Start of changes for service refresh 5 fix pack 10

IBMJCEPlus and IBMJCEPlusFIPS providers

The IBMJCEPlus and IBMJCEPlusFIPS cryptographic providers are implementations of the Java™ Cryptography Extensions (JCE) APIs, which include, for example: ciphers, signatures, message digests, MACs and HMACs, secure random number generation, and key generation.

The IBMJCEPlusFIPS provider provides cryptographic functions to the IBM JSSE2 provider when the latter is used in FIPS mode, which you can enable if you want to use only FIPS-certified cryptography. For more information, see Running IBMJSSE2 in FIPS mode. This separation of function enables improvements and enhancements in IBM JSSE2 without affecting FIPS certification.

Note:

Start of changes for service refresh 8 fix pack 30

The IBMJCEPlusFIPS and IBMJCEFIPS FIPS 140-2 cryptographic providers are considered deprecated technology on platforms where FIPS 140-3 is made available. When the FIPS 140-3 IBMJCEPlusFIPS cryptographic provider is fully supported for production use, the FIPS 140-2 cryptographic providers on those platforms will be subject to removal and in future these providers will be removed on all platforms, even if there is no FIPS 140-3 substitute. All products and customers will need to move to the new FIPS 140-3 IBMJCEPlusFIPS provider for their FIPS certified cryptography. For more information, see FIPS 140-3. End of changes for service refresh 8 fix pack 30

End of changes for service refresh 8 fix pack 30

Start of changes for service refresh 8 fix pack 35 For proper operation of IBMJCEPlus security provider on z/OS®, install and initialize the Central Processor Assist for Cryptographic Function (CPACF) hardware function and configure the random number files on z/OS. CPACF provides hardware acceleration for various cryptographic operations and is used by IBMJCEPlus to enhance the efficiency of cryptographic processing by offloading tasks from the main CPU. Ensuring that CPACF is properly initialized on z/OS is essential for IBMJCEPlus to function effectively and meet the security and performance demands of enterprise applications. If CPACF is not installed or the random number files are not available, IBMJCEPlus will encounter a java.security.ProviderException: Failed to initialize IBMJCEPlus provider error during startup. For more information about the random number files, see https://www.ibm.com/docs/en/zos/3.1.0?topic=files-random-number. End of changes for service refresh 8 fix pack 35

The IBMJCEPlus and IBMJCEPlusFIPS providers are supported on AIX®, Windows, and Linux®. Start of changes for service refresh 6 fix pack 25 From service refresh 6, fix pack 25, the IBMJCEPlus provider is also supported on z/OS; the IBMJCEPlusFIPS provider is not yet supported on that operating system. End of changes for service refresh 6 fix pack 25 .

With the z17® updates, the following performance improvements for HMAC are available on z/OS platforms.

z17 adds the Message Security Assist Extension 11
Through the IBMJCEPlus provider, Java uses the new KMAC-HMAC-SHA function codes that are available to improve Message digest performance

The z17 HMAC performance improvements were added in service refresh 8, fix pack 45.

The IBMJCEPlus and IBMJCEPlusFIPS cryptographic providers are intended to supersede the IBMJCE and IBMJCEFIPS providers. The newer providers have similar functionality to their older equivalents, although currently the IBMJCEPlus provider does not support key management or use of the keytool utility. The newer providers offer support for newer algorithms (some of which are required for TLS 1.3), other hardware-accelerated cryptographic capabilities (where supported), and performance enhancements. IBMJCEPlusFIPS also has later FIPS certification, which will continue to be renewed when needed; the certificate for IBMJCEFIPS will not be renewed nor will new enhancements be added, so you should use the newer providers where possible.

Start of changes for service refresh 8 fix pack 20

When the JVM is in FIPS 140-2 mode and the IBMJCEPlusFIPS provider is used the following message is displayed:

The IBMJCEPlusFIPS provider is configured for FIPS 140-2. Please note that the 140-2 configuration may be removed in the future.

To turn off the display of this message, set the system property, -Dcom.ibm.fips.silentUsage=true on the command line. End of changes for service refresh 8 fix pack 20

End of changes for service refresh 8 fix pack 20

The providers are contained within a single .jar file called ibmjceplus.jar. The IBMJCEPlus provider is not FIPS-compliant, whereas the IBMJCEPlusFIPS provider is (see Certificate #3064).

Both providers use native interfaces to various hardware platforms, offering hardware-accelerated cryptographic algorithms where supported, which is an advantage over the standard IBMJCE and IBMJCEFIPS providers. Although the IBMJCEPlus and IBMJCEPlusFIPS providers have similar functionality to the IBMJCE and IBMJCEFIPS providers, the "Plus" providers can operate differently in some situations. The following list shows known differences in behavior:

RSA decryption with the NoPadding option leaves padding bytes in the decrypted text because it is not known whether some of the 0 bytes are padding bytes or part of the plaintext. This behavior matches the behavior of the Oracle JDK. The IBMJCE and IBMJCEFIPS providers attempt to remove the padding bytes and strip all leading 0 bytes. Leading 0 bytes in the plaintext are therefore removed in the recovered text.
While in FIPS mode (using IBMJCEPlusFIPS), asymmetric key generation might periodically fail to produce keys of the appropriate size. The underlying implementation might fail with a 1-in-256 chance. If a failure occurs, call the key generation routine again.

Supported algorithms

The following tables show the algorithms that are supported. More algorithm support is intended for future releases.

Support for the following algorithms was added in service refresh 6:

DH
RSAPSS
ChaCha20 and ChaCha20-Poly1305 (IBMJCEPlus provider only)
kda-hkdf-with-sha1, kda-hkdf-with-sha224, kda-hkdf-with-sha256, kda-hkdf-with-shasha384, and kda-hkdf-with-sha512 (IBMJCEPlus provider only)

Start of changes for service refresh 6 fix pack 10

Support for the following algorithms was added in service refresh 6, fix pack 10:

XDH (X25519, X448)

End of changes for service refresh 6 fix pack 10

Support for the following algorithms was added in service refresh 7:

HMAC-SHA3 algorithms for message authentication code (IBMJCEPlus provider only)
SHA3 algorithms for creating message digests (IBMJCEPlus provider only)

Start of changes for service refresh 7 fix pack 5

Support for the following algorithm was updated in service refresh 7 fix pack 5:

The AES algorithm now supports the CTR cipher mode of operation.

End of changes for service refresh 7 fix pack 5

Start of changes for service refresh 8 fix pack 15

Support for the following cipher mode was added in service refresh 8 fix pack 15:

CCM mode for the AES cipher

End of changes for service refresh 8 fix pack 15

Support for the following algorithms was added in service refresh 8 fix pack 20:

Password Based Encryption (PBE) algorithm parameter.
PBEWith<digest>And<encryption>: The password-based encryption cipher algorithm (PKCS #5), using the specified message digest (<digest>) and encryption algorithm (<encryption>). Some combinations of <digest> and <encryption> might not be valid.
- <digest> can have one of the following values: MD2, MD5, SHA, SHA1, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512
- <encryption> can have one of the following values: DES, DESede, TripleDES, 2KeyTripleDES, 3KeyTripleDES, RC4_40, RC4_128, AES_128, AES_256
PBEWith<digest>and<encryption>: The password-based secret key factory algorithm using the specified message digest (<digest>) and encryption algorithm (<encryption>). Some combinations of <digest> and <encryption> might not be valid.
- <digest> can have one of the following values: MD2, MD5, SHA, SHA1, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512
- <encryption> can have one of the following values: DES, DESede, TripleDES, 2KeyTripleDES, 3KeyTripleDES, RC4_40, RC4_128, AES_128, AES_256
PBKDF2With<digest>: The password-based secret key factory algorithm using the specified message digest (<digest>).
- <digest> can have one of the following values: HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512

Start of changes for service refresh 8 fix pack 50

IBMJCEPlus provider enhances the security of Java applications by providing an implementation of quantum-resistant Module-Lattice-Based Digital Signature Algorithm (ML-DSA) and quantum-resistant Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM). While digital signatures are used to detect unauthorized modifications to data and to authenticate the identities of signatories cryptography, key encapsulation mechanisms are used to secure symmetric communication channels by using public key. Both ML-DSA and ML-KEM are designed to be secure against future quantum computing attacks. ML-DSA has been standardized by the United States National Institute of Standards and Technology (NIST) in FIPS 204 and ML-KEM in FIPS 203.

Support for the following algorithms was added in service refresh 8 fix pack 50:

ML-DSA-44, ML-DSA-65, ML-DSA-87
ML-KEM-512, ML-KEM-768, ML-KEM-1024

Draft versions of RFCs for these algorithms are available at following locations:

The implementations might change in the future when the RFCs are finalized.

The ML-DSA and ML-KEM algorithms are supported in 64-bit JVMs in the following environments:

Linux on X86
Linux on IBM® Power® Little Endian (LE)
AIX on POWER®
Windows

ML-KEM is externalized to Java Applications as a Key Agreement algorithm but differs from other Key Agreement algorithms like Diffie-Hellman in the following aspects:

ML-KEM key agreement supports key agreements between two parties only, not multiple parties.
ML-KEM key pair generation ignores any externally provided seed and instead uses an internally generated seed.
A shared secret that is computed by this algorithm is exactly 32 bytes.
During the init methods, AlgorithmParameterSpec parameterSpec is ignored and ML-KEM algorithm that is associated with PrivateKey is used.
Unlike Diffie-Hellman, engineGenerateSecret method is not used to compute a shared secret between two parties. Calling this method results in an IllegalStateException with a message “Unsupported operation. This operation is unsupported. A shared secret is computed during doPhase”.
Computation of a shared secret and decryption of a previously encrypted shared secret is done by using the doPhase method. This method accepts a PQCPublic Key and a Boolean parameter true. The method returns a computed shared secret and an encrypted format of the secret in a PQCKEMSecret object that extends a Java Key class.

The computed secret can then be used as a seed to a Symmetric Key Algorithm like AES KeyGenerator but must be done by a Java application separately.

The steps to compute a shared secret between two parties are illustrated with an example in Appendix D. In the example, Alice and Bob generate a shared secret. The shared secret between Alice and Bob is compared to illustrate successful key agreement. End of changes for service refresh 8 fix pack 50

End of changes for service refresh 8 fix pack 50

Table 1. Algorithms supported by the IBMJCEPlus provider
API	Supported algorithms
Algorithm parameter	AES, CCM, ChaCha20, ChaCha20-Poly1305, DESede, DH, DSA, EC, GCM, OAEP, PBE, RSAPSS,
Algorithm parameter generator	CCM, DH, DSA, EC, GCM
Cipher algorithms	AES, ChaCha20, ChaCha20-Poly1305, DESede, PBEWith<digest>And<encryption>, RSA
Cipher modes	AES supports these modes: CBC, CCM, CFB8, CFB128, CFB, CTR, ECB, GCM, OFB DESede supports these modes: CBC, ECB RSA supports these modes: null, ECB, SSL
Key agreement algorithms	DH, ECDH, ML-KEM-512, ML-KEM-768, ML-KEM-1024, XDH, X25519, X448
Key factory	DH, DSA, EC, EdDSA, Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87, ML-KEM-512, ML-KEM-768, ML-KEM-1024, RSA, RSAPSS, XDH, X25519, X448
Key generator	AES, ChaCha20, DESede, HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512 , kda-hkdf-with-sha1, kda-hkdf-with-sha224, kda-hkdf-with-sha256, kda-hkdf-with-shasha384, kda-hkdf-with-sha512
Key pair generator	DH, DSA, EC, ML-DSA-44, ML-DSA-65, ML-DSA-87, ML-KEM-512, ML-KEM-768, ML-KEM-1024, RSA, XDH, X25519, X448
Message authentication code (MAC)	HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512
Message digest	MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512
Secret key factory	AES, ChaCha20, DESede, PBEWith<digest>And<encryption>, PBKDF2With<digest>
Secure random	HASHDRBG, SHA256DRBG (default), SHA512DRBG
Signature algorithms	EdDSA, Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87, NONEwithDSA, NONEwithECDSA, NONEwithRSA, RSAPSS, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA1withECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA3-224withDSA, SHA3-256withDSA, SHA3-384withDSA, SHA3-512withDSA, SHA3-224withECDSA, SHA3-256withECDSA, SHA3-384withECDSA, SHA3-512withECDSA, SHA3-224withRSA, SHA3-256withRSA, SHA3-384withRSA, SHA3-512withRSA

Table 2. Algorithms supported by the IBMJCEPlusFIPS provider
API	Supported algorithms
Algorithm parameter	AES, CCM, DESede, DH, DSA, EC, GCM, OAEP, RSAPSS
Algorithm parameter generator	CCM, DH, DSA, EC, GCM
Cipher algorithms	AES, DESede, RSA
Cipher modes	AES supports these modes: CBC, CCM, CFB8, CFB128, CFB, CTR, ECB, GCM, OFB DESede supports these modes: CBC, ECB RSA supports these modes: null, ECB, SSL
Key agreement algorithms	DH, ECDH
Key factory	DH, DSA, EC, RSA, RSAPSS
Key generator	AES, DESede, HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512
Key pair generator	DH, DSA, EC, RSA
Message authentication code (MAC)	HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512
Message digest	MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Secret key factory	AES, DESede
Secure random	HASHDRBG, SHA256DRBG, SHA512DRBG
Signature algorithms	NONEwithDSA, SHA1withDSA, SHA224withDSA, SHA256withDSA, NONEwithECDSA, SHA1withECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, NONEwithRSA, SHA1withRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, RSAPSS

Supported elliptic curves

The following table lists the elliptic curves that the IBMJCEPlus and IBMJCEPlusFIPS providers implement, their object identifier, and any additional names or aliases that are used to refer to them. All the strings that appear in one row refer to the same curve. For example, the strings secp256r1, 1.2.840.10045.3.1.7, NIST P-256, and

X9.62
prime256v1

refer to the same curve. You can use the curve names to create parameter specifications for EC parameter generation with the ECGenParameterSpec class. Start of changes for service refresh 7 fix pack 15

Start of changes for service refresh 7 fix pack 15

IBMJCEPlus and IBMJCEPlusFIPS providers are enhanced to support Brainpool elliptic curves in service refresh 7 fix pack 15. End of changes for service refresh 7 fix pack 15

End of changes for service refresh 7 fix pack 15

Table 3. Elliptic curves implemented by IBMJCEPlus and IBMJCEPlusFIPS
Curve name	Object identifier	Additional names or aliases
`secp160k1`	`1.3.132.0.9`
`secp160r1`	`1.3.132.0.8`
`secp160r2`	`1.3.132.0.30`
`secp192k1`	`1.3.132.0.31`
`secp192r1`	`1.2.840.10045.3.1.1`	`NIST P-192, X9.62 prime192v1`
`secp224k1`	`1.3.132.0.32`
`secp224r1`	`1.3.132.0.33`	`NIST P-224`
`secp256k1`	`1.3.132.0.10`
`secp256r1`	`1.2.840.10045.3.1.7`	`NIST P-256, X9.62 prime256v1`
`secp384r1`	`1.3.132.0.34`	`NIST P-384`
`secp521r1`	`1.3.132.0.35`	`NIST P-521`
`X9.62 prime192v2`	`1.2.840.10045.3.1.2`
`X9.62 prime192v3`	`1.2.840.10045.3.1.3`
`X9.62 prime239v1`	`1.2.840.10045.3.1.4`
`X9.62 prime239v2`	`1.2.840.10045.3.1.5`
`X9.62 prime239v3`	`1.2.840.10045.3.1.6`
`brainpoolP160r1`	`1.3.36.3.3.2.8.1.1.1`
`brainpoolP192r1`	`1.3.36.3.3.2.8.1.1.3`
`brainpoolP224r1`	`1.3.36.3.3.2.8.1.1.5`
`brainpoolP256r1`	`1.3.36.3.3.2.8.1.1.7`
`brainpoolP320r1`	`1.3.36.3.3.2.8.1.1.9`
`brainpoolP384r1`	`1.3.36.3.3.2.8.1.1.11`
`brainpoolP512r1`	`1.3.36.3.3.2.8.1.1.13`

The following table lists other elliptic curves that are implemented by the IBMJCEPlus provider only.

Table 4. Elliptic curves implemented by the IBMJCEPlus provider only
Curve name	Object identifier
`secp112r1`	`1.3.132.0.6`
`secp112r2`	`1.3.132.0.7`
`secp128r1`	`1.3.132.0.28`
`secp128r2`	`1.3.132.0.29`

Known limitations

These limitations also affect the IBMJSSE2 provider, if you use it with the IBMJCEPlus or IBMJCEPlusFIPS provider.

Elliptic Curve Diffie-Hellman Key Agreement is supported. Diffie-Hellman Key Agreement is supported only from service refresh 6.
RSA private keys must be CRT (Chinese Remainder Theorem) keys. Private keys without the CRT parameters are not supported. Generated key pairs will have CRT private keys.
RSA decryption with the NoPadding option might leave padding bytes in the decrypted text.
Binary Elliptic Curves are not supported.
IBMJCEPlusFIPS asymmetric key generation might periodically fail to produce keys of the appropriate size (1 in 256 chance). If this situation occurs, call the key generation routine again.
The providers in IBMJCEPlus do not have their own Keystore implementations. Instead, Keystore implementations (JKS, JCEKS, PKCS#12) come from the IBMJCE provider.
The RSA-PSS signature object cannot be initialized with a message digest algorithm that is not the same as the one supplied in the MGFParameterSpec.
Before service refresh 7, the IBMJCEPlus and IBMJCEPlusFIPS providers did not support Cipher.update encryption and decryption operations for the AES-GCM algorithm (see Encrypting and Decrypting Data). From service refresh 7, this restriction is removed.
AES-GCM encryption and decryption Cipher.update operations should be done only for large amounts of data that need to be protected, for the following reason. The authentication tag can be validated only on the doFinal (Cipher.doFinal()) operation; if the doFinal operation fails for any reason, all plaintext that is returned from a previous update operation must be discarded. For smaller amounts of data, it is therefore sensible to run only doFinal operations.

AES-GCM is not suggested for use with the cipher stream APIs (CipherInputStream and CipherOutputStream) because these APIs were not designed to deal with the complexities of AES-GCM, such as the one just described.
RSAPSS signature does not support RSA plain keys.
RSAPSS supports SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 as input digest algorithms.
EdDSA signature supports two pure modes of Ed25519 or Ed448. Ed25519ph, Ed448ph and Ed25519ctx are not supported.
CCM mode for the AES cipher does not support Cipher.update(). Only Cipher.doFinal() is supported.
When JSSE is enabled to run in FIPS 140-2 mode, RSA key exchange cipher suites are disabled because of the Timing Oracle in RSA Decryption CVE-2023--33850 issue. As the fix could not be provided, RSA encryption and decryption support has been removed from the IBMJCEPlusFIPS provider for FIPS 140-2. The RSA encryption and decryption support is available in the IBMJCEPlus provider and can be used instead. The CVE-2023--33850 issue impacts the following cipher suites:
- SSL_RSA_WITH_AES_256_GCM_SHA384
- SSL_RSA_WITH_AES_128_GCM_SHA256
- SSL_RSA_WITH_AES_256_CBC_SHA256
- SSL_RSA_WITH_AES_128_CBC_SHA256
- SSL_RSA_WITH_AES_256_CBC_SHA
- SSL_RSA_WITH_AES_128_CBC_SHA

End of changes for service refresh 5 fix pack 10