Java SE 7 Security Enhancements

The following topics are covered:

Enhancements in Java SE 7 Update 4

Area: JCE
Synopsis: The Apple provider has been introduced, which implements a java.security.KeyStore that provides access to the Mac OS X Keychain. This is part of RFE JDK-7113349, the JDK port for Mac OS X. See the section The Apple Provider in Java Cryptography Architecture Oracle Providers Documentation

SPARC T4 specific crypto optimizations in the security area

SPARC T4 contains on-chip(native) cryptographic implementations. These implementations can be accessed by Java applications utilizing either SunPKCS11-Solaris provider (available since Java SE 5.0 release) or OracleUcrypto Provider (new in 7u4 release).

The new OracleUcrypto Service Provider accesses the underlying native(T4) crypto library without going through the PKCS11 layer and is configured by default to be the most preferred provider for Solaris OS.

See Java Cryptography Architecture Oracle Providers Documentation.

Enhancements in Java SE 7 Update 2

Area: Java Cryptography Extension
Synopsis: Public key certificates containing Elliptic Curve Cryptography (ECC) keys are parsed correctly by the SunPKCS11 JCE security provider on Solaris 11. See 7054637.

Enhancements in Java SE 7

The Java SE 7 release adds the following features:

In addition, the following enhancements are added:

Area: Security
Standard/Platform: Java SE 7
Synopsis: Security algorithm requirement have been defined for Java SE 7 that provide a list of algorithms that all implementations of Java SE 7 must support. The class summary of applicable classes (ex: java.security.Signature) has been updated to include the implementation requirements. Also, all of the requirements are listed in the Implementation Requirements section of the Standard Algorithms document.
RFE: 5001004

Area: API: JSSE
Standard/Platform: Java SE 7
Synopsis: In previous releases, except for the default algorithm, there was no standard algorithm name for KeyManagerFactory. In the Java SE 7 release, "PKIX" is exported as the standard algorithm name for KeymanagerFactory. The "PKIX" KeyManagerFactory algorithm is defined as:
A factory for X509ExtendedKeyManagers that manages X.509 certificate-based key pairs for the local side authentication according to the rules defined by the IETF PKIX working group in RFC 3280 or its successor. The KeyManagerFactory must support initialization using the class javax.net.ssl.KeyStoreBuilderParameters.
RFE: 7022855

Area: API: JSSE
Standard/Platform: Java SE 7
Synopsis: Support for TLS 1.2 has been added to the SunJSSE provider.
RFE: 6916074

Area: JSSE
Standard/Platform: JDK 7
Synopsis: The TLS renegotiation fix has been implemented. Please see TLS/SSLv3 Renegotiation Vulnerability Explained and Understanding the TLS Renegotiation Attack for more information.

Area: JSSE
Standard/Platform: JDK 7
Synopsis: Support for the Server Name Indication (SNI) extension has been added to the JSSE client in the SunJSSE provider.
RFE: 6985179

Area: SASL
Standard/Platform: JDK 7
Synopsis: NTLM is now supported as a SASL mechanism on both the client and server side. Only the authentication layer is implemented, and there is no privacy or integrations protection in communication.
RFE: 6911951

Area: Security
Standard/Platform: JDK 7
Synopsis: The implementation of PKIX has been enhanced to include an option to reject certificates if the corresponding key is not strong enough, for example MD2 hash functions or any RA key with key size less than 1024.
RFE: 6792180

Area: API: JSSE
Standard/Platform: JDK 7
Synopsis: Support for TLS 1.1 has been added to the SunJSSE provider, and the SSLv2Hello "pseudo protocol" is no longer active by default in the SunJSSE provider.
RFE: 4873177

Area: JGSS
Standard/Platform: JDK 7
Synopsis: Java now reads a keytab file whenever that keytab file changes. The file can be empty or nonexistent when the application that uses the file is started.

Area: JGSS
Standard/Platform: JDK 7
Synopsis: A default configuration file is now provided for JGSS with default krb5.conf settings for Windows and *nix systems. This makes deploying a JGSS/krb5 program very easy, especially for deploying Java applets.
RFE: 6483218, 6785456, 6552334

Area: JCE
Standard/Platform: JDK 7
Synopsis: SunPKCS11 provider now supports Raw RSA encryption, for example, Cipher.getInstance("RSA/ECB/NoPadding") calls, when the underlying PKCS11 library supports CKM-RSA_X_509 mechanism. In addition, SunPKCS11 provider recognizes "RSA" as an alias for the "RSA/ECB/PKCS1Padding" transformation when requesting a Cipher object.
RFE: 6994008

Area: JCE
Standard/Platform: JDK 7
Synopsis: The SunPKCS11 provider now supports ECB, CBC modes with PKCS5Padding for certain block ciphers. To be more specific, it supports the following transformations for Cipher.getInstance(...) calls when the corresponding PKCS11 mechanism is supported by the underlying PKCS11 library:
DES, DESede, AES, and Blowfish with CBC mode and PKCS5Padding
DES, DESede, AES with ECB mode and PKCS5Padding
DES, DESede, AES with ECB mode and NoPadding

RFE: 4898461

Area: JCE
Standard/Platform: JDK 7
Synopsis: The SunPKCS11 provider now supports AES encryption with Counter mode (CTR), (for example, Cipher.getInstance("AES/CTR/NoPadding") calls) when the underlying PKCS11 library supports CKM_AES_CTR mechanism.
RFE: 6604496

Area: JCE
Standard/Platform: JDK 7
Synopsis: Given that the relevant Solaris bug (i.e. 6306708 "CKM_SSL3_KEY_AND_MAC_DERIVE returns incorrect cipher keys for exportable ciphersuites") has been addressed in the Solaris 10 update 5 release, the SunPKCS11 provider no longer disables the following two mechanisms by default:
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE

RFE: 7036252


Copyright © 1993, 2014, Oracle and/or its affiliates. All rights reserved.