Previous | Next | Trail Map | Security in JDK 1.1 | Contents

Java Security API Overview

This lesson discusses cryptography terms and gives an overview of the Java Security API introduced in JDK 1.1. It has the following sections:


Public Key

A number associated with a particular entity (for example, an individual or an organization). A public key is intended to be known to everyone who needs to have trusted interactions with that entity.

Private Key

A number that is supposed to be known only to a particular entity. That is, private keys are always meant to be kept secret. A private key is always associated with a single public key.

Digital Signature

A string of bits that is computed from some data (the data being "signed") and the private key of an entity. The signature can be used to verify that the data came from the entity.

Like a handwritten signature, a digital signature has many useful characteristics:

  • Its authenticity can be verified, via a computation that uses the public key corresponding to the private key used to generate the signature.

  • It cannot be forged, assuming the private key is kept secret.

  • It is a function of the data signed and thus can't be claimed to be the signature for other data as well.

  • The signed data cannot be changed; if it is, the signature will no longer verify as being authentic.

Cryptography Algorithm

An algorithm used to help ensure one or more of the following:

  1. the confidentiality of data

  2. authentication of the data sender

  3. integrity of the data sent

  4. nonrepudiation; a sender cannot deny having sent a particular message

    A digital signature algorithm provides some of these characteristics. Also see message digest algorithms. Digital signature and message digest algorithms are available in JDK 1.1.

    A separate release (Java Cryptography Extensions) will provide APIs and algorithms related to encryption and decryption.


    The process of taking data (called cleartext) and a short string (a key) and producing ciphertext, which is data meaningless to a third-party who does not know the key.


    The inverse of encryption; the process of taking ciphertext and a short key string, and producing cleartext.


    A digitally signed statement from one entity, saying that the public key of some other entity has some particular value. If you trust the entity that signed a certificate, you trust that the association in the certificate between the specified public key and another particular entity is authentic.

    Message Digest Algorithm (or One-Way Hash Function)

    A function that takes arbitrary-sized input data (referred to as a message) and generates a fixed-size output, called a digest (or hash). A digest has the following properties:

    • It should be computationally infeasible to find another input string that will generate the same digest.

    • The digest does not reveal anything about the input that was used to generate it.

    Message digest algorithms are used to produce unique and reliable identifiers of data. The digests are sometimes called the "digital fingerprints" of data.

    Some digital signature algorithms use message digest algorithms for parts of their computations.

    Some digital signature systems compute the digest of a message and digitally sign the digest rather than signing the message itself. This can save a lot of time, since digitally signing a long message can be time-consuming.

    Engine Class

    The term engine class is used in the Java Security API to refer to a class that provides the functionality of a type of cryptography algorithm. The Security API defines a Java class for each engine class. For example, there is a MessageDigest class, a Signature class, and a KeyPairGenerator class. Users of the API request and utilize instances of these engine classes to carry out corresponding operations. A Signature instance is used to sign and verify digital signatures, a MessageDigest instance is used to calculate the message digest of specified data, and a KeyPairGenerator is used to generate pairs of public and private keys suitable for a specified algorithm.

    An engine class provides the interface to the functionality of a specific type of algorithm, while its actual implementations (from one or more providers) are those for specific algorithms. The Signature engine class, for example, provides access to the functionality of a digital signature algorithm. The actual implementation supplied in a Signature subclass could be that for any kind of signature algorithm, such as SHA-1 with DSA, SHA-1 with RSA, or MD5 with RSA.


    Implementations for various algorithms in Java Security are provided by Cryptography Package Providers. Providers are essentially packages that implement one or more engine classes for specific algorithms. For example, the Java Development Kit's default provider, named "SUN", supplies implementations of the DSA signature algorithm and of the MD5 and SHA-1 message digest algorithms. Other providers may define their own implementations of these algorithms or of other algorithms, such as one of the RSA-based signature algorithms or the MD2 message digest algorithm.

What Does the Java Security API Provide?

The Java Security API is a new Java core API, built around the package (and its subpackages).

The first release of the Java Security API, available in JDK 1.1, contains APIs for:

Digital Signatures
Digital signature algorithms, such as DSA (Digital Signature Algorithm). The functionality includes generating public/private key pairs as well as signing and verifying arbitrary digital data.

Message Digests
Cryptographically secure message digests, such as MD5 and SHA-1. These algorithms, also called one-way hash algorithms, are useful for producing "digital fingerprints" of data, which are frequently used in digital signatures and other applications that need unique and unforgeable identifiers for digital data.

Key Management
A set of abstractions for managing principals (entities such as individual users or groups), their keys, and their certificates. It allows applications to design their own key management systems, and to interoperate with other systems at a high level. Note that support for specific certificate formats is not available but will be part of a future JDK release.

The cryptography framework in the Java Security API is designed so that a new algorithm can be added later on without much difficulty and can be utilized in the same fashion as existing algorithms. For example, although DSA is the only built-in digital signature algorithm in this release, the framework can easily accommodate another algorithm such as RSA. Vendors can develop their own algorithms and integrate their resulting provider) packages into the Java Security API so that clients can utilize them.

What about Encryption and Decryption?

APIs for data encryption and decryption, together with some default algorithm implementations, will be released separately in a "Java Cryptography Extension" (JCE) as an add-on package to JDK, in accordance with U.S. export control regulations.

Core Classes

The Signature Class

The Signature class is an engine class designed to provide the functionality of a digital signature algorithm such as DSA or RSA with MD5. A signature algorithm takes arbitrary-sized input and a private key and generates a relatively short (often fixed-size) string of bytes, called the signature, with the following properties:
  • Given the public key corresponding to the private key used to generate the signature, it should be possible to verify the authenticity and integrity of the input.

  • The signature and the public key do not reveal anything about the private key.

A Signature object can be used to generate a digital signature for data. It can also be used to verify whether or not an alleged signature is in fact the authentic signature of the data associated with it.

The MessageDigest Class

The MessageDigest class is an engine class designed to provide the functionality of cryptographically secure Message Digestmessage digests such as SHA-1 or MD5. A cryptographically secure message digest takes arbitrary-sized input (a byte array), and generates a fixed-size output, called a digest. A digest has the following properties:

  • It should be computationally infeasible to find another input string that will generate the same digest.

  • The digest does not reveal anything about the input that was used to generate it.

Message digests are used to produce unique and reliable identifiers of data. They are sometimes called the "digital fingerprints" of data.

Key Interfaces

The Key interface is the top-level interface for all keys. It defines the functionality shared by all key objects. All keys have three characteristics:

  • An Algorithm

  • An Encoded Form

    This is an external encoded form for the key used when a standard representation of the key is needed outside the Java Virtual Machine, as when transmitting the key to some other party. The key is encoded according to a standard format (such as X.509 or PKCS#8).

  • A Format

    This is the name of the format of the encoded key.

Keys are generally obtained through key generators, certificates, or various Identity classes used to manage keys.

The PublicKey and PrivateKey Interfaces

The PublicKey and PrivateKey interfaces are method-less interfaces, used for type-safety and type-identification for public keys and private keys

The KeyPair Class

The KeyPair class is a simple holder for a key pair (a public key and a private key). It has two public methods, one for returning the private key, and the other for returning the public key.

The KeyPairGenerator Class

The KeyPairGenerator class is an engine class used to generate pairs of public and private keys.

Previous | Next | Trail Map | Security in JDK 1.1 | Contents