Hi,

I want to implement a tool in Java to learn more about cryptography. I know that there is a security package with some crypto stuff inside. Now I saw there is a dedicated javax.crypto package inside the SDK.

Where is the difference? Are they both up to date?

I wanted to start my tool with some historical ciphers. But it should not be limited to them. So I need a nice abstraction through interfaces or something like that.

What's the better choice of the two APIs? Is there another API I should have a look at?

Thanks in advance.

+2  A: 

It's a mix of the two packages.

Here are the relevant docs

skaffman
Thanks. But before further reading: Can you tell me if I can use this API to implement cryptographic algorithms which are not part of the JCA yet, e.g. historical ciphers? Thx
c0d3x
JCA is just an API, it doesn't define ciphers. The SPI (service provider interface) defines them, and you can extend the API to define your own.
skaffman
+2  A: 

You could take a look at The Legion of the Bouncy Castle

A_M
When we tried to do something that was compatible with OpenSSL, only Bouncy Castle worked. The Sun Java security stuff was just too buggy to work in a compatible manner. It should be compatible with itself, however. Also: Bouncy Castle doesn't require you to run inside that security sandbox stuff (which is mostly for applets - remember them?), so debugging the program actually becomes possible.
eirikma
A: 

Check out keyczar.

matt b
A: 

The updated docs.

luvieere
A: 

http://www.jasypt.org is also a good option.

marcospereira
+2  A: 

To answer the question asked:

javax.crypto deals with low level crypto: encryption, decryption, and hashing. It's where the Cipher class is defined.

java.security deals with everything else: key management, certificate management, and signatures.

Those interfaces abstract JCE providers, which implement specific algorithms. Sun provides some, and BouncyCastle is another good one.

If you are planning some custom ciphers for which there is not already an implementation, you'll be implementing your own JCE provider, and specifically extending javax.crypto.CipherSpi.

It's not difficult, but you have to read through the documentation on how to do that. In order for the JCE to allow your provider, you will have to apply to Sun for a certificate, basically faxing them a signed statement that you are aware of the US export restrictions on crypto libraries.

ykaganovich
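The answer above describes extending javax.crypto.CipherSpi for a cipher that no provider ships. As an added example (not code from the answer or from any existing JCE provider), here is a toy Caesar cipher written as a CipherSpi and registered through a hypothetical provider named "Demo". It assumes Java 9 or later and an OpenJDK build that loads unsigned providers; the class names and the one-byte key format are choices made for this example.

```java
import java.security.*;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;
// Added example: toy Caesar cipher behind the JCE SPI. Provider "Demo" and all class names are hypothetical. Not secure.
public class CaesarDemo {
    public static final class DemoProvider extends Provider {
        public DemoProvider() { super("Demo", "1.0", "Toy historical ciphers"); put("Cipher.Caesar", CaesarSpi.class.getName()); }
    }
    public static final class CaesarSpi extends CipherSpi {
        private int shift; // effective shift 1..25, already inverted when decrypting
        @Override protected void engineInit(int opmode, Key key, SecureRandom r) throws InvalidKeyException {
            byte[] k = key.getEncoded();
            if (k == null || k.length != 1 || k[0] < 1 || k[0] > 25) throw new InvalidKeyException("key must be one byte, 1..25");
            shift = (opmode == Cipher.DECRYPT_MODE) ? 26 - k[0] : k[0];
        }
        @Override protected void engineInit(int m, Key k, AlgorithmParameterSpec p, SecureRandom r) throws InvalidKeyException { engineInit(m, k, r); }
        @Override protected void engineInit(int m, Key k, AlgorithmParameters p, SecureRandom r) throws InvalidKeyException { engineInit(m, k, r); }
        @Override protected byte[] engineUpdate(byte[] in, int off, int len) {
            byte[] out = new byte[len];
            for (int i = 0; i < len; i++) { // rotate ASCII letters, pass every other byte through unchanged
                int c = in[off + i], base = (c >= 'a' && c <= 'z') ? 'a' : (c >= 'A' && c <= 'Z') ? 'A' : -1;
                out[i] = (byte) (base < 0 ? c : base + (c - base + shift) % 26);
            }
            return out;
        }
        @Override protected int engineUpdate(byte[] in, int off, int len, byte[] out, int outOff) throws ShortBufferException {
            if (out.length - outOff < len) throw new ShortBufferException();
            System.arraycopy(engineUpdate(in, off, len), 0, out, outOff, len);
            return len;
        }
        @Override protected byte[] engineDoFinal(byte[] in, int off, int len) { return in == null ? new byte[0] : engineUpdate(in, off, len); }
        @Override protected int engineDoFinal(byte[] in, int off, int len, byte[] out, int outOff) throws ShortBufferException { return in == null ? 0 : engineUpdate(in, off, len, out, outOff); }
        // A stream-style substitution cipher has no modes, padding, IV or parameters.
        @Override protected void engineSetMode(String mode) throws NoSuchAlgorithmException { throw new NoSuchAlgorithmException("no modes"); }
        @Override protected void engineSetPadding(String p) throws NoSuchPaddingException { throw new NoSuchPaddingException("no padding"); }
        @Override protected int engineGetBlockSize() { return 0; }
        @Override protected int engineGetOutputSize(int inputLen) { return inputLen; }
        @Override protected byte[] engineGetIV() { return null; }
        @Override protected AlgorithmParameters engineGetParameters() { return null; }
    }
    public static void main(String[] args) throws Exception {
        Cipher c = Cipher.getInstance("Caesar", new DemoProvider()); // provider passed directly, not installed globally
        SecretKeySpec key = new SecretKeySpec(new byte[] {3}, "Caesar"); // constructed sample key: shift of 3
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = c.doFinal("Veni, vidi, vici".getBytes("US-ASCII"));
        c.init(Cipher.DECRYPT_MODE, key);
        System.out.println(new String(ct, "US-ASCII") + " -> " + new String(c.doFinal(ct), "US-ASCII"));
    }
}
```

Callers only ever touch `Cipher`, so swapping in another historical cipher means adding one more SPI class and one more `put` entry in the provider.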
A: 

I have to add another vote for Bouncy Castle. I recently needed an encryption algorithm that worked across multiple platforms (Java & C#). We tried to use the standard Java and C# encryption packages but we found too many issues with the encrypt/decrypt.

Looking around, Bouncy Castle had a .NET implementation in addition to a Java one. Although the .NET implementation of Bouncy Castle is not well documented, it is essentially the same as the Java one.

Naqeeb
A: 

Java Cryptography Extensions (The Practical Guide Series) by Jason Weiss.

I spent a lot on books, I have a lot of books, all of them very good (if you have a master's in math).

This book gets to the point, I had a cipher working in 5-6 hours. I had been working 5-6 years to get one running. Much practical advice from decades of doing actual infosec.

Nicholas Jordan