In Java, Cipher is the API for doing data encryption/decryption. Many cryptographic algorithms such as AES, DES, RC4 etc can be specified when creating Cipher instance. The Cipher instance calls the underlying algorithm specific implementation to do the actual encryption/decryption.
Before doing the encryption/decryption, a key needs to be created and it will be used to do the encryption/decryption. A sample program for performing all these is :
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
public class CipherSample {
public static void main(String[] args){
try{
byte[] plainBytes = "HELLO JCE".getBytes();
// Generate the key first
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(128); // Key size
Key key = keyGen.generateKey();
// Create Cipher instance and initialize it to encrytion mode
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); // Transformation of the algorithm
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] cipherBytes = cipher.doFinal(plainBytes);
// Reinitialize the Cipher to decryption mode
cipher.init(Cipher.DECRYPT_MODE,key, cipher.getParameters());
byte[] plainBytesDecrypted = cipher.doFinal(cipherBytes);
System.out.println("DECRUPTED DATA : "+new String(plainBytesDecrypted));
}catch(Exception ex){
ex.printStackTrace();
}
}
}
If you decided which algorithm to use, you need to generate a corresponding key with KeyGenerator or constructing a secret key with SecretKeySpec for the specified algorithm. To create an AES SecretKeySpec, you can do following:
byte[] keyBytes = "0123456789abcdef".getBytes(); SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
After generating the key you can call Cipher.getInstance() to create a Cipher instance by passing the transformation you want to use. Then you can initialize the cipher with the operation mode and key passed in and start to do the encryption/decryption.
A transformation composes of three parts delimited by "/", the format for it is Algorithm/Mode/Padding.
- Algorithm : The cryptographic algorithm such as AES, DES, DESede, RC4 etc
- Mode : The mode of the transformation such as CBC, ECB, CTR etc. This defines how the data bits are transformed
- Padding : The padding scheme such as NoPadding, PKCS5Padding etc.This is used in block ciphers to add appropriate padding to the input data if it is not multiple of block size.
In some cases, you may just want to specify Algorithm simply and skip Mode and Padding, in this case, the default mode("ECB") and default padding "NoPadding") will be used. For example, you can create a Cipher instance by calling:
Cipher cipher = Cipher.getInstance("AES");
Also, you can choose your own provider to do the encryption/decryption. These providers all implement some common cryptographic algorithms but with some differences in how these algorithms are implemented. Some providers may have implemented more algorithms or modes than other providers. This is why you may choose different provider based on your needs. Some well known providers are Oracle's SunJCE, IBM's IBMJCE and BouncyCastle's BC. To know more about the security provider model in Java, please read Java Security Overview.
To specify the provider, you can create a Cipher instance like below:
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", "SunJCE");
But before you can use the provider, one thing you have to do is to register the provider if you want to use. To register the provider, you can either add the provider staticly in java.security file or dynamically by calling Security.addProvider() or Security,insertProvvider().
Let's take BouncyCastle as an example, if you want to add BouncyCastle with java.security. You need to add below line in java.security:
security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider
Here N means the index of the provider, the smaller index has the higher priority.
If you want to add the provider dynamically, add below code in your program :
Security.addProvider(new BouncyCastleProvider()); // OR BELOW Security.insertProviderAt(new BouncyCastleProvider(), 1);
When initializing the Cipher instance, you can specify what mode the Cipher should be operating in. There are four modes supported :
Cipher.ENCRYPT_MODE, Cipher.DECRYPT_MODE, Cipher.WRAP_MODE and Cipher.UNWRAP_MODE, these modes defines what the Cipher instance is used for. From the names, you should easily understand what their meaning are. Cipher.WRAP_MODE is similar to Cipher.ENCRYPT_MODE and Cipher.UNWRAP_MODE is similar to Cipher.DECRYPT_MODE.
For some algorithm which may depend on some random bytes or IVs to ensure the security of the encryption/decryption, you can put them into the AlgorithmParameters so these data will be used that when encryption/decryption is performed.
Above is just a rough introduce to how Cipher works in Java.
Thank You