Differences between IBM and Oracle JCE algorithms

This release contains the Oracle security implementation of JCE, instead of the IBM JCE provider implementation. Algorithms that are available in the IBM JCE provider might not be available, or might have different names, in the Oracle providers.
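To check which names an application depends on still resolve in the running JVM, the following added example (not IBM or Oracle code) probes the installed providers for a few rows taken from the tables on this page. The class name `JceNameAudit`, the helper `providerFor` and the choice of rows are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;

public class JceNameAudit {
    // A few rows copied from the tables on this page: {type, IBMJCE alias, Oracle name}.
    private static final String[][] ROWS = {
        {"MessageDigest", "SHA2",           "SHA-256"},
        {"Mac",           "HMACwithSHA256", "HmacSHA256"},
        {"Signature",     "SHA2withRSA",    "SHA256withRSA"},
        {"KeyGenerator",  "3DES",           "DESede"},
        {"Cipher",        "PBEWithHmacSHA256And256BitAES", "PBEWithHmacSHA256AndAES_256"},
        {"SecureRandom",  "HASHDRBG",       "DRBG"},
    };

    // Name of the highest-priority installed provider that registers the
    // algorithm (or an alias of it) for the given service type, or null.
    static String providerFor(String type, String algorithm) {
        Provider[] found = Security.getProviders(type + "." + algorithm);
        return (found == null || found.length == 0) ? null : found[0].getName();
    }

    public static void main(String[] args) {
        int unresolved = 0;
        for (String[] row : ROWS) {
            String legacy = providerFor(row[0], row[1]);
            String standard = providerFor(row[0], row[2]);
            System.out.printf("%-13s %-30s %-8s | %-28s %s%n", row[0], row[1],
                legacy == null ? "MISSING" : legacy, row[2],
                standard == null ? "MISSING" : standard);
            if (legacy == null && standard == null) unresolved++;
        }
        // Non-zero exit lets a build or deployment check fail on names that resolve nowhere.
        System.exit(unresolved == 0 ? 0 : 1);
    }
}
```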

The following tables list the IBM JCE algorithms by type, and their Oracle equivalents (from the SunJCE provider), if available.

Type AlgorithmParameterGenerator

Table 1. Type AlgorithmParameterGenerator
| IBMJCE algorithm or alias | Equivalent Oracle algorithm |
| --- | --- |
| AESGCM | Not yet available |
| EC | None |

Type AlgorithmParameters

Table 2. Type AlgorithmParameters
| IBMJCE algorithm or alias | Equivalent Oracle algorithm |
| --- | --- |
| AESGCM | GCM |
| 3DES | DESede (note 1) |
| Mars | None |
| PBEWithHmacSHA1And128BitAES | PBEWithHmacSHA1AndAES_128 |
| PBEWithHmacSHA1And256BitAES | PBEWithHmacSHA1AndAES_256 |
| PBEWithHmacSHA224And128BitAES | PBEWithHmacSHA224AndAES_128 |
| PBEWithHmacSHA224And256BitAES | PBEWithHmacSHA224AndAES_256 |
| PBEWithHmacSHA256And128BitAES | PBEWithHmacSHA256AndAES_128 |
| PBEWithHmacSHA256And256BitAES | PBEWithHmacSHA256AndAES_256 |
| PBEWithHmacSHA384And128BitAES | PBEWithHmacSHA384AndAES_128 |
| PBEWithHmacSHA384And256BitAES | PBEWithHmacSHA384AndAES_256 |
| PBEWithHmacSHA512And128BitAES | PBEWithHmacSHA512AndAES_128 |
| PBEWithHmacSHA512And256BitAES | PBEWithHmacSHA512AndAES_256 |
| PBEWithMD2AndDES | None |
| PBEWithMD2AndRC2 | None |
| PBEWithMD2AndTripleDES, PBEWithMD2And3DES, PBEWithMD2AndDESede | None |
| PBEWithMD5AndRC2 | None |
| PBEWithSHAAndDES, PBEWithSHA-1AndDES, PBEWithSHA1AndDES | None |
| PBEWithSHA-1And3DES, PBEWithSHA-1AndDESede, PBEWithSHA-1AndTripleDES, PBEWithSHA1And3DES, PBEWithSHA1AndTripleDES, PBEWithSHAAnd3DES, PBEWithSHAAndDESede, PBEWithSHAAndTripleDES | PBEWithSHA1AndDESede |
| 1.2.840.113549.1.12.1.3, OID.1.2.840.113549.1.12.1.3 | PBEWithSHA1AndDESede (note 2) |
| PBEWithSHAAnd3KeyTripleDES, PBEWithSHAAnd3Key3DES, PBEWithSHAAnd3KeyDESede, PBEWithSHA-1And3Key3DES, PBEWithSHA-1And3KeyDESede, PBEWithSHA-1And3KeyTripleDES, PBEWithSHA1And3Key3DES, PBEWithSHA1And3KeyDESede, PBEWithSHA1And3KeyTripleDES | PBEWithSHA1AndDESede |
| PBEWithSHAAnd2KeyTripleDES, PBEWithSHAAnd2Key3DES, PBEWithSHAAnd2KeyDESede, PBEWithSHA-1And2Key3DES, PBEWithSHA-1And2KeyDESede, PBEWithSHA-1And2KeyTripleDES, PBEWithSHA1And2Key3DES, PBEWithSHA1And2KeyDESede, PBEWithSHA1And2KeyTripleDES | None |
| PBEWithSHAAnd40BitRC2, PBEWithSHA-1And40BitRC2, PBEWithSHA1And40BitRC2 | PBEWithSHA1AndRC2_40 |
| PBEWithSHAAnd128BitRC2, PBEWithSHA-1And128BitRC2, PBEWithSHA1And128BitRC2 | PBEWithSHA1AndRC2_128 |
| PBEWithSHAAnd40BitRC4, PBEWithSHA-1And40BitRC4, PBEWithSHA1And40BitRC4 | PBEWithSHA1AndRC4_40 |
| PBEWithSHAAnd128BitRC4, PBEWithSHA-1And128BitRC4, PBEWithSHA1And128BitRC4 | PBEWithSHA1AndRC4_128 |
| PBM, 1.2.840.113533.7.66.13, OID.1.2.840.113533.7.66.13, PasswordBasedMac | None |

Table notes:
  1. Non-standard aliases that are available from the IBMJCE provider are not available from Oracle providers. Use a standard algorithm name instead.
  2. The IBMJCE provider maps these object identifiers to PBEWithSHAAnd3KeyTripleDES. The Oracle equivalent maps these object identifiers to PBEWithSHA1AndDESede.

Type Cipher

Table 3. Type Cipher
| IBMJCE algorithm or alias | Equivalent Oracle algorithm |
| --- | --- |
| 2.16.840.1.102.3.4.1.28, 2.16.840.1.101.3.4.1.48, 2.16.840.1.101.3.4.1.8, OID.2.16.840.1.102.3.4.1.28, OID.2.16.840.1.101.3.4.1.48, OID.2.16.840.1.101.3.4.1.8 | AESWrap (note 1) |
| ElGamal | None |
| Mars | None |
| PBEWithHmacSHA1And128BitAES | PBEWithHmacSHA1AndAES_128 |
| PBEWithHmacSHA1And256BitAES | PBEWithHmacSHA1AndAES_256 |
| PBEWithHmacSHA224And128BitAES | PBEWithHmacSHA224AndAES_128 |
| PBEWithHmacSHA224And256BitAES | PBEWithHmacSHA224AndAES_256 |
| PBEWithHmacSHA256And128BitAES | PBEWithHmacSHA256AndAES_128 |
| PBEWithHmacSHA256And256BitAES | PBEWithHmacSHA256AndAES_256 |
| PBEWithHmacSHA384And128BitAES | PBEWithHmacSHA384AndAES_128 |
| PBEWithHmacSHA384And256BitAES | PBEWithHmacSHA384AndAES_256 |
| PBEWithHmacSHA512And128BitAES | PBEWithHmacSHA512AndAES_128 |
| PBEWithHmacSHA512And256BitAES | PBEWithHmacSHA512AndAES_256 |
| PBEWithMD2AndDES | None |
| PBEWithMD2AndRC2 | None |
| PBEWithMD2AndTripleDES, PBEWithMD2And3DES, PBEWithMD2AndDESede | None |
| PBEWithMD5AndRC2 | None |
| PBEWithMD5And3DES, PBEWithMD5AndDESede | PBEWithMD5AndTripleDES |
| PBEWithSHA1AndDES, PBEWithSHA-1AndDES, PBEWithSHAAndDES, OID.1.2.840.113549.1.5.10 | None |
| PBEWithSHA-1And3DES, PBEWithSHA-1AndDESede, PBEWithSHA-1AndTripleDES, PBEWithSHA1And3DES, PBEWithSHA1AndTripleDES, PBEWithSHAAnd3DES, PBEWithSHAAndDESede, PBEWithSHAAndTripleDES | PBEWithSHA1AndDESede |
| 1.2.840.113549.1.12.1.3, OID.1.2.840.113549.1.12.1.3 | PBEWithSHA1AndDESede (note 2) |
| PBEWithSHAAnd3KeyTripleDES, PBEWithSHAAnd3Key3DES, PBEWithSHAAnd3KeyDESede, PBEWithSHA-1And3Key3DES, PBEWithSHA-1And3KeyDESede, PBEWithSHA-1And3KeyTripleDES, PBEWithSHA1And3Key3DES, PBEWithSHA1And3KeyDESede, PBEWithSHA1And3KeyTripleDES | PBEWithSHA1AndDESede |
| PBEWithSHAAnd2KeyTripleDES, PBEWithSHAAnd2Key3DES, PBEWithSHAAnd2KeyDESede, PBEWithSHA-1And2Key3DES, PBEWithSHA-1And2KeyDESede, PBEWithSHA-1And2KeyTripleDES, PBEWithSHA1And2Key3DES, PBEWithSHA1And2KeyDESede, PBEWithSHA1And2KeyTripleDES | None |
| PBEWithSHA1AndRC2, PBEWithSHA-1AndRC2, PBEWithSHAAndRC2, OID.1.2.840.113549.1.5.11 | None |
| PBEWithSHAAnd40BitRC2, PBEWithSHA-1And40BitRC2, PBEWithSHA1And40RC2 | PBEWithSHA1AndRC2_40 |
| PBEWithSHAAnd128BitRC2, PBEWithSHA-1And128BitRC2, PBEWithSHA1And128BitRC2 | PBEWithSHA1AndRC2_128 |
| PBEWithSHAAnd40BitRC4, PBEWithSHA-1And40BitRC4, PBEWithSHA1And40BitRC4 | PBEWithSHA1AndRC4_40 |
| PBEWithSHAAnd128BitRC4, PBEWithSHA-1And128BitRC4, PBEWithSHA1And128BitRC4 | PBEWithSHA1AndRC4_128 |
| RSAwithNoPad | RSA/ECB/NoPadding |
| RSAforSSL, RSA/SSL/PKCS1Padding | RSA/ECB/PKCS1Padding |
| Seal | None |

Table notes:
  1. The IBMJCE provider maps these object identifiers to Cipher.AESWrap. The Oracle equivalent does not have these object identifiers.
  2. The IBMJCE provider maps these object identifiers to PBEWithSHAAnd3KeyTripleDES. The Oracle equivalent maps these object identifiers to PBEWithSHA1AndDESede.

Type KeyFactory

Table 4. Type KeyFactory
| IBMJCE algorithm or alias | Equivalent Oracle algorithm | Oracle provider | Notes |
| --- | --- | --- | --- |
| DSAKeyFactory | DSA | SUN | Non-standard aliases that are available from the IBMJCE provider are not available from Oracle providers. Use a standard algorithm name instead. |
| 1.2.840.10045.2.1, OID.1.2.840.10045.2.1 | EC | SunEC | The IBMJCE provider maps these object identifiers to EC. Oracle does not have these object identifiers. |
| 1.2.5.8.1.1, 1.2.840.113549.1.1.1, OID.1.2.5.8.1.1, OID.1.2.840.113549.1.1.1 | RSA | SunRsaSign | The IBMJCE provider maps these object identifiers to RSA. Oracle does not have these object identifiers. Both the IBMJCE provider and the Oracle equivalent have object identifiers for 1.2.840.113549.1.1 and OID.1.2.840.113549.1.1. |

Type KeyGenerator

Table 5. Type KeyGenerator
| IBMJCE algorithm or alias | Equivalent Oracle algorithm |
| --- | --- |
| 2.16.840.1.101.3.4.1, OID.2.16.840.1.101.3.4.1 | AES (note 1) |
| 3DES | DESede (note 2) |
| HmacMD2, HMACwithMD2 | None |
| HMACwithMD5 | HmacMD5 (note 2) |
| HMACwithSHA1 | HmacSHA1 (note 2) |
| HMACwithSHA224 | HmacSHA224 (note 2) |
| HMACwithSHA256 | HmacSHA256 (note 2) |
| HMACwithSHA384 | HmacSHA384 (note 2) |
| HMACwithSHA512 | HmacSHA512 (note 2) |
| Mars | None |
| Seal | None |

Table notes:
  1. IBMJCE maps these object identifiers to AES. Oracle does not have these object identifiers.
  2. Non-standard aliases that are available from the IBMJCE provider are not available from Oracle providers. Use a standard algorithm name instead.

Type KeyPairGenerator

Table 6. Type KeyPairGenerator
| IBMJCE algorithm or alias | Equivalent Oracle algorithm | Oracle provider | Notes |
| --- | --- | --- | --- |
| OID.1.3.14.3.2.12 | 1.3.14.3.2.12 | SUN | This object identifier maps to KeyPairGenerator.DSA. Alternatively, you can use 1.2.840.10040.4.1 or DSA. |
| 1.2.840.10045.2.1, OID.1.2.840.10045.2.1 | EC | SunEC | The IBMJCE provider maps these object identifiers to EC. Oracle does not have these object identifiers. |
| 1.2.5.8.1.1, OID.1.2.5.8.1.1 | RSA | SunRsaSign | IBMJCE maps these object identifiers to RSA. Oracle does not have these object identifiers. Both the IBMJCE provider and the Oracle equivalent have object identifiers for 1.2.840.113549.1.1 and OID.1.2.840.113549.1.1. |

Type KeyStore

Table 7. Type KeyStore
| IBMJCE algorithm or alias | Equivalent Oracle algorithm | Oracle provider | Notes |
| --- | --- | --- | --- |
| JCERACFKS | None | | |
| PKCS12, PKCS12KS | PKCS12 | SUN | The IBM JCE implementation of PKCS12 is the same as the Oracle implementation of PKCS12. |
| PKCS12JarSigner | None | | |
| PKCS12S2 | PKCS12 | SUN | The IBM JCE implementation of PKCS12S2 is the same as the Oracle implementation of PKCS12. |

Type Mac

Table 8. Type Mac
| IBMJCE algorithm or alias | Equivalent Oracle algorithm |
| --- | --- |
| AUTH_HMAC_SHA_256_128 | None |
| AUTH_HMAC_SHA_512_256 | None |
| HmacMD2, HMACwithMD2 | None |
| HMACwithMD5 | HmacMD5 (note 1) |
| HMACwithSHA1 | HmacSHA1 (note 1) |
| HMACwithSHA224 | HmacSHA224 (note 1) |
| HMACwithSHA256 | HmacSHA256 (note 1) |
| HMACwithSHA384 | HmacSHA384 (note 1) |
| HMACwithSHA512 | HmacSHA512 (note 1) |
| PBM, 1.2.840.113533.7.66.13, OID.1.2.840.113533.7.66.13, PasswordBasedMac | None |

Table notes:
  1. Non-standard aliases that are available from the IBMJCE provider are not available from Oracle providers. Use a standard algorithm name instead.

Type MessageDigest

Table 9. Type MessageDigest
| IBMJCE algorithm or alias | Equivalent Oracle algorithm |
| --- | --- |
| MD4 | None |
| SHA224 | SHA-224 (note 1) |
| SHA2, SHA-2, SHA256 | SHA-256 (note 1) |
| SHA3, SHA-3, SHA384 | SHA-384 (note 1) |
| SHA5, SHA-5, SHA512 | SHA-512 (note 1) |

Table notes:
  1. Non-standard aliases that are available from the IBMJCE provider are not available from Oracle providers. Use a standard algorithm name instead.

Type SecretKeyFactory

Table 10. Type SecretKeyFactory
| IBMJCE algorithm or alias | Equivalent Oracle algorithm |
| --- | --- |
| AES, 2.16.840.1.101.3.4.1, OID.2.16.840.1.101.3.4.1 | None |
| 3DES | DESede (note 1) |
| Mars | None |
| PBEWithHmacSHA1And128BitAES | PBEWithHmacSHA1AndAES_128 |
| PBEWithHmacSHA1And256BitAES | PBEWithHmacSHA1AndAES_256 |
| PBEWithHmacSHA224And128BitAES | PBEWithHmacSHA224AndAES_128 |
| PBEWithHmacSHA224And256BitAES | PBEWithHmacSHA224AndAES_256 |
| PBEWithHmacSHA256And128BitAES | PBEWithHmacSHA256AndAES_128 |
| PBEWithHmacSHA256And256BitAES | PBEWithHmacSHA256AndAES_256 |
| PBEWithHmacSHA384And128BitAES | PBEWithHmacSHA384AndAES_128 |
| PBEWithHmacSHA384And256BitAES | PBEWithHmacSHA384AndAES_256 |
| PBEWithHmacSHA512And128BitAES | PBEWithHmacSHA512AndAES_128 |
| PBEWithHmacSHA512And256BitAES | PBEWithHmacSHA512AndAES_256 |
| PBEWithMD2AndDES | None |
| PBEWithMD2AndRC2 | None |
| PBEWithMD2AndTripleDES, PBEWithMD2And3DES, PBEWithMD2AndDESede | None |
| PBEWithMD5AndRC2 | None |
| PBEWithMD5And3DES, PBEWithMD5AndDESede | PBEWithMD5AndTripleDES |
| PBEWithSHAAndDES, PBEWithSHA-1AndDES, PBEWithSHA1AndDES | None |
| PBEWithSHA-1And3DES, PBEWithSHA-1AndDESede, PBEWithSHA-1AndTripleDES, PBEWithSHA1And3DES, PBEWithSHA1AndTripleDES, PBEWithSHAAnd3DES, PBEWithSHAAndDESede, PBEWithSHAAndTripleDES | PBEWithSHA1AndDESede |
| 1.2.840.113549.1.12.1.3, OID.1.2.840.113549.1.12.1.3 | PBEWithSHA1AndDESede (note 2) |
| PBEWithSHAAnd3KeyTripleDES, PBEWithSHAAnd3Key3DES, PBEWithSHAAnd3KeyDESede, PBEWithSHA-1And3Key3DES, PBEWithSHA-1And3KeyDESede, PBEWithSHA-1And3KeyTripleDES, PBEWithSHA1And3Key3DES, PBEWithSHA1And3KeyDESede, PBEWithSHA1And3KeyTripleDES | PBEWithSHA1AndDESede |
| PBEWithSHA1AndRC2, PBEWithSHA-1AndRC2, PBEWithSHAAndRC2 | None |
| PBEWithSHAAnd40BitRC2, PBEWithSHA-1And40BitRC2, PBEWithSHA1And40RC2 | PBEWithSHA1AndRC2_40 |
| PBEWithSHAAnd128BitRC2, PBEWithSHA-1And128BitRC2, PBEWithSHA1And128BitRC2 | PBEWithSHA1AndRC2_128 |
| PBEWithSHAAnd40BitRC4, PBEWithSHA-1And40BitRC4, PBEWithSHA1And40BitRC4 | PBEWithSHA1AndRC4_40 |
| PBEWithSHAAnd128BitRC4, PBEWithSHA-1And128BitRC4, PBEWithSHA1And128BitRC4 | PBEWithSHA1AndRC4_128 |
| PBKDF1 | None |
| PBKDF2 | None |
| PKCS5Key | None |
| RC2 | None |
| RC4 | None |
| Seal | None |

Table notes:
  1. Non-standard aliases that are available from the IBMJCE provider are not available from Oracle providers. Use a standard algorithm name instead.
  2. The IBMJCE provider maps these object identifiers to PBEWithSHAAnd3KeyTripleDES. The Oracle equivalent maps these object identifiers to PBEWithSHA1AndDESede.

Type SecureRandom

Table 11. Type SecureRandom
| IBMJCE algorithm or alias | Equivalent Oracle algorithm |
| --- | --- |
| HASHDRBG | DRBG |
| IBMSecureRandom | None (note 1) |
| SHA256DRBG, SHA2DRBG | None |
| SHA512DRBG, SHA5DRBG | None |

Table notes:
  1. [Start of changes for 11.0.15.0] The IBMJCECCA provider still supports the IBMSecureRandom algorithm. If you are using the IBMJCEHybrid provider to route requests between security providers, and the IBMJCECCA provider is not available, the IBMJCEHybrid provider routes requests for the IBMSecureRandom algorithm to the Oracle SUN provider and the SecureRandom.SHA1PRNG algorithm. [End of changes for 11.0.15.0]

Type Signature

Table 12. Type Signature
| IBMJCE algorithm or alias | Equivalent Oracle algorithm | Oracle provider |
| --- | --- | --- |
| DSAforSSL | NONEWithDSA (note 1) | SUN |
| ECDSALforSSL | NONEWithECDSA (note 1) | SunEC |
| 1.3.14.3.2.24, MD2/RSA, OID.1.3.14.3.2.24 | MD2withRSA (note 1) | SunRsaSign |
| 1.3.14.3.2.25, MD5/RSA, OID.1.3.14.3.2.25 | MD2withRSA (note 1) | SunRsaSign |
| RSAPSS, 1.2.840.113549.1.1.10, OID.1.2.840.113549.1.1.10 | None | |
| RSAforSSL | NONEWithRSA (note 1) | Usually SunEC (note 2) |
| OID.1.3.14.3.2.13, OID.1.3.14.3.2.27, SHA-1withDSA | SHA1withDSA (note 1) | SUN |
| SHA-1/ECDSA, SHA-1withECDSA, SHA/ECDSA, SHAwithECDSA | SHA1withECDSA (note 1) | SunEC |
| 1.3.14.3.2.26, RSA, SHA/RSA, SHA-1/RSA, SHA1/RSA, SHAwithRSA, SHA-1withRSA | SHA1withRSA (note 1) | SunRsaSign |
| SHA-2/DSA, SHA-256withDSA, SHA-2withDSA, SHA2/DSA, SHA2withDSA | SHA256withDSA (note 1) | SUN |
| SHA2/RSA, SHA2withRSA | SHA256withRSA (note 1) | SunRsaSign |
| SHA2withECDSA, SHA2/ECDSA | SHA256withECDSA (note 1) | SunEC |
| SHA3withECDSA, SHA3/ECDSA | SHA384withECDSA (note 1) | SunEC |
| SHA3withRSA, SHA3/RSA | SHA384withRSA (note 1) | SunRsaSign |
| SHA5withECDSA, SHA5/ECDSA | SHA512withECDSA (note 1) | SunEC |
| SHA5withRSA, SHA5/RSA | SHA512withRSA (note 1) | SunRsaSign |

Table notes:
  1. Non-standard aliases that are available from the IBMJCE provider are not available from Oracle providers. Use a standard algorithm name instead.
  2. The NONEWithRSA algorithm is unique in that you supply your own MessageDigest object as the data to be signed. A Signature object that does not compute a message digest is therefore required for a provider to service the algorithm. The Oracle java.security.Signature class locates a security provider to service the NONEWithRSA algorithm. If you specify, on your getInstance() call, a particular provider to service the NONEWithRSA algorithm, the java.security.Signature class returns one of the following objects:
    1. An instance of a NONEWithRSA signature object, if the specified provider supports that algorithm
    2. A special NONEWithRSA signature object, if the specified provider supports the RSA/ECB/PKCS1Padding Cipher
    If you do not specify a provider on your getInstance() call, the java.security.Signature class manufactures a NONEWithRSA signature object from an RSA/ECB/PKCS1Padding Cipher object from the first cryptographic provider that offers that cipher algorithm, which is usually SunJCE. The order of preference of providers is determined by the list that is stored in the java.security.Security class. You can get the list by using the java.security.Security.getProviders() method.
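
The behaviour described in note 2, as an added example that is not IBM or Oracle code: the caller hashes the message, wraps the digest in a PKCS #1 v1.5 DigestInfo, signs it with NONEwithRSA without naming a provider, and the result verifies as an ordinary SHA256withRSA signature. The class name `NoneWithRsaDemo`, the throwaway key pair and the sample message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

public class NoneWithRsaDemo {
    // DER prefix of a PKCS #1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2).
    private static final byte[] SHA256_DIGEST_INFO_PREFIX = {
        0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01,
        0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20 };

    public static void main(String[] args) throws GeneralSecurityException {
        // Provider preference order that getInstance() walks when no provider is named.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key, constructed for this demo

        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(message);

        // NONEwithRSA signs its input as-is, so the caller builds the DigestInfo.
        byte[] digestInfo = new byte[SHA256_DIGEST_INFO_PREFIX.length + digest.length];
        System.arraycopy(SHA256_DIGEST_INFO_PREFIX, 0, digestInfo, 0,
            SHA256_DIGEST_INFO_PREFIX.length);
        System.arraycopy(digest, 0, digestInfo, SHA256_DIGEST_INFO_PREFIX.length,
            digest.length);

        Signature raw = Signature.getInstance("NONEwithRSA"); // no provider named
        raw.initSign(kp.getPrivate());
        raw.update(digestInfo);
        byte[] sigBytes = raw.sign();
        System.out.println("NONEwithRSA serviced by: " + raw.getProvider().getName());

        // A digesting signature over the original message accepts the same bytes.
        Signature hashed = Signature.getInstance("SHA256withRSA");
        hashed.initVerify(kp.getPublic());
        hashed.update(message);
        System.out.println("verifies as SHA256withRSA: " + hashed.verify(sigBytes));
    }
}
```

Omitting the DigestInfo prefix and signing the bare digest produces a signature that SHA256withRSA verifiers reject, which is the usual interoperability failure when code is moved to NONEwithRSA.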