Oracle has announced the availability of Java SE 8 and JDK 8, the company’s implementation of Java SE 8. Changes have been made in the Java Programming Language, Collections, JavaFX, tools, and other components.
As far as security enhancements are concerned, the list is fairly long. First of all, the TLS 1.1 and TLS 1.2 protocols have been enabled by default on the client.
The SunJCE provider has been fitted with stronger algorithms for Password-Based Encryption. The list of AES-based algorithms includes PBEWithSHA256AndAES_128 and PBEWithSHA512AndAES_256.
SL/TLS Server Name Indication (SNI) extension support has been added to JSSE Server, the SunJSSE provider has been enhanced to support AEAD mode-based cipher suites, and the SunJSE provider now supports AES/GCM/NoPadding cipher implementation and GCM algorithm parameters.
“-importpassword” is a new command that’s been added to allow users to store a password security as a secret key with the aid of the keytool utility.
The list of security improvements also includes enhanced support for NSA Suite B cryptography, better support for high entropy random number generation, PKCS 11 provider support for Windows includes 64-bit, two new rcache types added to Kerberos 5, and weak Kerberos 5 encryption disabled by default.
Here is a brief description of other security enhancements:
-new variant of AccessController.doPrivileged that enables code to assert a subset of its privileges, without preventing the full traversal of the stack to check for other permissions;
-support for Kerberos 5 Protocol Transition and Constrained Delegation;
-unbound SASL for the GSS-API/Kerberos 5 mechanism;
-JNI bridge to native JGSS on Mac OS X;
-support for stronger strength ephemeral DH keys in the SunJSSE provider;
-support for server-side cipher suites preference customization in JSSE;
Previous versions of Java have been so vulnerable that it has been often named the most vulnerable software on the market. At the recent Pwn2Own competition, none of the contestants tried to hack Java. The reward for finding exploitable vulnerabilities in the software was only $30,000 (€22,000).
Adam Gowdiak, the CEO and founder of Security Explorations, and his team have identified numerous security holes in Java over the past years. While it remains to be seen how secure Java 8 really is, Gowdiak highlights the fact that “what usually matters is the code quality and implementation.”