Java Cryptography Extensions

Java Cryptography Extensions (JCE) provide a framework and implementation for encryption, key generation, and authentication algorithms. Encryption support includes asymmetric, symmetric, block, and stream ciphers. These extensions also support secure streams and sealed objects. JCE is part of the Java 2 SDK version 1.4 and was an optional package in earlier JDKs. It is contained in the javax.crypto package.

The principle behind the Java Cryptography Extensions is to provide an API that allows pluggable algorithms and implementations, using provider architecture. The framework can use providers signed by a trusted entity. This also allows algorithms that have not yet been created to be inserted in the future.

The base JDK comes with the SunJCE provider and provides support for the following services:

Let's look at a simplistic example of using the Java Cryptography Extensions to generate a one-way hash using the MD5 algorithm:

// Use the MD5 Algorithm MessageDigest md = MessageDigest.getInstance("MD5");
// Take message and convert to bytes byte buf[] = Message.getBytes();
// Populate the buffer with the message md.update(buf);
// Create the digest byte digestBuf[] = md.digest();

In this scenario, if the message varies, so will the digest, as Table 15.5 shows. JCE also generates reversible encryption. Lets look at an example that uses the Blowfish algorithm:

import javax.crypto.*;
// Get a cryptography provider Provider sunJce = new com.sun.crypto.provider.SunJCE();
// Obtain an instance of the Blowfish cipher Cipher c = Cipher.getInstance("Blowfish");
// Obtain an instance of a key generator KeyGenerator kg = KeyGenerator.getInstance("Blowfish");
// Generate the key specification SecretKey sk = kg.generateKey();
byte[] raw = sk.getEncoded();
SecretKeySpec ks = new SecretKeySpec(raw, "Blowfish");
// Initialize the cipher using the key specification cipher.init(Cipher.ENCRYPT_MODE, ks);
// Update the buffers while (msg[ii] != null)
 enc = cipher.update(msg[ii].getBytes());
// Finish processing enc = cipher.doFinal();

Table 15.5: MD5 Example


MD5 Digest

I need a raise of $10,000.


I need a raise of $100,000.


I need a raise of $1,000,000.


You should notice that the first thing we did was obtain a reference to a cryptographic provider. This mechanism allows you to plug in at will other third-party providers approved by Sun. Additionally, the providers themselves cannot be used as standalones and will work only in the context of the JCE framework. Export restrictions on the use of certain encryption algorithms is controlled by jurisdiction policy files of JCE. These policy files are typically stored under the java-home directory in lib/security. A supplemental version of JCE is available that allows for "unlimited strength" algorithms for those living in eligible countries. The download URL is available at

Core Classes

The implementation of JCE as of JDK 1.4 is feature rich and provides many methods to make your app secure. Let us look at a small subset of some of the classes that are part of the package:


The default keystore in JDK 1.4 is the Sun provider. JCE provides its own implementation of and is referred to as "SunJCE." The SunJCE keystore uses a password-based encryption along with Triple DES for protection of private keys. To use the special implementation of the JCE keystore, you can specify "JCEKS" as the keystore type.

Java Start Sidebar

A keystore is a container or common repository that holds cryptographic keys and certificates.

Java End Sidebar