Architecture

Cryptographic Service Providers

The Java™ Cryptography Architecture introduced the notion of a Cryptographic Service Provider. This term refers to a package (or a set of packages) that supplies a concrete implementation of a subset of the cryptography aspects of the Security API.

For example, the SDK provides the following types of service: key factories, keystore creation and management, algorithm parameter management, algorithm parameter generation, and certificate factories. The SDK also enables a provider to supply a random number generation (RNG) algorithm.

As previously noted, a program can request a particular type of object (such as a Signature object) for a particular service (such as the DSA signature algorithm) and get an implementation from one of the installed providers. Alternatively, the program can request the objects from a specific provider. (Each provider has a name used to refer to it.)

The SDK contains a number of new providers, including IBMJCE. The IBMJCE provider package includes:
  • An implementation of the Digital Signature Algorithm (DSA), described in NIST FIPS 186-2.
  • An implementation of the MD2, MD5 (RFC 1321), SHA-1 (FIPS 180-2), SHA-256, SHA-384 and SHA-512 message digest algorithms.
  • A DSA key pair generator for generating a pair of public and private keys suitable for the DSA algorithm.
  • A DSA algorithm parameter generator.
  • A DSA algorithm parameter manager.
  • A DSA key factory providing bidirectional conversions between (opaque) DSA private and public key objects and their underlying key material.
  • An implementation of the proprietary IBMSecureRandom random number generation algorithm.
  • A keystore implementation for the proprietary keystore type named JKS.

Each SDK installation has one or more provider packages installed. New providers can be added statically or dynamically (see the Provider and Security classes). The Java Cryptography Architecture offers a set of APIs that allow users to query which providers are installed and what services they support.

Clients can configure their runtime environment with different providers, and specify a preference order for each of them. The preference order is the order in which providers are searched for requested services when no specific provider is requested.

Key Management

A database called a keystore can be used to manage a repository of keys and certificates. A keystore is available to applications that need it for authentication or signing purposes.

Applications can access a keystore via an implementation of the KeyStore class, which is in the java.security package. A default KeyStore implementation, called JKS, is provided. It implements the keystore as a file, using a proprietary keystore type (format).

Applications can choose different types of keystore implementations from different providers, using the getInstance factory method supplied in the KeyStore class.
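An added example, not taken from the SDK documentation, that exercises the provider query and preference-order behaviour described above together with the KeyStore getInstance factory. It assumes a standard java.security API; the IBMJCE provider name is treated as possibly absent, since only the IBM SDK ships it.

```java
import java.security.KeyStore;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class ProviderInspector {

    // Lists every installed provider in preference order (position 1 is searched first).
    public static void listProviders() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            Provider p = providers[i];
            System.out.println((i + 1) + ". " + p.getName() + " - " + p.getInfo());
        }
    }

    // Returns the providers implementing a given service, in preference order.
    // The filter is "<type>.<algorithm>", e.g. "Signature.SHA1withDSA" or "KeyStore.JKS";
    // null means no installed provider offers it.
    public static Provider[] providersFor(String filter) {
        return Security.getProviders(filter);
    }

    public static void main(String[] args) throws Exception {
        listProviders();

        // With no provider named, the JCA walks the preference order and returns the
        // first implementation it finds; getProvider() reports which one was chosen.
        Signature sig = Signature.getInstance("SHA1withDSA");
        System.out.println("Default SHA1withDSA from: " + sig.getProvider().getName());

        // Naming a provider pins the implementation regardless of preference order.
        // IBMJCE exists only on the IBM SDK, so other runtimes take the catch branch.
        try {
            Signature ibm = Signature.getInstance("SHA1withDSA", "IBMJCE");
            System.out.println("IBMJCE SHA1withDSA from: " + ibm.getProvider().getName());
        } catch (NoSuchProviderException e) {
            System.out.println("IBMJCE provider is not installed on this runtime");
        }

        // KeyStore follows the same factory pattern; "JKS" is the file-based type named above.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // no file and no password: creates an empty in-memory keystore
        System.out.println("KeyStore type " + ks.getType() + " from " + ks.getProvider().getName());
    }
}
```

Comparing the output of providersFor("Signature.SHA1withDSA") with the provider reported by the default getInstance call confirms that the first entry of the preference order is the one the JCA selects.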

See the Key Management section for more information.