http://java.sun.com/javase/6/docs/technotes/guides/security/enhancements.html
The Java Platform has added support for the following Security functionality
in version 6:
a.. JSR 105, the XML Digital Signature API and implementation
For details, see the XML Digital Signature API Specification and the XML
Digital Signature API Overview and Tutorial
b.. JSR 268, Smart Card I/O API
Sun's Java SE 6 implementation bundles the Smart Card I/O API defined by
JSR 268 as well as a provider called SunPCSC which uses the platform's
native PC/SC Smart Card stack, if available. Note that neither the API nor
the SunPCSC provider are part of the Java SE 6 platform specification and
may not be present on other compliant Java SE implementations.
c.. Elliptic Curve Cryptography (ECC) in SunPKCS11
The SunPKCS11 provider now exposes ECC algorithms if the underlying
PKCS#11 token supports them. This include ECDSA signing and verification,
ECDH key agreement, and generation of EC keypairs. For more information
about the supported mechanisms, see the supported algorithms section in the
PKCS#11 reference guide.
d.. Elliptic Curve CipherSuites in SunJSSE
The SunJSSE now supports the ECC ciphersuites defined in RFC 4492, if a
suitable crypto provider is available (for example, SunPKCS11 with an
appropriate PKCS#11 library). For more information, see the list of
supported ciphersuites and their requirements.
e.. Access Network Security Services (NSS) using SunPKCS11
The SunPKCS11 provider supports new configuration directives which allow
it to access the NSS security library. This enables Java applications to
read keys stored in the NSS database files, use ECC algorithms, and to use
the NSS Softtoken as a FIPS 140 compliant cryptography provider. For more
information see the NSS section in the PKCS#11 guide.
f.. FIPS 140 compliance for SunJSSE
The SunJSSE provider now supports an experimental FIPS 140 compliant mode.
When enabled and used in combination with the SunPKCS11 provider and an
appropriate FIPS 140 certified PKCS#11 token, SunJSSE is FIPS 140 compliant.
For details, see the JSSE Reference Guide.
g.. Pluggability restrictions have been removed from JSSE
In earlier releases, the JSSE framework did not allow 3rd party JSSE
providers that implemented non-standard ciphersuites due to export control
issues.
h.. Socket read timeouts are fully supported by SunJSSE SSLSockets
In previous releases, calling setSoTimeout() would sometimes lead to
unpredictable results. This has been corrected.
i.. Cipher Text Stealing (CTS) mode added to SunJCE block ciphers
CTS is described in Bruce Schneier's book "Applied Cryptography-Second
Edition", John Wiley & Sons, 1996 (pg. 195-196), and is used by some
Kerberos implementations.
j.. New PBKDF2WithHmacSHA1 Secretkeyfactory algorithm added to SunJCE
Constructs secret keys using the Password-Based Key Derivation Function
function found in PKCS5 v2.0.
k.. Removed the 2048 RSA keysize limit from local_policy.jar
Implementations were previously restricted from obtaining RSA keys larger
than 2048 bits without installing the unlimited crypto policy files.
l.. New Certification Authority (CA) certificates added
A number of new CA certificates were added to the default system
lib/security/cacerts file. See the keytool docs for the complete list of CA
certificates.
m.. Added Two New Options to jarsigner Tool
Options -digestalg and -sigalg have been added to the jarsigner tool to
allow users to override the default signature and digest algorithms when
signing a jar file
n.. New Options for keytool Tool
Options -genseckey and -importkeystore have been added to the keytool tool
to allow users to generate a SecretKey inside a keystore and copy entries
from one keystore to another. Options -genkey, -import and -export have been
renamed to -genkeypair, -importcert and -exportcert.
o.. User-Entered Passwords no longer echoed on the screen
Security tools like keytool/jarsigner, and the JAAS login authentication
modules use the new java.io.Console class so that user-entered passwords are
no longer echoed on the screen.
p.. Support for AES Encryption Type in Java GSS/Kerberos
Support for AES encryption type (AES128 and AES256) in Java GSS/Kerberos
is available. This improves interoperability of the Java SE Kerberos
implementation with other Kerberos implementations, such as Solaris 10 and
MIT Kerberos. For details, see Java GSS Security Features.
q.. Support for RC4-HMAC Encryption Type in Java GSS/Kerberos
Support for RC4-HMAC encryption type in Java GSS/Kerberos is available.
This improves interoperability of the Java SE Kerberos implementation with
other Kerberos implementations, such as Windows, Solaris 10 and MIT
Kerberos. Windows Active Directory supports RC4-HMAC as the default Kerberos
encryption type. For details, see Java GSS Security Features.
r.. Support for SPNEGO in Java GSS
Support for SPNEGO mechanism in Java GSS is now available. The Simple and
Protected GSS-API Negotiation (SPNEGO) mechanism is a pseudo security
mechanism that enables GSS-API peers to securely negotiate a common security
mechanism to be used.
Support for SPNEGO authentication scheme in HTTP is also available. For
details, see Java GSS Security Features.
s.. Support for new Pre-Authentication Mechanisms
Java GSS/Kerberos now includes support for the new pre-authentication
mechanisms as described in the latest Kerberos specification. For details,
see Java GSS Security Features.
t.. Native Platform GSS Integration
This feature allows Java GSS applications to take advantage of features in
the native GSS implementation available on the platform. For details, see
Java GSS Security Features.
u.. Access to native PKI and cryptographic services on Microsoft Windows
Added the SunMSCAPI JCE provider which uses the Microsoft CryptoAPI (CAPI)
to offer a variety of RSA cryptographic functions. It acts as a bridge
between Java applications and the services offered by the default RSA
cryptographic service provider available via CAPI. It provides access to
X.509 certificates and RSA key pairs, it performs RSA encryption and
decryption, and it creates and validates RSA signatures. It also supports a
cryptographic random number generator.
v.. Enhancements to the implementation of PKI Certificate Path Validation
Added support for segmented and indirect CRLs, resulting in improved
performance and improved PKIX compliance (RFC 3280).
w.. JAAS-based authentication using LDAP
Added a JAAS login module which enables users to perform authentication
using credentials stored in an LDAP directory service. It provides a drop-in
solution for existing JAAS-enabled applications that wish to support
authentication using LDAP. See LDAPLoginModule for more information.
x.. Default SSLContext
Added the static method getDefault() and setDefault() to SSLContext.
getDefault() returns the default SSLContext, which is initialized in an
implementation specific fashion, for example using system properties.
setDefault() allows an application to programmatically set the default
context to any initialized SSLContext object.
y.. SSLParameters
The new SSLParameters class encapsulates the configuration parameters of
an SSL endpoint, in particular the ciphersuites, protocol versions, and for
servers the client authentication requirements. They can be applied with a
single call to SSLSocket.setSSLParameters() or SSLEngine.setSSLParameters().
