• Oracle Technology Network
• Software Downloads
• Documentation

Search

Feature Enhancements added to Java

Security Contents

This page describes and lists security features and enhancementsadded to Java by major version number, from v1.4 through v6.

NOTE: The APIs and features described in this documentare subject to change.

Java Generic Security Services (Java GSS) and KerberosEnhancements for Java SE 6

The following enhancements were added to the Java GSS/Kerberosimplementation in Java SE 6.

• Support for AES encryption type
  
  Java SE 5.0 supports DES and Triple DES encryption type, withfollowing aliases:
  
  des-cbc-md5
des-cbc-crc
des3-cbc-sha1

Starting from Java SE 6, support for AES encryptiontype (AES128 and AES256) in Java GSS/Kerberos is available. Thisimproves interoperability of the Java SE Kerberos implementationwith other Kerberos implementations, such as Solaris 10 and MITKerberos.
  
  AES encryption type is specified in the Kerberos configuration fileunder thelibdefaults section. It is specified asfollows, with following tags:default_tkt_enctypes,default_tgs_enctypes, permitted_enctypes.
  
  (AES128 encryption type)
  
  aes128-cts
aes128-cts-hmac-sha1-96

(AES256 encryption type)
  
  aes256-cts
aes256-cts-hmac-sha1-96

NOTE: The JCE framework within JDK includes anability to enforce restrictions regarding the cryptographicalgorithms and maximum cryptographic strengths available toapplications. Such restrictions are specified in "jurisdictionpolicy files". The jurisdiction policy files bundled in Java SElimits the maximum key length. Hence, in order to use AES256encryption type, you will need to install the JCE crypto policywith the unlimited version to allow AES with 256-bit key.
  
  For example, thelibdefaults section in theconfiguration file might include the following.
  
  default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5des-cbc-crc

default_tkt_enctypes is used to specifythe encryption types to use for the session key in theticket-granting-ticket. It is used by the client to restrict theencryption types of session keys that will be used to communicatewith the KDC. The default value isdes-cbc-md5 des-cbc-crcdes3-cbc-sha1 aes128-cts .
  
  default_tgs_enctypes is used to specify the encryptiontypes to use for the session key in service tickets. It is used bythe client to restrict the encryption types of session keys thatare shared by the client and server. The default value isdes-cbc-md5 des-cbc-crc des3-cbc-sha1aes128-cts.
  
  permitted_enctypes is used to specify the encryptiontypes permitted to be used by a service. It is used by the serverto restrict the encryption types of session keys that it willaccept. The default value isdes-cbc-md5 des-cbc-crcdes3-cbc-sha1 aes128-cts.
• Support for RC4-HMAC encryption type
  
  Java SE 5.0 already supports DES and Triple DES encryption type, withfollowing aliases:
  des-cbc-md5
des-cbc-crc
des3-cbc-sha1

Starting from Java SE 6, support for RC4-HMACencryption type in Java GSS/Kerberos is available. This improvesinteroperability of the Java SE Kerberos implementation with otherKerberos implementations, such as Windows, Solaris 10 and MITKerberos. Windows Active Directoiory supports RC4-HMAC as thedefault Kerberos encryption type.
  
  RC4-HMAC encryption type is specified in the Kerberos configurationfile under thelibdefaults section. It is specified asfollows, with following tags:default_tkt_enctypes,default_tgs_enctypes, permitted_enctypes.

rc4-hmac
arcfour-hmac
arcfour-hmac-md5

For example, the libdefaults section in theconfiguration file might include the following.
  
  default_tkt_enctypes = aes128-cts des3-cbc-sha1 rc4-hmacdes-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts des3-cbc-sha1 rc4-hmacdes-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-md5des-cbc-crc

default_tkt_enctypes is used to specifythe encryption types to use for the session key in theticket-granting-ticket. It is used by the client to restrict theencryption types of session keys that will be used to communicatewith the KDC. The default value isdes-cbc-md5 des-cbc-crcrc4-hmac des3-cbc-sha1 aes128-cts

default_tgs_enctypes is used to specify the encryptiontypes to use for the session key in service tickets. It is used bythe client to restrict the encryption types of session keys thatare shared by the client and server. The default value isdes-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1aes128-cts.
  
  permitted_enctypes is used to specify the encryptiontypes permitted to be used by a service. It is used by the serverto restrict the encryption types of session keys that it willaccept. The default value isdes-cbc-md5 des-cbc-crc rc4-hmacdes3-cbc-sha1 aes128-cts.
  
  
• Support for SPNEGO in Java GSS
  
  Java SE now supports SPNEGO mechanism in Java GSS.
  
  Java GSS is a framework that can support multiple securitymechanisms; however GSS-API does not prescribe the method by whichGSS-API peers can establish whether they have a common securitymechanism. The Simple and Protected GSS-API Negotiation (SPNEGO)mechanism is a pseudo security mechanism that enables GSS-API peersto securely negotiate a common security mechanism to be used. TheSPNEGO protocol is used to negotiate which security mechanismshould be adopted.
  
  Currently Java GSS applications specify a unique object identifier(OID) to select the underlying security mechanism. For e.g. JavaGSS applications specify Kerberos mechanismOID"1.2.840.113554.1.2.2 to use Kerberos mechanism.OidmechOid = new Oid("1.2.840.113554.1.2.2");
  
  To select SPNEGO security mechanism, Java GSS applications wouldneed to specify the SPNEGO mechanismOID"1.3.6.1.5.5.2".Oid mechOid = newOid("1.3.6.1.5.5.2);
  
  Support for SPNEGO improves interoperability with Microsoftproducts. SPNEGO protocol is heavily used to interoperate withMicrosoft server over HTTP, to support HTTP-Based Cross-PlatformAuthentication via the Negotiate Protocol. Java SE now supportsSPNEGO authentication scheme in HTTP as well. Please check list ofnew networking features for Java SE 6.
  
  
• Support for new Pre-Authentication mechanisms
  
  Java SE now includes support for the new pre-authenticationmechanisms.
  
  Kerberos is a protocol for verifying the identity of principals.The Kerberos protocol provides a mechanism calledpre-authentication for proving the identity of a principal and forbetter protecting the long-term secret of the principal.
  
  Kerberos specification defines a framework for Kerberospre-authentication mechanisms. Lastest Kerberos specificationdefines new pre-authentication mechanisms to notify the clientwhich key to use, salt updates, and other additional parameters.The new pre-authentication mechanisms indicate a requirement foradditional pre-authentication.
  
  With the support of new pre-authentication mechanisms, JavaGSS/Kerberos client can now handle the salt value updates whenrequired.
  
  
• Native platform GSS integration
  

  This feature allows Java applications to take advantage offeatures in native GSS implementation available on the platform. Toenable Java GSS to delegate to the native GSS library and its listof native mechanisms, set the system property"sun.security.jgss.native" to true. When enabled, Java GSS wouldlook for native GSS library using the operating system specificname, e.g. Solaris: libgss.so vs Linux: libgssapi.so. If thedesired GSS library has a different name or is not located under adirectory for system libraries, then its full path should bespecified using the system property "sun.security.jgss.lib".

  For Java SE 6, the native GSS support is limited to Solaris andLinux. Setting these system properties on platforms which nativeGSS integration is not supported will be ignored.

  Unlike the default Java GSS implementation which relies on JAASKerberosLoginModule for initial credential acquisition, when usingnative GSS, the initial credential should be acquired beforehand,e.g. kinit, prior to calling JGSS APIs.

  In addition, when performing operations as a particular Subject,e.g. Subject.doAs(...) or Subject.doAsPrivileged(...), theto-be-used GSSCredential should be added to Subject's privatecredential set. Otherwise, the GSS operations will fail since nocredential is found.
  

• JAAS Login Entry Names Changes
  
  The JAAS login entry names for both SunJSSE and JGSS are unified,and can be specified separately for different mechanisms. ForKerberos 5, the names are

  com.sun.security.jgss.krb5.initiatecom.sun.security.jgss.krb5.accept

Java Generic Security Services (Java GSS) and KerberosEnhancements for Java SE 5.0

The following enhancements were added to the Java GSS/Kerberosimplementation in Java SE 5.0.

• Support for Triple DES encryption type.
  Prior to Java SE 5.0, only the DES encryption type was supported. Java SE5.0 supports both DES and Triple DES encryption type. This improvesinteroperability of the Java SE Kerberos implementation with otherKerberos implementations, such as Solaris 10 and MIT Kerberos.

  Triple DES encryption type is specified in the Kerberosconfiguration file under the "libdefaults" section. It isspecified as "des3-cbc-sha1" with following tags:default_tkt_enctypes,default_tgs_enctypes,permitted_enctypes. "dec3-cbc-sha1" has thefollowing aliases:

  des3-hmac-sha1des3-cbc-sha1-kddes3-cbc-hmac-sha1-kd

  For example, the libdefaults section in the configuration filemight include the following.

  default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crcdefault_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crcpermitted_enctypes   = des3-cbc-sha1 des-cbc-md5 des-cbc-crc

  default_tkt_enctypes is used to specify the encryptiontypes to use for the session key in the ticket-granting-ticket. Itis used by the client to restrict the encryption types of sessionkeys that will be used to communicate with the KDC. The defaultvalue is "des-cbc-md5 des-cbc-crc des3-cbc-sha1"

  default_tgs_enctypes is used to specify the encryptiontypes to use for the session key in service tickets. It is used bythe client to restrict the encryption types of session keys thatare shared by the client and server. The default value is"des-cbc-md5 des-cbc-crc des3-cbc-sha1".

  permitted_enctypes is used to specify the encryptiontypes permitted to be used by a service. It is used by the serverto restrict the encryption types of session keys that it willaccept. The default value is "des-cbc-md5 des-cbc-crcdes3-cbc-sha1".

• TCP vs. UDP Preference Configuration
  Java SE now supports the use of the "udp_preference_limit"property in the Kerberos configuration file (krb5.conf).

  When sending a message to the KDC, the Java SE Kerberos librarywill use TCP if the size of the message is aboveudp_preference_list. If the message is smaller thanudp_preference_list, then UDP will be tried at most threetimes. If the KDC indicates that the request is too big, the JavaSE Kerberos library will use TCP.

• IPv6 Support in Kerberos
  Java SE now supports IPv6 addresses in Kerberos tickets. Prior toJava SE 5, only IPv4 addresses were supported in tickets.
• TGT Renewals
  TheJavaAuthentication and Authorizaton Server (JAAS) Kerberos loginmodule in JDK 5.0,Krb5LoginModule, now supports Ticket Granting Ticket(TGT) renewal. This allows long-running services to renew their TGTautomatically without user interaction or requiring the services torestart.

  With this feature, ifKrb5LoginModule obtains anexpired ticket from the ticket cache, the TGT will be automaticallyrenewed and be added to Subject of the caller who requested theticket. If the ticket cannot be renewed for any reason, thenKrb5LoginModule will use its configured callback handlerto retrieve a username and password to acquire a new TGT.

  To use this feature, configureKrb5LoginModule to usethe ticket cache and set the newly introducedrenewTGToption totrue. Here is an example of a JAAS loginconfiguration file that requests TGT renewal.

  server {  com.sun.security.auth.module.Krb5LoginModule required        principal=principal@your_realm        useTicketCache=true        renewTGT=true;};

  Note that ifrenewTGT is set to true, thenuseTicketCache must also be set to true; otherwise, itresults in a configuration error.
• Login Entry Names for SunJSSE
  In JDK 5.0, the SunJSSE provider has added support for the Kerberoscipher suites, as described inRFC 2712 and the sectionKerberos Requirements in the JSSEReference Guide. The following JAAS loginconfiguration index names are reserved for this feature.

  com.sun.net.ssl.servercom.sun.net.ssl.client

  When a JSSE application uses the Kerberos cipher suites withoutexplicit JAAS program, the SunJSSE provider will use these indexnames to find and configure the JAAS login module to acquire thenecessary Kerberos credentials. For example, such an applicationmight have the following JAAS configuration file.

   com.sun.net.ssl.server {  com.sun.security.auth.module.Krb5LoginModule required        principal=service_principal@your_realm        useKeyTab=true        keyTab=keytab_name        storeKey=true;};

  If the entry is not found, the default "other" index name will beused. The service name for TLS is "host". For example, a TLSservice running on a machine named "raven.example.com" in the realmnamed "KRBNT-OPERATIONS.EXAMPLE.COM" would have the serviceprincipal name

  host/raven.example.com@KRBNT-OPERATIONS.EXAMPLE.COM

  There are no restrictions on the TLS client; it may use any validKerberos principal name.

  When a JSSE application uses the Kerberos cipher suites withexplicit JAAS program, it can use any index name, including theones listed above.

New Features in Java GSS for Java 2 SDK, Standard Edition, v1.4.2

• Configurable Kerberos Settings
  The Kerberos Key Distribution Center (KDC) name and realm settingsare provided in the Kerberos configuration file or via the systempropertiesjava.security.krb5.kdc andjava.security.krb5.realm. In previous releases,changes to the Kerberos configuration values would only take effectwhen an application was restarted.

  In the 1.4.2 release of the Java platform, a new boolean optionrefreshKrb5Config can be specified in the entry forKrb5LoginModule in the JAAS configuration file. Ifthis option is set totrue, the configuration valueswill be refreshed before thelogin method of theKrb5LoginModule is called.

• Support for Slave Kerberos Key Distribution Center
  Kerberos allows the use of slave KDCs so that if the master KDC isunavailable, the slave KDCs will respond to user requests. Inearlier releases of the Java SE, Sun's implementation of Kerberostried only the master KDC and would give up if there was noresponse within the default KDC timeout specified in the Kerberosconfiguration file, or 30 seconds if no timeout had been specified.

  With this 1.4.2 release, Sun's implementation of Kerberos willretry with the slave KDC(s), if they are specified. The slave KDCscan be specified in the Kerberos configuration file or via a listof KDCs separated by a colon (:) in the systempropertyjava.security.krb5.kdc.

• Support TCP for Kerberos Key Distribution CenterTransport
  Sun's implementation of Kerberos implements Kerberos version 5according toRFC1510 and uses UDP transport for ticket requests. A new Internetdraft updates this RFC. One of the added features is requiredsupport for TCP as a transport in addition to UDP. As a result, incases where Kerberos tickets exceed the UDP packet size limit, theKDC would return an error code indicating that the request shouldbe resent over TCP.

  In the current 1.4.2 release, Sun's implementation of Kerberosnow supports automatic fallback to TCP. Therefore, if the Kerberosticket request using UDP fails and the KDC returns the error codeKRB_ERR_RESPONSE_TOO_BIG, TCP is automatically thedefault transport.

• Kerberos Service Ticket in the Subject's PrivateCredentials
  The Kerberos service ticket is now stored in the Subject's privatecredentials. This change allows application developers access tothe service ticket so that it can be used outside the JGSS (forexample, in native applications or for proprietary uses). Inaddition, the service ticket can now be reused if the applicationtries to establish a security context to the same service again.The service ticket should be valid for it to be reusable.

  Previously, when using Java Generic Security Services (JGSS)over Kerberos V5, if theuseSubjectCredsOnly property was set to true,the Ticket Granting Ticket (TGT) was retrieved from the Subject andused to establish a GSS Security context. The service ticketobtained was not stored in the Subject. Now the service ticket isalso stored in the Subject ifuseSubjectCredsOnly istrue.

  If a client application searches through the Subject's privatecredentials, in previous releases it would find only the TGT. As ofthis release, it also will find any Service ticket(s) obtained.

  The bug report associated with this change is 4688866.