About this Whitepaper
Most developers are aware that writing their own implementations of cryptographic algorithms is inviting security trouble, hence most applications access cryptography through the standard Java Cryptographic Architecture (JCA), using an existing crypto provider or Java Crypto Engine (JCE).
However, using a standard crypto provider is by no means the end of the security story. Developers must take care to choose the right algorithms, manage their parameters in the right way, employ the right cryptographic modes for their applications, take care over random number generation, avoid key management vulnerabilities and put all this together into secure cryptographic protocols.
This whitepaper is intended for developers who use, or are considering using, the Java crypto API, and for application security testers who review crypto security. It is not intended to be an introduction to cryptography, but rather a concise guide for readers familiar with crypto basics. We will tour the Java crypto API and explain common mistakes that cause security problems and crop up frequently in real applications. Finally, we discuss crypto security audit for Java, and show how Cryptosense’ Analyzer can automate the process, drastically improving coverage while reducing time taken.