Java Crypto: Don’t Just Get it Working, Use it Securely

Tools (716AB) October 5, 2022 1:30 pm - 2:30 pm Feedback     

Bookmark and Share

Mansi Sheth

JavaCrypto is easy-to-use, light-weight, modern library for all core cryptographic operations needed to build higher-level cryptographic tools. It’s a drop-and-hook bundle of APIs responsible for performing various cryptographic primitives, such as encryption, decryption, digital signatures, password storage etc in the most secure way possible while using Java Cryptography Architecture (JCA).

Why do we need this library when JCA already provides a rich set of APIs? Well, JCA reference documentation is exhaustive; however, there is very little emphasis given on security aspect. JCA is loaded with bad architectural designs, over-abundance & insecure choices of algorithms and the list can go on. This tool aims to take away the complexities and responsibilities of implementing it safely and more important keeping up with the latest industry happening.

How is it different from similar projects such as Google Tink, libsodium et al? Java projects needs a native Java Crypto library to work with, forcing us to have a substitute for excellent libsodium. Tink is an option for higher language support, but a bit lost in everything Google making it heavy weight and complex by trying to do too many things & using only its own protocols and tools such as babel & ProtoBuf.

JavaCrypto is a rich collection of highly configurable APIs for all needs. We have support for government approved (AES-GCM, PDKDF2, ECDSA) and not yet approved (Argon2id, Edward Curves) algorithms. We have consciously kept away from supporting any insecure or non-future-proofed algorithms.

Contributing to open source and support DevSecOps principles; JavaCrypto aims to fill the gaps of modular security libraries. As per your architecture, you can choose to pick just the easily-injectable crypto module or combine it with the microservice. You can also grab the containerized version from the docker hub to incorporate it straight into your DevSecOps pipelines.