Thursday, May 12, 2016

Encryption Algorithms

Algorithms

There are a few dozen standard algorithms. The ones we’re most likely to be interested in are:

Symmetric Cipher

  • KeyGenerator – creates symmetric key
  • SecretKeyFactory – converts between symmetric keys and raw bytes
  • Cipher – encryption cipher
  • AlgorithmParameters – algorithm parameters
  • AlgorithmParameterGenerator – algorithm parameters

Asymmetric Cipher

  • KeyPairGenerator – creates public/private keys
  • KeyFactory – converts between keypairs and raw bytes
  • Cipher – encryption cipher
  • Signature – digital signatures
  • AlgorithmParameters – algorithm parameters
  • AlgorithmParameterGenerator – algorithm parameters

Digests

  • MessageDigest – digest (MD5, SHA1, etc.)
  • Mac – HMAC. Like a message digest, but it also requires an encryption key, so it can’t be forged by an attacker

Certificates and KeyStores

  • KeyStore – JKS, PKCS, etc.
  • CertStore – like keystore but only stores certs.
  • CertificateFactory – converts between digital certificates and raw bytes.

It is critical to remember that most algorithms are provided for backward compatibility and should not be used in greenfield development. As I write this the generally accepted advice is:
  • Use a variant of AES. Only use AES-ECB if you know with absolute certainty that you will never encrypt more than one blocksize (16 bytes) of data.
  • Always use a good random IV even if you’re using AES-CBC. Do not use the same IV or an easily predicted one.
  • Do not use less than 2048 bits in an asymmetric key.
  • Use SHA-256 or better. MD5 is considered broken, and SHA-1 will be considered broken in the near future.
  • Use PBKDF2WithHmacSHA1 to create an AES key from passwords/passphrases. (See also Creating Password-Based Encryption Keys.)
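
The advice above, combined into one Java example that is added here and is not code from the original post: a passphrase is stretched with PBKDF2WithHmacSHA1 into an AES key, and each message gets a fresh random salt and IV for AES-CBC. The iteration count, key size, salt length, class name and the salt || IV || ciphertext layout are assumptions chosen for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordAes {
    // Assumed parameters, not from the post: tune the iteration count to your hardware.
    static final int ITERATIONS = 200_000, KEY_BITS = 128, SALT_LEN = 16, IV_LEN = 16;
    static final SecureRandom RNG = new SecureRandom();

    // PBKDF2WithHmacSHA1 stretches the passphrase and salt into raw AES key bytes.
    static SecretKeySpec deriveKey(char[] pass, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass, salt, ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword(); // drop the internal copy of the passphrase
        return new SecretKeySpec(raw, "AES");
    }

    // Output layout: salt || iv || ciphertext. Salt and IV are fresh for every message.
    // CBC alone gives confidentiality only; it does not detect tampering.
    static byte[] encrypt(char[] pass, byte[] plain) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(pass, salt), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(salt, SALT_LEN + IV_LEN + ct.length);
        System.arraycopy(iv, 0, out, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + IV_LEN, ct.length);
        return out;
    }

    static byte[] decrypt(char[] pass, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pass, salt), new IvParameterSpec(blob, SALT_LEN, IV_LEN));
        return c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "correct horse battery staple".toCharArray(); // constructed sample passphrase
        byte[] msg = "sample text that is longer than one 16-byte block".getBytes(StandardCharsets.UTF_8);
        byte[] a = encrypt(pass, msg), b = encrypt(pass, msg);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(pass, a)));
        System.out.println("same input, different output: " + !Arrays.equals(a, b));
    }
}
```

Because the salt and IV are random per call, encrypting the same plaintext twice yields different output, which is the property the IV advice is meant to guarantee.
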
Some people might want to use one of the other AES-candidate ciphers (e.g., twofish). These ciphers are probably safe but you might run into problems if you’re sharing files with other parties since they’re not in the required cipher suite.

In practice many if not most people use a third-party cryptographic library like BouncyCastle.

Final Notes

  1. Storing the plain-text password without hashing is the most dangerous thing for application security today.
  2. MD5 provides basic hashing for generating a secure password hash. Adding a salt makes it stronger.
  3. MD5 generates a 128-bit hash. To make it more secure, use a SHA algorithm, which generates hashes from 160 bits to 512 bits long. 512-bit is the strongest.
  4. Even SHA-hashed passwords can be cracked with today’s fast hardware. To beat that, you will need algorithms that make brute-force attacks slower and minimize the impact. Such algorithms are PBKDF2, BCrypt and SCrypt.
  5. Please give it careful thought before choosing a security algorithm.
  6. Generate Secure Password Hash : MD5, SHA, PBKDF2, BCrypt Examples
  7. How to Encrypt user passwords
  8. Symmetric and Asymmetric encryption overview
  9. Symmetric-vs-Asymmetric-Encryption
