Summary

Java cryptographic services are defined independent of the underlying algorithms and implementations. This supports extensibility through the addition of newer algorithms in separate provider implementation without changing or adding the programmer visible classes. This extensibility is achieved through an architecture where the service engine classes expose the functionality, but hide the coupling with the implementation class. It also allows security capabilities to be extended by installing and configuring third-party providers. The same architecture is used by all security APIs, bringing a good deal of uniformity and ease of use.

Keys—secret key for symmetric encryption, and public-private key pairs for asymmetric encryption—are central to a number of cryptographic operations. Proper generation and handling of keys is essential for realizing the security offered by cryptography. Java Security API contains classes to handle keys as Java objects and has services to generate, store and load these keys. An important point to remember is that not all secret keys or public-private key pairs have the same structure or are generated by the same process—key pair used by RSA cannot be used by DSA and vice versa.

JCA and JCE contain the engine classes for basic cryptographic operations. Examples include Signature class for creating and verifying digital signature, Cipher class for symmetric and asymmetric encryption and decryption, MessageDigest class for computing and verifying message digest, Mac class for computing and verifying MAC and KeyAgreement class for key agreement operations. Encryption provides message confidentiality and digest helps in detecting changes to the message. MAC should be used in place of digest to prevent willful tampering when the complete message including the digest or MAC is exposed. Digital signature combines public key encryption with digest to provide non-repudiation.

You can perform these cryptographic operations using the command line utility crypttool. This allows experimentation with various combinations of services, algorithms and providers without any programming. You can also examine the source code of crypttool for sample code using the Java Security API.

Speed of cryptographic operations depends on the quality of implementation, algorithm used and the keysize. For J2SE v1.4 bundled providers, we found 56-bit DES encryption to be 2.5 times faster than 112-bit TripleDES encryption. For digital signature, we found RSA to be approximately 1.5 times faster than DSA for both signature creation and verification.

Cryptography requires standards and protocols to be useful in real life. Most of the applications require agreement about using cryptographic capabilities in a certain way. This is achieved through standards and protocols.