Java 17 to 21: A Showcase of JDK Security Enhancements
Summary
TLDR本次演讲由Oracle的Java团队开发者倡导者Anna主讲,她分享了Java安全领域的最新进展。Anna首先介绍了Java安全组件,包括语言、加密、公钥基础设施、安全服务API等,并强调了Java平台持续改进的重要性。她详细讲解了从JDK 17到JDK 21的安全变化,包括对弱算法的限制、新的加密算法的引入、API的改进以及对量子计算机攻击的防护措施。Anna还提到了Java安全配置文件的更新,以及如何通过这些变化来提高应用程序的安全性。最后,她鼓励开发者关注Java安全相关的资源,并参与到Java社区的贡献中。
Takeaways
- 🔒 Java 安全性不断进化,以应对算法弱化和潜在的量子计算机威胁。
- 🌟 JDK 17 引入了新的安全特性,包括对安全算法的增强和对弱算法的限制。
- 🔐 安全管理器(Security Manager)在 JDK 17 中被弃用,但仍然支持,直到 JDK 18。
- 🛡️ JDK 18 禁用了 SHA-1 和某些 TLS 算法,以提高安全性。
- 🔑 JDK 20 和 21 提供了更大的密钥尺寸,默认情况下增强了加密算法的安全性。
- 🌐 引入了后量子密码学算法,如 SSS-LMS 和 XMSS,以抵抗量子计算机攻击。
- 🔄 JDK 21 引入了新的密钥封装机制 API(CEM),提高了对称密钥加密的效率。
- 📝 Java 安全配置文件(java.security 文件)允许开发者自定义安全属性。
- 🔄 JDK 11 和 17 也支持某些 JDK 21 的安全特性,这些特性被回退(backported)。
- 🔍 Java 安全工具(如 keytool 和 jarsigner)提供了新的功能和警告,以帮助开发者更好地管理密钥和证书。
- 📖 Java 安全指南和路线图提供了关于 JDK 安全性变化的详细信息和测试指南。
Q & A
在Java团队中,Anna的主要职责是什么?
-Anna在Java团队中担任开发者倡导者,她喜欢使用Java进行编程,并且也热衷于与Kubernetes一起工作。
Java安全组件包括哪些部分?
-Java安全组件包括语言层面的安全特性、加密组件(JCA)、公钥基础设施(PKI)、安全服务API(GSS-API)、传输层安全性(TLS/DTLS)以及各种安全工具。
为什么开发者需要关注JDK的安全更新?
-开发者关注JDK安全更新是因为随着时间的推移,我们使用的算法可能会变弱并被更容易地利用。JDK的持续改进使得开发者能够构建更安全的应用程序。
JDK 17之后,有哪些安全相关的变更?
-JDK 17之后,有多项安全相关的变更,包括对加密算法的增强、TLS和DTLS的改进、安全管理器的废弃等。
什么是SSS-LMS签名系统?
-SSS-LMS(Lattice-based Multi-signature Scheme)是一种基于哈希的签名方案,它是量子抗性的签名算法之一,已经在OpenJDK中实现。
为什么SHA-1在Java 18中被禁用?
-SHA-1在Java 18中被禁用是因为NIST在2011年宣布了SHA-1的退役计划,并建议到2030年逐步淘汰其在数字签名中的使用。
在Java 11和Java 17中,有哪些安全相关的API改进?
-Java 11和Java 17中,安全相关的API改进包括对TLS和DTLS签名方案的自定义API、新的系统属性用于启用或禁用XML签名处理模式等。
如何获取JDK安全配置文件的更多信息?
-可以通过访问dev.java.net、inside.java以及YouTube上的Java频道来获取JDK安全配置文件的更多信息。
开发者如何为Java社区做出贡献?
-开发者可以通过撰写文章并提交到dev.java.net的仓库来为Java社区做出贡献,这些文章可以是关于Java的高级概念,也可以是基础概念。
在JDK 21中,如何使用新的密钥封装机制API(CEM)?
-在JDK 21中,新的密钥封装机制API(CEM)允许发送方使用接收方的公钥创建一个包含随机对称密钥的密文,并发送给接收方。接收方使用私钥解密这个密文以获取共享密钥。
Outlines
📅 安全讲座介绍
本次安全讲座由Anna主持,她是Oracle Java团队的开发者倡导者。Anna介绍了自己对Java编程和Kubernetes的热爱,以及她在过去的工作中对安全性的重视。她强调了Java平台不断改进的重要性,以确保应用程序的安全性。Anna还提到了Java安全组件,包括语言、加密、PKI、GSS API、TLS/DTLS和签名JAR文件等。
🔐 Java安全组件详解
Anna详细介绍了Java安全组件,包括Java加密架构(JCA)、公钥基础设施(PKI)、通用安全服务应用程序接口(GSSAPI)和传输层安全性(TLS/DTLS)。她还提到了Java安全工具,如密钥和证书管理工具(keytool)和JAR签名工具(jarsigner)。Anna强调了Java安全不仅仅是API,还包括运行时和工具。
🔒 加密算法的演进
Anna讨论了随着时间的推移,算法可能会变得脆弱并被利用。她提到了Java开发工具包(JDK)如何通过引入新的加密算法来增强安全性,例如在JDK 20和21中引入了更大的密钥尺寸。她还提到了量子计算机对现有数字签名方案的潜在威胁,以及IT行业如何致力于创建抗量子计算的加密算法。
🚫 限制和禁用弱算法
Anna解释了Java安全团队如何限制和禁用一些已知的弱算法,以保护用户免受潜在的安全威胁。她提到了SHA-1的禁用,以及在JDK 9中移除弱TLS算法的措施。Anna还提到了如何通过Java安全配置文件来设置限制规则,以及如何通过API来禁用这些弱算法。
🛠️ API改进和安全管理器的弃用
Anna讨论了JDK中API的改进,特别是与安全相关的API。她提到了安全管理器(Security Manager)在JDK 17中的弃用,并解释了如何通过临时启用来适应这一变化。Anna还介绍了新的API,如用于获取密钥存储属性的API,以及用于自定义TLS和DTLS连接的签名方案的API。
🔑 对称密钥的新加密技术
Anna介绍了JDK 21中引入的新密钥封装机制API(CAME),这是一种使用公钥加密来安全传输对称密钥的方法。她解释了CAME的工作原理,以及如何使用它来提高数据传输的效率。Anna还提到了XML签名API的改进,以及新的系统属性,用于启用或禁用XML签名处理模式。
💻 操作系统特定的安全特性
Anna讨论了JDK如何适应不同操作系统的安全特性。她提到了Windows和Mac OS中对密钥存储的改进,以及如何通过JDK提供的工具来管理这些安全特性。Anna还提到了JDK证书文件(keytool)的更新,以及如何使用这些工具来提高安全性。
🔍 监控和社区贡献
Anna强调了监控Java应用程序安全属性的重要性,并介绍了如何使用JDK飞行记录器(Flight Recorder)来跟踪这些属性的变化。她还提到了Java社区的贡献,鼓励开发者分享他们的知识和经验。Anna提供了一些资源链接,以便开发者可以了解更多关于Java安全的信息。
Mindmap
Keywords
💡Java安全
💡JDK版本
💡加密算法
💡量子计算机
💡安全配置文件
💡API改进
💡密钥封装机制
💡安全事件
💡安全工具
💡安全社区贡献
Highlights
Anna, a developer advocate at Oracle, discusses Java security enhancements from JDK 17 to 21.
Java security is crucial for building secure software and keeping end users happy.
Java platform continuously improves to allow developers to build secure applications.
JDK releases introduce new features every 6 months, including security enhancements.
The Security Manager was deprecated for removal in JDK 17 due to its brittle permission model and poor performance.
JDK 20 and 21 introduced larger key sizes for stronger encryption by default.
Post-quantum cryptographic algorithms like SSS-LMS and XMS are being incorporated into Java security components.
Java security components include language features, cryptography, PKI, GSS API, TLS, and various tools.
JDK security configuration files allow developers to customize security properties and restrictions.
Weak algorithms like SHA-1 and weak TLS algorithms have been restricted or disabled in recent JDK releases.
New APIs for key encapsulation mechanism (KEM) and XML signatures have been introduced in JDK 21.
JDK security roadmap provides advanced notice of changes, allowing developers to test and prepare for updates.
Some JDK security changes are backported to earlier versions like JDK 8, 11, and 17.
Java security tools like keytool and jarsigner have been improved for better security practices.
Developers can contribute to the Java community by sharing their knowledge on dev.java.net.
Java security resources include the Java security guide, Java security standard algorithm names, and Java security roadmap.
Transcripts
[Music]
thank you everyone for joining a
security talk at 400
p.m. it's a little late in the afternoon
for some security topics um however I'm
grateful that you're here hope you will
enjoy this presentation until the end
that you will learn some useful things
that you can take in your daily
job and I'm looking forward to your
questions um at the end of the
presentation first of all I'm Anna
currently working as a developer
advocate in the Java team at Oracle I
enjoy programming with Java probably
like many of you since you are in this
room today and of course I enjoy working
with kubernetes as well now apart from
these two passions um I also like
security um in my past roles I like
security because I had to because it's
great to build secure software you have
your end users happy when they can
safely use their
applications uh so kind of security like
for many of you is embedded in the
practices that I have when I
code now when we talk about Java we I
hope that all of us in this room are
familiar with the new release Cadence or
you get to see many features delivered
every 6 months that you can try uh that
you can give uh um a feedback on and
these features are from multiple areas
many of them on language others on
performance and someone security yet
while these features get like Prime Time
your daily life can be impacted by those
many many enhancements that are not
necessarily formulated in a Jeep and
this presentation will show some of
those significant changes from 17 to 21
so if I am to ask you and because this
is a big room I cannot see all of you
but if I to ask you the question in the
slide can you shout at
me what do you think changed a change
that happened after jdk
17 with the security and jdk
anything just shout
it
records records that's a language
feature
security manager Bingo that's a very
good one the application for removal
we're going to talk a bit about it
anything else crypto
crypto that's a broad area we're going
to talk about it too anything
else
what I didn't understand you can you
please shout it h there TS TLS yes TLS
enhancements yes all great
answers and many more because we have 50
minutes for this presentation so I had
to fill it with something but the reason
why we care so much about jdk security
as developers is because over time the
algorithms that we are that we're using
in our applications weaken and can be
exploited more easily and it happens
that a GDK release take for example GDK
8 can Outlast the lifetime when these
algorithms are viable I mean jdk8
there's still many applications running
on those so what happens is that the
Java platform the jdk gets continuously
improved so that you can build secure
applications You're Building modern
applications but still they have to be
secured you're choosing Java to evolve
your applications because you know it's
secure that's one of the main things
that comes to your mind besides the
beautiful language there are many
beautiful languages that you can utilize
but you're also choosing them because
choosing Java because of security and of
course it's good to say to the business
Java is
secure so throughout time I've seen that
well people can think of java
security um as was some broad term so
what is Java security well Java security
has many components and since I'm going
to reference them in the presentation I
just want you to have a picture in your
head when I'm talking about them so here
they are the Java security components
are in the slide and of course they
start somebody said records of course it
starts with the
language um well but in the case of
security itself that is in the jdk the
higher level abstractions like you can
see here in the slide they are built on
top of lower layer Concepts so this is
why it's this like a brick wall
diagram and of course at the bottom the
Java language anguage is designed to be
type safe and easy to use so it has many
features that you probably use in your
application but the foundation of java
security well is based on
cryptography so the cryptography
component the Java cryptography
architecture
jca um or JC the Java cryptography
extension enables you to encrypt and
decrypt data in Java manage Keys sign
and authenticate message
and much more now we have also pki that
contains apis and implementations for
validating and building certification
paths or certification chains for only
many of your applications use
certificates and of course a way to
store those keys and
certificates next we go with how the
programs can access Security Services
via this lovely acronym which I'm not
going to read from the slide because I'm
terrible reading that acronym but we can
talk afterwards what it means it stands
for generic Security Service application
program interface that's why GSS upy and
the jdk contains such a GSS up
implementation of curve Ross now the
transport layer security which was
mentioned
earlier that
component is containing apis for TLS and
dtls and of course we're signing jars so
sign jars allow you to apply digital
signatures to the jar files in order to
ensure that you're sharing those with
some data integ the data you have in
those is shared with data integrity and
authenticity now the next components
they're
together because there are a series of
Frameworks and apis that are meant for
authentication and
authorization and of course probably
some of you have worked with XML
signatures which are a component uh well
this component that contains an API
implementation for generating and
validating XML
signatures but Java security is more
than just apis built on top on the
runtime it's also tools because
sometimes you need tools in your tool
chains to maybe I don't know validate
your certificates or and of course if
the jdk comes with them why not use them
since they're there so you get a small
set of tools that can help you set
security
policies probably many of you have
utilized in this lifetime key tool at
least
experimentally it's for managing key
stores keys and certificates of course
we have jar signer the one that we
talked a little bit earlier for sign
jars that helps of course signing those
jars and the last tab are actually the
tools for working with
kbros um but since Kos is not so touched
uh I'll leave them in peace for the
moment so hope you're feeling happy to
explore what happened with jdk
security and we're going to start with
the happy Parts modern cryptographic
algorithms now I started this
presentation telling you that over time
most or all algorithms weaken so they
can be exploited more easily now if you
get strong args you can continuously um
benefit of a stronger foundation for
your
application larger key sizes have been
delivered in jdk um 20 and 21 so you can
benefit of larger key sizes by default
like in case that when you're relying
for on the defaults and you're just
instantiating something um instantiating
a key without specifying the size
although that many examples over the
internet can have the size but if you
forget about that you don't need to
worry because the GDK can build that
securely at its best for you so you can
have here a table of what changed over
time this is good because this change
protects your data and communication by
using mathematical techniques that
ensure confidentiality integrity and
authenticity
better yet the tides of security threats
increase with the advancement of
technology and if you were the Kino this
morning
you probably saw the very nice keynote
about AI how AI can help us but those
were the good parts Ai and of course
computers that have large powerful cap
and large powerful
capabilities well they can be
instrumented for the wrong as well so if
large scale quantum computers are ever
built just this is a
hypothesis all widely used digital
signature schemes like
DSA RSA ecdsa and so on have the
potential to be broken that's because
the power of computation increased so
the IT industry has worked towards the
goal of creating postquantum
cryptographic algorithms that are
designed to be safe against such
powerful capabilities to
compute so as these postquantum
cryptographic algorithms progress and
mature of course they become standards
and are gradually Incorporated with the
Java security
components so we got the first post
Quantum cryptographic algorithms in open
jdk and you have here the explanation on
the slide so that you would know what it
stands for when you read
SSS
LMS so the lat Malla signature system is
one of the um one of these algorithms
and is the stateful health uh is a
stateful hash based algorith it's all
based on the hash based signature scheme
HPS that's what it's coming from the
hierarchical signature system is the
multi- three variant of the previous one
that's why it's SSS
LMS and most importantly it's one of the
two Quantum resistant signature
algorithms that have been standardized
there is another one it's called
XMS uh s it's similar but it's last
popular so the popular variant was
chosen um for the use case of such an
algorithm uh well it's used for software
and or firware
signing um and requires for the key and
signature generation to be performed in
Hardware cryptographic modules so that
they because those they do not allow
secret keying material to be exported
even in encrypted form that's why it
makes it quantum resistant it's hard to
export that from the
hardware so if we take a step back what
was done in the jdk right if um the um
signature generation happens on Hardware
what's happening in the jdk so when in
the jdk side the signature verification
implementation was
done so while the generation happens on
Hardware you can verify that signature
in the
jdk um and of course
you can have here in the slides the
explanations on why these this algorithm
is very great another thing that I need
to tell you is that this belief that the
security of LMS because it depends on
the security of the underlying hash
functions well it is believed that this
security is will never be broken by the
development of large scale computer
quantum computers hence why it's so
loved and
adopted now how does that look in your
code so how how do you verify a
signature with this new algorithm a
little bit of code in the slide just to
show you how it looks like you can use a
key Factory implementation available
from a provider now in this case if
you're running it with open jdk
distribution it probably will choose the
sound provider because that's the first
one that it finds it matches it and that
one will read an SSS LMS public key from
a stem a serialized
format so that's Reading part and of
course you need to verify the validity
and probably you've wrote this kind of
code sometimes to verify the validity of
a signature that uses SSS slms so the
thing that changed of course is the
algorithm being supported something
that's coming in 22 Key tool can also
operate with this one as well right now
it's available at the API level but in
22 jk22 it will have ke tool will have
that as a feature too so this one was
was one of the Breakthrough changes of
21
but besides the modern cryptographic
algorithms bringing new on the jdk
restricts the algorithms that are
weakened however there are multiple ways
to limit the usage of vulnerable
algorithms either the jav Java limits or
disables them to ensure that you are
running on a robust environment for your
not only for your own development but
also for your end users so what was
restricted some people probably saw that
kind of message when they tried to
validate a jar that was signed with
shaan and that it was having its
signature uh generated before 2019 1 of
January in 2019 so that's get a you get
a warning on that what's the story
behind it why Shawan jars were disabled
by default in Java 18 as the slide says
well it happens that in
2011 the National Institutes of
standards and Technology nist formally
dicated shaan usage and kind of told the
people well you know by
2030 you should kind of phased out the
usage from digital signatures that news
came two years later in
2013 so in consequence shaan was
disabled in TLS server certificates and
XML signatures was not just here now in
order to make sure that people are not
using this any
further jdk security team thought it
would be better if your
chars if you try to sign your chars with
this algorithm well to get the warning
that well um it's not good for you so
there's a a way to maintain uh backwards
compatibility of course for some of the
JS so if your jar was time stamped prior
to
20190101 We Shall one you get kind of
get away with it but uh if you have like
a very strict security team they can
alter a little bit the security rules
for you and they can impediment it so
I've seen cases when people went even
stricter given the threat of Shawan
usage so they restricted their security
properties even more we're going to talk
about that in a little
while so this was
one um another one delivered a lot
actually more delivery in 19 and 20
we're disabling weak TLS algorithms so
somebody mentioned TLS yes there were
enhancements but also disabled things
were disabled with the
TLs so in order to make it harder to use
week 3 3D Cipher suits they have been
removed from uh the TLs Cipher suits in
jk9 next 3s and arc4 they're also not
very safe um and because they were not
very safe also their Amon thls
ecdh ecdh Cipher suit also was disabled
because it doesn't preserve forward
secrecy and also it was rarely used in
practice sometimes these algorithms
they're not just insecure but they also
used in practice so disabling them is
not that difficult and well tls1.0 T and
TLS 1.1 they were disabled from April
2021 but as of J K2 dtls 1.0 is also
disabled because applications by the way
should use dtls 1.2 protocol which is
more secure and supported by the jdk but
in case that you have
issues yes you can also enable the one
that has been disabled you can reenable
it in the Java security configuration
file but that's something that you do at
your own risk so there's always a way to
alter the Java security file
but that's at your own risk when the um
of course the guidance says
different another thing that
came in the disabled algorithms area
restriction rules so how does these
rules are being put in application how