-HMAC Encryption Type in Java GSS/Kerberos
Support for RC4-HMAC encryption type in Java GSS/Kerberos is available.
This improves interoperability of the Java SE Kerberos implementation
with other Kerberos implementations, such as Windows, Solaris 10 and
MIT Kerberos. Windows Active Directory supports RC4-HMAC as the
default Kerberos encryption type. For details, see Java GSS Security Features.
- Support for SPNEGO in Java GSS
Support for the SPNEGO mechanism in Java GSS is now available. The Simple
and Protected GSS-API Negotiation (SPNEGO) mechanism is a pseudo
mechanism that enables GSS-API peers to securely negotiate the
common security mechanism to be used.
Support for the SPNEGO authentication scheme in HTTP is also available. For details, see Java GSS Security Features.
- Support for new Pre-Authentication Mechanisms
Java GSS/Kerberos now includes support for the new pre-authentication
mechanisms as described in the latest Kerberos
specification. For details, see Java GSS Security Features.
- Native Platform GSS Integration
This feature allows Java GSS applications to take advantage of features
in the native GSS implementation available on the
platform. For details, see Java GSS Security Features.
- Access to native PKI and cryptographic services on Microsoft Windows
JCE provider which uses the Microsoft CryptoAPI
(CAPI) to offer a variety of RSA cryptographic functions. It acts as a
bridge between Java applications and the services offered by the
default RSA cryptographic service provider available via CAPI. It
provides access to X.509 certificates and RSA key pairs, it performs
RSA encryption and decryption, and it creates and validates RSA
signatures. It also supports a cryptographic random number generator.
- Enhancements to the implementation of PKI Certificate Path Validation
Added support for segmented and indirect CRLs, resulting in improved
performance and improved PKIX compliance (RFC 3280).
- JAAS-based authentication using LDAP
Added a JAAS login module which enables users to perform authentication
using credentials stored in an LDAP directory service. It provides a
drop-in solution for existing JAAS-enabled applications that wish to
support authentication using LDAP. See
LDAPLoginModule for more information.
- Default SSLContext
Added the static method
getDefault() returns the default SSLContext, which is initialized
in an implementation specific fashion, for example using system properties.
allows an application to programmatically set the default context
to any initialized SSLContext object.
the configuration parameters of an SSL endpoint, in particular the ciphersuites, protocol
versions, and for servers the client authentication requirements. They can be applied
with a single call to
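An added example, not code from the original page, that ties together the default SSLContext, the ECC ciphersuites of RFC 4492, the socket read timeout and the single-call parameter application described above: it asks the default context which ECDHE suites this JRE can actually offer (the list is empty without an EC-capable provider such as SunPKCS11 with a suitable token), bundles them with the context's default protocol versions, and applies them to a client socket in one call. The host name is a placeholder argument; the javax.net.ssl.SSLParameters class and the 5-second timeout are my choices, not values taken from the page.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class EcdheTlsClientDemo {
    // Select the non-NULL ECDHE suites (RFC 4492) that the given context supports.
    // Returns an empty array when no EC-capable crypto provider is installed.
    static String[] ecdheSuites(SSLContext ctx) {
        List<String> out = new ArrayList<String>();
        for (String s : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (s.startsWith("TLS_ECDHE_") && !s.contains("_NULL_")) {
                out.add(s);
            }
        }
        return out.toArray(new String[out.size()]);
    }

    // One SSLParameters object carries the ciphersuites and protocol versions
    // (and, for servers, the client-authentication requirement) for an endpoint.
    static SSLParameters ecdheOnly(SSLContext ctx) {
        String[] suites = ecdheSuites(ctx);
        if (suites.length == 0) {
            throw new IllegalStateException("no ECDHE ciphersuites available in this JRE");
        }
        // Keep the context's default protocol list; restrict only the suites.
        return new SSLParameters(suites, ctx.getDefaultSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder target
        SSLContext ctx = SSLContext.getDefault();                 // static getDefault(), new in Java 6
        SSLSocketFactory sf = ctx.getSocketFactory();
        SSLSocket sock = (SSLSocket) sf.createSocket(host, 443);
        sock.setSoTimeout(5000);               // read timeout, honoured by SunJSSE SSLSockets
        sock.setSSLParameters(ecdheOnly(ctx)); // the whole configuration applied in a single call
        sock.startHandshake();
        System.out.println("negotiated " + sock.getSession().getCipherSuite());
        sock.close();
    }
}
```

If the peer offers none of the selected suites, startHandshake() fails with an SSLHandshakeException rather than silently falling back to an RSA-only suite.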