OpenJDK proposals would bolster Java integrity, encryption

One proposal would restrict Java APIs to maintain the strong encapsulation that assures the integrity of code and data, while a second would introduce a Key Encapsulation Mechanism API.

coffee mug - coffee beans - Java
Aline Ponce (CC0)

Code and data integrity and encryption support in Java would get boosts from two different proposals floating in the open source Java community. One proposal would tighten strong encapsulation of Java APIs, and the second would deliver an API for Key Encapsulation Mechanism, an encryption technique that promises to provide protection against quantum computers.

A draft Java Enhancement Proposal (JEP) for integrity and strong encapsulation, posted in, is intended to restrict APIs to prevent them from breaking strong encapsulation, while still accommodating use cases that need to operate beyond encapsulation boundaries. Strong encapsulation is one of the Java platform features that assures code and data integrity by default, the JEP notes. However, this can be circumvented by some APIs, causing headaches for maintenance and performance.

The proposal, which would be incorporated into the standard edition of Java, cites the following goals:

  • Allowing Java to maintain invariants (conditions that always hold) of its own operation as well as that of Java applications that are required for maintainability, security, and performance.
  • Clarifying the Java and non-Java APIs that can break strong encapsulation.
  • Differentiating use cases where breaking encapsulation is convenient from use cases where disabling encapsulation is essential.

It is not a goal of the proposal to guard against situations where users compromise the integrity of the Java platform by manipulating the underlying file system, operating system, or hardware, the proposal states. Appropriate integrity mechanisms in the operating system should always be used to protect the Java platform and Java applications.

The other draft JEP would introduce a Key Encapsulation Mechanism (KEM) API. KEM is a modern cryptographic technique designed to encrypt symmetric keys using asymmetric or public key cryptography. It differs from the more traditional technique that encrypts a randomly generated symmetric key with a public key. According to the JEP, the KEM mechanism is simpler and also addresses several disadvantages of the traditional approach. 

Also positioned for standard Java, the KEM API proposal is intended to enable applications to make use of KEM and KEM algorithms such as RSA Key Encapsulation Mechanism (RSA-KEM), Elliptic Curve Integration Encryption Scheme (ECIES), and candidate KEM algorithms for the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardization process. The plan is to enable the use of KEM in higher-level protocols such as Transport Layer Security (TLS). Implementers would be permitted to develop security providers that implement KEM algorithms developed in Java or native code.

The current version of standard Java is Java Development Kit (JDK) 20, which arrived last month. Its successor, JDK 21, is due in September, with the feature set due to be frozen on June 8.

Copyright © 2023 IDG Communications, Inc.