The SunJSSE implementation now supports a number of additional
ciphersuites. They include ciphersuites using AES as a symmetric cipher
and ephemeral Diffie-Hellman with RSA authentication (DHE_RSA).
For details see the
JSSE reference guide.
In addition to the simple X.509 based trustmanager previously available
in the SunJSSE provider, it now supports a second, PKIX compliant trust
manager. It is implemented utilizing the default CertPath PKIX
implementation. See the
JSSE reference guide
for more information.
The PKIX CertPath implementation in the Sun provider has been made
compliant with the recently published RFC 3280.
A number of performance related changes have been made to the
certificate and PKIX implementation in the Sun provider. Depending on
the usage scenario, performance can be substantially improved, in some
case execution may be several times as fast as in previous releases.
One of these changes is the addition of caching to the LDAPCertStore
implementation, which can be configured as described in the
CertPath API Programmer's Guide.
Limited support for the CRL DistributionPoints extension is now
available in the Sun PKIX implementation. This allows the implementation
to automatically locate and download CRLs in some cases, eliminating the
need for manual configuration. This feature is disabled by default for
compatibility reasons. For more information see the
CertPath API Programmer's Guide.
Added Counter mode (CTR) support for all block ciphers in the SunJCE
provider. For details see the
JCE reference guide.
Security enhancements for the
JavaTM 2 SDK, Standard Edition, v 1.4.1
include the following:
Three new security tools were added in the 1.4.1 release of the Java
2 platform: kinit, klist, and
ktab. These
tools help users obtain, list and manage Kerberos tickets. See the
Security Tools
section of the
JavaTM 2 SDK Tools and Utilities
documentation for more information.
The Sun SecureRandom implementation now
also makes use of an operating system-provided entropy
source on Windows platforms, which can improve the
startup time of cryptographic applications considerably.
Edit the <java.home>/lib/security/java.security
to control this feature.
New root CA certificates with aliases baltimorecodesigningca,
gtecybertrustglobalca, baltimorecybertrustca, gtecybertrustca, and
gtecybertrust5ca have been added to the
<java.home>/lib/security/cacerts keystore file. See
The
cacerts Certificates File.
Security enhancements for the previous release,
JavaTM 2 SDK, Standard Edition, v 1.4
included the following:
The JavaTM Cryptography Extension
(JCE),
JavaTM Secure Socket Extension
(JSSE), and
JavaTM Authentication
and Authorization Service (JAAS) security features have now been
integrated into the Java 2 SDK, v 1.4 rather than being optional packages.
There are two new security features:
The JavaTM GSS-API
can be used for securely exchanging messages between communicating
applications using the Kerberos V5 mechanism.
The JavaTM Certification Path API
includes new classes and methods in the java.security.cert
package that allow you to build and validate certification paths
(also known as "certificate chains").
Due to import control restrictions, the JCE jurisdiction policy files
shipped with the Java 2 SDK, v 1.4 allow "strong" but limited cryptography
to be used.
A version of these files indicating no restrictions on
cryptographic strengths is available.
The JSSE implementation provided in this release includes
strong cipher suites. However, due to U.S. export control
restrictions, this release does not allow alternate "pluggable"
SSL/TLS implementations to be used.
For more information, please see the
JSSE Reference Guide.
With the integration of JAAS into the J2SDK, the
java.security.Policy API handles Principal-based queries,
and the default policy implementation supports Principal-based
grant entries. Thus, access control can now be based
not just on what code is running, but also on who
is running it.
Support for dynamic policies has been added. In Java 2 SDK
releases prior to version 1.4, classes were statically bound with
permissions by querying security policy during class loading. The
lifetime of this binding was scoped by the lifetime of the class
loader. In version 1.4 this binding is now deferred until needed by
a security check. The lifetime of the binding is now scoped by the
lifetime of the security policy.
The graphical Policy Tool utility has been enhanced
to enable specifying a Principal field indicating what user is to be
granted specified access control permissions.