This document is intended as a companion to the Java™ Cryptography Architecture (JCA) API Specification & Reference. References to chapters not present in this document are to chapters in the JCA Specification.

The Java Cryptography Extension (JCE) provides a framework and implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. The software also supports secure streams and sealed objects.

JCE has a provider-based architecture. Providers signed by a trusted entity can be plugged into the JCE framework, and new algorithms can be added seamlessly.

JCE is included as part of the SDK from version 1.4.2 of the SDK.

JCE is based on the same design principles found elsewhere in the JCA: implementation independence and, whenever possible, algorithm independence. It uses the same "provider" architecture.

The JCE API covers:

  • Symmetric bulk encryption, such as DES, RC2, and IDEA
  • Symmetric stream encryption, such as RC4
  • Asymmetric encryption, such as RSA
  • Password-based encryption (PBE)
  • Key Agreement
  • Message Authentication Codes (MAC)

A list of all valid JCE algorithm names can be obtained by using the Java application in See Samples.

The JCE IBM provider, named "IBMJCE", supplies the following cryptographic services:

  • An implementation of the AES, DES (FIPS PUB 46-1), Triple DES, and Blowfish encryption algorithms in the Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Counter (CTR), Output Feedback (OFB), and Propagating Cipher Block Chaining (PCBC) modes. (Note: Throughout this document, the terms "Triple DES" and "DES-EDE" will be used interchangeably.)
  • Key generators for generating keys suitable for the DES, Triple DES, Blowfish, HMAC-MD5, and HMAC-SHA1 algorithms.
  • An implementation of the MD5 with DES-CBC password-based encryption (PBE) algorithm defined in PKCS #5.
  • "Secret-key factories" providing bi-directional conversions between opaque DES, Triple DES and PBE key objects and transparent representations of their underlying key material.
  • An implementation of the Diffie-Hellman key agreement algorithm between two or more parties.
  • A Diffie-Hellman key pair generator for generating a pair of public and private values suitable for the Diffie-Hellman algorithm.
  • A Diffie-Hellman algorithm parameter generator.
  • A Diffie-Hellman "key factory" providing bi-directional conversions between opaque Diffie-Hellman key objects and transparent representations of their underlying key material.
  • Algorithm parameter managers for Diffie-Hellman, DES, Triple DES, Blowfish, and PBE parameters.
  • An implementation of the HMAC-MD5 and HMAC-SHA1 keyed-hashing algorithms defined in RFC 2104.
  • An implementation of the padding scheme described in PKCS#5.
  • A keystore implementation for the proprietary keystore type named "JCEKS", "PKCS12", "JKS".
  • Later versions of JCE have extended these offerings. See What's New.

A Note on Terminology

The JCE release includes two software components:

  • the framework that defines and supports cryptographic services that providers can supply implementations for. This framework includes everything in the javax.crypto package.
  • a provider named "IBMJCE"

Throughout this document, the term JCE refers to the JCE framework. If the full release is mentioned, it will be referred to as the JCE release.