Most developers are aware that writing their own implementations of cryptographic algorithms invites security trouble, so most applications access cryptography through the standard Java Cryptographic Architecture (JCA), using an existing crypto provider or Java Crypto Engine (JCE).
However, using a standard crypto provider is by no means the end of the security story. Developers must choose the right algorithms, manage their parameters in the right way, employ the right cryptographic modes for their applications, take care over random number generation, avoid key management vulnerabilities, and put all this together into secure cryptographic protocols.
This white paper is intended for developers who use, or are considering using, the Java crypto API, and for application security testers who review crypto security. We will tour the Java crypto API and explain common mistakes that cause security problems and crop up frequently in real applications.