Making the JDK More Secure

Sean Mullan, OpenJDK Security Group Lead, Oracle
October 2, 2017
@seanjmullan
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Program Agenda

  1. Introduction and Goals
  2. Secure by Default Improvements
  3. JDK 9 Security Features
  4. Conclusion

Making the JDK More Secure: Two Primary Goals

  • Provide a secure by default environment
  • Deliver new features that keep pace with the rapidly evolving security landscape

Java Security Components (layered, top to bottom)

  • Tools: keytool, jarsigner, policytool, kinit, klist, ktab
  • APIs and Libraries: JAAS, GSSAPI/Kerberos, XML Signature, SASL, JSSE (SSL/TLS/DTLS), JAR Verification, JCE (crypto), PKI (CertPath)
  • Java Language and Runtime Security

Making the JDK Secure by Default: Specific Goals

  • Restrict weak algorithms and protocols
    – Ex: JAR files signed with MD5 algorithms are now treated as unsigned JARs
  • Ensure defaults remain strong
    – Ex: Default settings for keytool/jarsigner changed from SHA-1 to SHA-2
  • Add support for stronger algorithms and protocols
    – Ex: Backported support for TLS 1.2 to JDK 6

Cryptographic Roadmap: http://java.com/cryptoroadmap

  • Initially published on August 18, 2016
  • A "heads-up" on forthcoming changes
  • Provides guidance for determining if a change may impact your applications
  • Shows all changes that have been released in the past 1-2 years
  • Important: may not apply to third party security providers

Disable SHA-1 Certificates

  • SHA-1 TLS Server certificates that chain to Public Root CAs are now restricted by default
    – Restriction is in JDK 9, 8u141, 7u151, 6u161
    – Applies to all certificates in the chain and to revocation information
    – Public Root CAs are those that are pre-installed in the cacerts keystore
  • Adheres to CA/Browser Forum Baseline Requirements:
    – "Effective 1 January 2016, CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using the SHA-1 hash algorithm."
    – https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.9.pdf
  • See JEP 288 for more information: http://openjdk.java.net/jeps/288

Have you ever written code like this?

    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;

    public class AES256 {
        public static void main(String[] args) throws Exception {
            // Generating a 256-bit key succeeds; under the "limited" policy the failure comes later, in Cipher.init()
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            SecretKey key = kg.generateKey();
            // AES-GCM; in ENCRYPT_MODE with no parameters the provider generates a random IV
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key);
            byte[] bytes = c.doFinal("Hello World!".getBytes());
        }
    }

    $ java AES256
    Exception in thread "main" java.security.InvalidKeyException: Illegal key size or default parameters
    …

<Interlude … download JCE Unlimited Strength Jurisdiction Policy Files, install, try again>

    $ java AES256
    (no exception this time)

Enable Unlimited Cryptographic Policy By Default

  • You will no longer have to download the unlimited policy bundle!
  • JDK 9 includes both the limited and unlimited policy files
    – Use the crypto.policy Security Property to configure
  • Default value is "unlimited"
  • No limits on strength of cryptography
    – Most significantly, allows AES-192 and AES-256 to be used out-of-box
  • Change will be backported in two phases
    – 8u151, 7u161, 6u171 (10/2017): Both policy files installed, but limited is default
    – 8u161, 7u171, 6u181 (01/2018): default changed to unlimited
  • NOTE: You are advised to consult your export/import control counsel or attorney to determine the exact requirements

Configuring the Restrictions

  • Restrictions are configured via Security Properties in the java.security file
    – jdk.certpath.disabledAlgorithms
      • Restrictions on certificates, CRLs, and OCSP Responses
    – jdk.tls.disabledAlgorithms
      • Restrictions on algorithms used in the TLS handshake protocol
    – jdk.tls.legacyAlgorithms
      • Algorithms are negotiated in the TLS handshake protocol only if no stronger candidates are available
    – jdk.jar.disabledAlgorithms
      • A signed JAR is treated as unsigned if it is digested/signed with any of the restricted algorithms
    – jdk.xml.dsig.secureValidationPolicy
      • Restrictions on XML digital signatures

Default Restrictions

    jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
        RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
        EC keySize < 224

    jdk.tls.legacyAlgorithms=K_NULL, C_NULL, M_NULL, \
        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
        DH_RSA_EXPORT, RSA_EXPORT, DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC, 3DES_EDE_CBC

    jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024

    jdk.xml.dsig.secureValidationPolicy=\
        disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
        disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
        disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
        disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5, …

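Added example (not code from the slides or the JDK): a small checker that evaluates a certificate's signature algorithm and key size against the jdk.certpath.disabledAlgorithms syntax listed above, reading the running JDK's value and falling back to the slide's default. It handles bare algorithm names and keySize constraints; entries carrying jdkCA or usage conditions are skipped because they need chain context, and the class and method names are my own.

```java
import java.security.Security;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not JDK code: checks (sigAlg, keyAlg, keySize) against jdk.certpath.disabledAlgorithms.
public class DisabledAlgCheck {
    // Value from the "Default Restrictions" slide, used when the running JDK does not define the property.
    static final String SLIDE_DEFAULT = "MD2, MD5, SHA1 jdkCA & usage TLSServer, "
            + "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224";
    private static final Pattern KEYSIZE = Pattern.compile("keySize\\s*(<=|>=|!=|==|<|>)\\s*(\\d+)");

    /** Returns the property entry that disables the inputs, or null if nothing matches. */
    static String disabledBy(String property, String sigAlg, String keyAlg, int keySize) {
        String sig = sigAlg.toUpperCase(Locale.ROOT).replace("-", "");   // e.g. MD5WITHRSA
        for (String raw : property.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            String[] parts = entry.split("\\s+", 2);
            String alg = parts[0].toUpperCase(Locale.ROOT).replace("-", "");
            String constraints = parts.length > 1 ? parts[1] : "";
            // Conditional entries (chain to a cacerts root, a specific usage) need chain context; not decided here
            if (constraints.contains("jdkCA") || constraints.contains("usage")) continue;
            if (constraints.isEmpty()) {
                // A bare name disables the algorithm and any signature built on it (MD5 -> MD5withRSA)
                if (sig.equals(alg) || sig.startsWith(alg + "WITH") || sig.endsWith("WITH" + alg)) return entry;
            } else if (alg.equalsIgnoreCase(keyAlg) && keySizeViolates(constraints, keySize)) {
                return entry;   // e.g. "RSA keySize < 1024" against a 512-bit RSA key
            }
        }
        return null;
    }

    static boolean keySizeViolates(String constraints, int keySize) {
        Matcher m = KEYSIZE.matcher(constraints);
        if (!m.find()) return false;
        int cmp = Integer.compare(keySize, Integer.parseInt(m.group(2)));
        switch (m.group(1)) {
            case "<":  return cmp < 0;   case "<=": return cmp <= 0;
            case ">":  return cmp > 0;   case ">=": return cmp >= 0;
            case "==": return cmp == 0;  default:   return cmp != 0;   // "!="
        }
    }

    public static void main(String[] args) {
        String prop = Security.getProperty("jdk.certpath.disabledAlgorithms");
        if (prop == null) prop = SLIDE_DEFAULT;
        // Constructed inputs: Alice's MD5withRSA/1024-bit cert from the keytool slide, plus two SHA-256 certs
        System.out.println("MD5withRSA, RSA 1024    -> " + disabledBy(prop, "MD5withRSA", "RSA", 1024));
        System.out.println("SHA256withRSA, RSA 512  -> " + disabledBy(prop, "SHA256withRSA", "RSA", 512));
        System.out.println("SHA256withRSA, RSA 2048 -> " + disabledBy(prop, "SHA256withRSA", "RSA", 2048));
    }
}
```

With the slide's default the three lines report MD5, "RSA keySize < 1024" and null respectively; on a newer JDK the property may carry extra entries (such as include directives), which this checker passes over.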
Restrictions Example: PKI (CertPath)

[Slide 15 diagram] A certificate chain is passed to CertPathValidator.validate():

    CA1 (root) --> CA2 (Issuer = CA1, Subject = CA2, SigAlg = SHA256withRSA) --> Alice (Issuer = CA2, Subject = Alice, SigAlg = MD5withRSA)

With java.security containing jdk.certpath.disabledAlgorithms="MD2, MD5, …", the PKIX validator rejects Alice's certificate:

    CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA

Use -Djava.security.debug=certpath to debug further.

Use keytool to diagnose weak certificates

    $ keytool -printcert -file weak.crt
    Owner: CN=Alice, OU=Class-1, O=Example, C=US
    Issuer: OU=Class-1, O=Example, C=US
    Serial number: 2
    Valid from: Sun Jun 28 09:32:30 EDT 2009 until: Thu Mar 15 09:32:30 EDT 2029
    Certificate fingerprints:
             SHA1: 49:0D: ...
             SHA256: B0:51: ...
    Signature algorithm name: MD5withRSA (weak)
    Subject Public Key Algorithm: 1024-bit RSA key
    Version: 3
    …
    Warning:
    The certificate uses the MD5withRSA signature algorithm which is considered a security risk.

Use jarsigner to diagnose weak JARs

    $ jarsigner -verify -verbose test.jar

             134 Thu Dec 10 16:20:40 EST 2015 META-INF/MANIFEST.MF
             245 Thu Dec 10 16:20:40 EST 2015 META-INF/MD5RSA10.SF
            1005 Thu Dec 10 16:20:40 EST 2015 META-INF/MD5RSA10.RSA
               0 Mon Dec 07 18:00:20 EST 2015 META-INF/
    m       2137 Mon Dec 07 17:40:02 EST 2015 JarVerifyLimits.class

      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore

    - Signed by "CN=MD5-RSA-1024 Cert, OU=Java, O=Java, L=SCA, ST=CA, C=US"
        Digest algorithm: MD5 (weak)
        Signature algorithm: MD5withRSA (weak), 1024-bit key

    WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

      jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024

JDK 9 Security Features: Highlights

  • 9 new security JEPs
  • Significant cryptographic performance improvements
  • Support for important TLS extensions: ALPN, OCSP Stapling
  • Support for new crypto algorithms: SHA-3, DRBG
  • Support for new protocols: DTLS
  • New restrictions on SHA-1 certificates
  • More secure defaults: JKS -> PKCS12

"9 for 9": 9 New Security JEPs in JDK 9

  • JCE (Crypto)
    – 287: SHA-3 Hash Algorithms
    – 229: Create PKCS12 KeyStores by Default
    – 246: Leverage CPU Instructions for GHASH and RSA
    – 273: DRBG-Based SecureRandom Implementations
  • JSSE (TLS/SSL/DTLS)
    – 249: OCSP Stapling for TLS
    – 244: TLS Application-Layer Protocol Negotiation Extension
    – 219: Datagram Transport Layer Security (DTLS)
  • Runtime Security
    – 232: Improve Secure Application Performance
  • PKI (CertPath)
    – 288: Disable SHA-1 Certificates

SHA-3 Hash Algorithms: Overview and Motivation

  • SHA-3 is a new family of cryptographic