home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  

Book Home Java Security Search this book

13.3. Key Types in the JCE

The JCE introduces many new types of keys. Some of these are new types of public and private keys that extend our previous exploration of keys, and some of these are a new type of key: a secret key.

The new public and private key types are defined in the javax.crypto.interfaces package of the JCE as new interfaces:

public interface DHKey
public interface DHPrivateKey extends DHKey, PrivateKey
public interface DHPublicKey extends DHKey, PublicKe y

This set of interfaces defines keys suitable for use in Diffie-Hellman algorithms. In the SunJCE provider, they are used for the key agreement engine.

Like their DSA-based counterparts (the DSAKey, DSAPublicKey, and DSAPrivateKey classes), these interfaces all have specific methods to retrieve the values of certain parameters of the key. Since they are all keys, they support a byte-encoded format as well. For our purposes, however, we'll treat their data as opaque objects. The Diffie-Hellman keys are used in the key agreement protocol we discuss later in this chapter.

13.3.1. Secret Keys

The new type of key in the JCE is a secret key. A secret key is a key that is shared between two parties in a cryptographic operation.

Until now, we've used public key/private key pairs for all our operations. For instance, the digital signature algorithms we explored in Chapter 12, "Digital Signatures" all depended on public key cryptography to alter the message digest of the data they signed. These algorithms chose to use public key encryption because it simplified the way in which keys were exchanged, as well as reducing the number of keys that needed to be exchanged between parties. It is possible to use public and private key pairs to perform encryption of data using the APIs in this chapter; because two different keys are involved, this type of encryption is called asymmetric encryption.

Cryptographic algorithms can also implement symmetric operations, in which case only a single key is necessary. In symmetric encryption, the same key that was originally used to encrypt the data can also be used to decrypt the data. Hence, for these encryption algorithms, only a single key is necessary. This single key is also called a secret key, since the key itself must be kept secret by the parties who are exchanging the encrypted data. Anyone who has access to the key and to the encrypted data also has access to the data.

The key used by the encryption engine--whether it is used by a symmetric or an asymmetric encryption algorithm--is still an instance of the class java.security.Key. Just as there were interfaces that identified types of keys as public (PublicKey) or private (PrivateKey), there is a new SecretKey interface (javax.crypto.SecretKey) that is used by symmetric keys.

public interface SecretKey extends Key

Identify a class as being a symmetric key. Like other extensions of the Key interface, this interface has no methods and is used strictly for type identification.

As usual, there are no classes in the javax package that implement this interface, though some are provided in the sun package. A simple implementation of this interface must include the usual methods that are in the Key interface:

Class Definition

public class XORKey implements SecretKey {
	byte value;

	public XORKey(byte b) {
		value = b;

	public String getAlgorithm() {
		return "XOR";

	public String getFormat() {
		return "XOR Special Format";

	public byte[] getEncoded() {
		byte b[] = new byte[1];
		b[0] = value;
		return b;

Unlike public and private keys, secret keys are not associated with identities and are not integrated into a key management system. Secret keys must therefore be managed with different techniques, which we'll examine at the end of this chapter.

Library Navigation Links

Copyright © 2001 O'Reilly & Associates. All rights reserved.