Sean Mullan's Blog: Mustang Beta is out! Here's what is new in Security

My pages	Projects	Communities	java.net

Get Involved

java-net Project

Request a Project

Project Help Wanted Ads

Publicize your Project

Get Informed

java.net Online Books

java.net Archives

Get Connected

java.net Forums

Wiki and Javapedia

People, Partners, and Jobs

Java User Groups

RSS Feeds

Search

Online Books:

Advanced Search

Sean Mullan's Blog

«More XML Signature debugging tips | Main | Java SE Security Sessions at JavaOne »

Mustang Beta is out! Here's what is new in Security

Posted by mullan on February 15, 2006 at 08:19 AM | Comments (13)

Mustang Beta (JDK 6) was released today and contains many new security features:

JSR 105, the Java XML Digital Signature API and implementation.
Native Platform GSS/Kerberos Integration. This feature allows Java GSS applications to take advantage of features in the native GSS/Kerberos implementation available on the platform.
Support for Smart Card I/O API. The Sun JDK bundles the Smart Card I/O API defined by JSR 268. It also includes a provider that implements Smart Card I/O using the PC/SC functionality of the host platform. This gives Java applications a platform independent way to communicate with Smart Cards using ISO 7816 APDUs.
Access to native PKI and cryptographic services on Microsoft Windows. Added the SunMSCAPI JCE provider which uses the Microsoft CryptoAPI (CAPI) to offer a variety of RSA cryptographic functions. It acts as a bridge between Java applications and the services offered by the default RSA cryptographic service provider available via CAPI. It provides access to X.509 certificates and RSA key pairs, it performs RSA encryption and decryption, and it creates and validates RSA signatures. It also supports a cryptographic random number generator.
Support for SPNEGO in Java GSS. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is a pseudo security mechanism that enables GSS-API peers to securely negotiate a common security mechanism to be used.
JSSE pluggability restrictions have been removed. You can now plug in 3rd party JSSE providers that implement non-standard ciphersuites.
JAAS-based authentication using LDAP. Added a JAAS login module which enables users to perform authentication using credentials stored in an LDAP directory service.
JSSE (SSL/TLS) FIPS 140 compliance. The SunJSSE provider now supports an experimental FIPS 140 compliant mode. When enabled and used in combination with the SunPKCS11 provider and an appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140 compliant.
Socket read timeouts are fully supported by SunJSSE SSLSockets. In previous releases, calling setSoTimeout() would sometimes lead to unpredictable results. This has been corrected.
Support for the Kerberos AES and RC4-HMAC Encryption Types.
Support for new Kerberos Pre-Authentication Mechanisms.
Enhancements to the implementation of PKI Certificate Path Builder and Validator. Added support for segmented and indirect CRLs and the authority information access extension, resulting in improved performance, path discovery, and PKIX compliance (RFC 3280).

See the Mustang security documentation for more details on these and all of the features of Java security.

Bookmark blog post:

del.icio.us

Digg

DZone

Furl

Comments

Comments are listed in date ascending order (oldest first) | Post Comment

Seems cool!?

Though it would be cool if there was some more info about what all those 3-5 letter acronyms actually mean in a more practical way..

For instance does this mean we can use the native user validation on Windows without purchasing a third party tool?

Cheers,
Mikael

Posted by: mgrev on February 15, 2006 at 08:46 AM

What third party tool are you using for native user validation ? Can you provide more details?

Posted by: mullan on February 15, 2006 at 12:46 PM

Really nice. Looking forward to play with it a little. Specially native kerberos authentication looks very good. I was very surprised when I was testing it in J2SE 1.4 and kerberos support wasn't native. It took me some hours to find out that Java kerberos is using his own kerberos ticket cache.

Posted by: pavelt on February 16, 2006 at 01:20 PM

Java Kerberos does allow you to use the native Kerberos ticket cache. If you have a Kerberos ticket in the native ticket cache, you can configure the JAAS Krb5LoginModule to use the ticket cache by setting the parameter "useTicketCache=true". Check out the
specification for details.

If you have any questions or problems with JGSS/Kerberos, please send us an email at java-security@sun.com

Posted by: mullan on February 28, 2006 at 06:51 AM

Will the jgss support DNS-based kdc lookup?

Posted by: tlodderstedt on March 03, 2006 at 01:19 AM

JSSE: My experiments w/ the current beta have shown that Kerberos/TLS still only works in conjunction w/ DES-encrypted tickets. Is support for 3DES and RC4 planned?

Posted by: tlodderstedt on March 03, 2006 at 02:12 AM

> Will the jgss support DNS-based kdc lookup?

Yes, we do plan to add support for KDC location using DNS.

>JSSE: My experiments w/ the current beta have shown that Kerberos/TLS still only works in conjunction w/ DES-encrypted tickets. Is support for 3DES and RC4 planned?

JSSE supports following Kerberos Cipher Suites, as per RFC 2712.

TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5

The Kerberos option is only used for ClientKeyExchange to establish the master secret using Kerberos credentials. For instance, cipher suite "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" will use Kerberos credentials to establish the master secret, with 3DES_EDE_CBC as the cipher and SHA as the hash.

For Kerberos authentication, currently only DES is used. The specification does not define it.

Posted by: mullan on March 03, 2006 at 02:09 PM

Some example of SPNEGO HTTP Negotiate that was introduced in Mustang would be very appreciated in another post ....

Any informations ?

Posted by: bjb on March 10, 2006 at 04:57 AM

Do you plan to support kerberos user-to-user authentication in jgss?

Posted by: tlodderstedt on March 17, 2006 at 05:26 AM

Although Kerberos defines user-to-user authentication, however, GSSAPI applications cannot use it. There is no Kerberos V GSS-API mechanism support for user-to-user authentication, it's not been defined as yet. This is being worked out at IETF.

We will look into providing support for this feature, once it's specified and standardized.

Posted by: mullan on March 17, 2006 at 01:32 PM

I'd like to echo bjb's request for some SPNEGO HTTP Negotiate examples.

Posted by: mets on June 17, 2006 at 08:33 AM

I have successfully used the windows native ticket cache for Kerberos authentication (using JDK 1.5), but I had to modify a windows registry (allowtgtsessionkey ) parameter to do this. Will JDK 6 get around this limitation? See http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

Thanks, Rich

Posted by: awhig on September 13, 2006 at 01:40 PM

Rich,

No, JDK6 can't get around this limitation in Windows. There is no workaround.

Mets,

We now have an
Advanced Java GSS Security Programming guide that includes sample code for SPNEGO and HTTP/SPNEGO authentication.

BTW, go Mets! :)

Posted by: mullan on September 19, 2006 at 11:03 AM

Powered by
Movable Type 3.01D

java.net RSS Feeds