Wasafa1 Wasafa1 - 5 months ago 74
Java Question

Java Crypto Api - how to choose a cipher provider

In order to implement encryption using Java, I am using JCE, which is nice and fun.
I was told that it is better to choose the crypto provider than to use a default one.

I need to choose providers both for symmetric key generation. used by this code (using AES in CBC mode):

Key sharedKey = (KeyGenerator.getInstance("AES/CBC/PKCS5PADDING", PROVIDER1).generateKey();


And for Asymmetric text encryption used by this code (using RSA in ECB mode):

Cipher rsaEncryptor = Cipher.getInstance("RSA/ECB/PKCS1Padding",PROVIDER2);


My question is how should I choose PROVIDER1 and PROVIDER2?

for example, I saw that "SunJCE" is a well documented provider, but I don't think it is a "good enough" reason to choose it.

anyone?

Answer

In general, you should stick to the default provider, unless there is a compelling reason not to. Hard coding your provider has the serious drawback that your code won't allow you to change your provider without rewriting your code. The only reason I would see for choosing a provider directly is to make sure that some security constraints are met, that would not be present for other providers.

The following paragraph is directly from the Oracle documentation:

Reminder: Cryptographic implementations in the JDK are distributed through several different providers ("Sun", "SunJSSE", "SunJCE", "SunRsaSign") for both historical reasons and by the types of services provided. General purpose applications SHOULD NOT request cryptographic services from specific providers. That is:

getInstance("...", "SunJCE");  // not recommended
    vs.
getInstance("...");            // recommended

You can still manage to allow other providers to be used by giving them a higher priority (a lower priority indicator, 1 is highest priority) within the java.security file within the jre/lib/security path of your runtime. If you want to specify the provider using getInstance("Algorithm", "Provider") it might be a good idea to make the provider string configurable (e.g. using properties and using myConfig.getProperty("Provider")).