In order to implement encryption using Java, I am using JCE, which is nice and fun. I was told that it is better to choose the crypto provider than to use a default one.
I need to choose providers both for symmetric key generation, used by this code (using AES in CBC mode):
// KeyGenerator takes only the algorithm name; mode and padding are given to Cipher.getInstance
Key sharedKey = KeyGenerator.getInstance("AES", PROVIDER1).generateKey();
And for asymmetric text encryption, used by this code (using RSA in ECB mode):
Cipher rsaEncryptor = Cipher.getInstance("RSA/ECB/PKCS1Padding", PROVIDER2);
My question is how should I choose PROVIDER1 and PROVIDER2?
For example, I saw that "SunJCE" is a well-documented provider, but I don't think it is a "good enough" reason to choose it.
Anyone?
In general, you should stick to the default provider, unless there is a compelling reason not to. Hard coding your provider has the serious drawback that your code won't allow you to change your provider without rewriting your code. The only reason I would see for choosing a provider directly is to make sure that some security constraints are met, that would not be present for other providers.
The following paragraph is directly from the Oracle documentation:
You can still manage to allow other providers to be used by giving them a higher priority (a lower priority indicator, 1 is highest priority) within the java.security file within the jre/lib/security path of your runtime. If you want to specify the provider using getInstance("Algorithm", "Provider") it might be a good idea to make the provider string configurable (e.g. using properties and using myConfig.getProperty("Provider")).
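The configurable-provider approach described in this answer, as an added example that is not the answerer's code. The property names crypto.provider.aes and crypto.provider.rsa and the class name are hypothetical; when a property is unset, the lookup falls back to the JVM's provider priority order.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

public class ProviderSelection {
    // Hypothetical property names; unset means "use the default provider order".
    static final String AES_PROP = "crypto.provider.aes";
    static final String RSA_PROP = "crypto.provider.rsa";

    /** Returns the configured provider name, or null to use the default lookup. */
    static String configuredProvider(String property) {
        String name = System.getProperty(property);
        if (name == null || name.isEmpty()) return null;
        if (Security.getProvider(name) == null) // fail early on a misspelled or uninstalled provider
            throw new IllegalStateException("Provider not installed: " + name);
        return name;
    }

    static KeyGenerator aesKeyGenerator() throws Exception {
        String p = configuredProvider(AES_PROP);
        return (p == null) ? KeyGenerator.getInstance("AES") : KeyGenerator.getInstance("AES", p);
    }

    static Cipher rsaCipher() throws Exception {
        String p = configuredProvider(RSA_PROP);
        return (p == null) ? Cipher.getInstance("RSA/ECB/PKCS1Padding")
                           : Cipher.getInstance("RSA/ECB/PKCS1Padding", p);
    }

    public static void main(String[] args) throws Exception {
        // Installed providers in priority order (position 1 is tried first), as set in java.security.
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++)
            System.out.printf("%d. %s (AES KeyGenerator: %b)%n", i + 1, installed[i].getName(),
                    installed[i].getService("KeyGenerator", "AES") != null);

        KeyGenerator kg = aesKeyGenerator();
        kg.init(128);
        Cipher rsaEncryptor = rsaCipher();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); // key pair constructed for the demo
        kpg.initialize(2048);
        rsaEncryptor.init(Cipher.ENCRYPT_MODE, kpg.generateKeyPair().getPublic());
        byte[] ct = rsaEncryptor.doFinal(kg.generateKey().getEncoded()); // encrypt the AES key bytes
        System.out.println("AES from " + kg.getProvider().getName() + ", RSA from "
                + rsaEncryptor.getProvider().getName() + ", ciphertext bytes: " + ct.length);
    }
}
```

Running it with -Dcrypto.provider.aes=SunJCE pins the AES key generator to that provider, while leaving the property unset shows which provider the default priority order selects.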