Design Principles

The Java™ Cryptography Architecture (JCA) was designed around these principles:
  • Implementation independence and interoperability
  • Algorithm independence and extensibility

Implementation independence and algorithm independence are complementary; you can use cryptographic services, such as digital signatures and message digests, without worrying about the implementation details or even the algorithms that form the basis for these concepts. When complete algorithm independence is not possible, the JCA provides standardized, algorithm-specific APIs. When implementation independence is not desirable, the JCA lets developers indicate a specific implementation.

Algorithm independence is achieved by defining types of cryptographic engines (services), and defining classes that provide the functionality of these cryptographic engines. These classes are called engine classes, and examples are the MessageDigest, Signature, KeyFactory, and KeyPairGenerator classes.

Implementation independence is achieved using a provider-based architecture. The term Cryptographic Service Provider (used interchangeably with provider in this document) refers to a package or set of packages that implement one or more cryptographic services, such as digital signature algorithms, message digest algorithms, and key conversion services. A program can simply request a particular type of object (such as a Signature object) that is implementing a particular service (such as the DSA signature algorithm) and get an implementation from one of the installed providers. If desired, a program can instead request an implementation from a specific provider. Providers can be updated transparently to the application, for example when faster or more secure versions are available.

Implementation interoperability means that various implementations can work with each other, use each other's keys, or verify each other's signatures. This interoperability would mean, for example, that for the same algorithms, a key generated by one provider would be usable by another, and a signature generated by one provider would be verifiable by another.
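The provider lookup and interoperability described above, as an added example that is not part of the original document: it signs without naming a provider, then verifies the same signature through every installed provider that offers the algorithm. The class name, the SHA256withRSA algorithm choice and the sample message are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

public class JcaProviderDemo {
    public static void main(String[] args) throws GeneralSecurityException {
        final String alg = "SHA256withRSA";               // assumed algorithm
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Implementation independence: no provider is named, so the JCA
        // picks the first installed provider that supports the request.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        Signature signer = Signature.getInstance(alg);
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();
        System.out.println("signed by: " + signer.getProvider().getName());

        // Requesting a specific implementation: ask each provider that
        // registers this Signature algorithm to verify the same signature.
        // getProviders(filter) returns null when nothing matches.
        Provider[] providers = Security.getProviders("Signature." + alg);
        if (providers == null) throw new NoSuchAlgorithmException(alg);
        for (Provider p : providers) {
            try {
                Signature verifier = Signature.getInstance(alg, p);
                verifier.initVerify(kp.getPublic());
                verifier.update(msg);
                System.out.println(p.getName() + " verifies: " + verifier.verify(sig));
            } catch (InvalidKeyException e) {
                // A provider may reject a key object it cannot translate.
                System.out.println(p.getName() + " cannot use this key: " + e.getMessage());
            }
        }
    }
}
```

Printing the selected provider name is a useful check in deployments that require a particular implementation, since an unpinned `getInstance` call follows the configured provider order.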

Algorithm extensibility means that new algorithms that fit in one of the supported engine classes can be added easily.