Java Cryptography

Cryptography is the science of encoding, transmitting and verifying data securely. The topic of cryptography that even the general public has a passing knowledge of is encryption: the science of encoding and storing data so that it cannot be read by an unauthorised party. But as we will see below, it covers other areas, notably authentication.

The Java platform includes a range of classes for handling cryptography which we explore in this section:

Areas of cryptography

Crptography and the various facilities provided in Java cover areas of data security including:

  • encryption of data so that an unauthorised third party cannot read it without the appropriate key;
  • authentication and validation (or certification): broadly speaking, checking that a piece of data is "what it should be" or "hasn't been tampered with"— e.g. whether the data was transmitted error-free, whether it was deliberately altered by third parties, and indeed whether the parties are who we believe they are;
  • computer protocols for using the previous two techniques correctly and in a way that allows all parties to know how they're being used (e.g. the TLS protocol allows a client to connect to a server over the Internet without the two machines previously knowing things such as session key or even preferred encryption method, maximum key length etc).

Indirectly, cryptography is also concerned with:

  • appropriate choice of methods/protocols for the task at hand: for example, we might need to make trade-offs between the level of security of our encryption versus the CPU resources we are willing to dedicate to it on our server, and/or choose between different encryption algorithms; if a particular client only supports an outdated protocol with a recently discovered security flaw, we may need to weigh up the risk/benefit of allowing that client to connect;
  • human protocols for using these techniques (e.g. "don't make your password less than X characters", "don't just use letters in your password" etc).

Issues such as these last two are often what make cryptography challenging to the developer. Java's cryptography library provides relatively simple-looking classes and methods. It is easy to use these methods in a way that actually turns out to be insecure because of the "soft protocols" surrounding the use of cyptography. In practice, this means:

  • we need to understand which tool/algorithm we need when;
  • where there's a choice, we need to assess the strengths and weaknesses of each;
  • some algorithms have various parameters that we need to understand;
  • using some algorithms correctly can be tricky and requires a little understanding of what is going on (e.g. using "128-bit encryption" with a key generated by java.util.Random doesn't give anything like 128 bits of security...);
  • even issues such as "what data should we encrypt when" can be a problem;
  • we need to take account of the security risks and needs, vs other needs, of different parts of our application and system as a whole.

Cryptography in Java

On the following pages, we therefore discuss various topics:

If you enjoy this Java programming article, please share with friends and colleagues. Follow the author on Twitter for the latest news and rants. Follow @BitterCoffey

Editorial page content written by Neil Coffey. Copyright © Javamex UK 2021. All rights reserved.

AltStyle によって変換されたページ (->オリジナル) /