En este documento, se describe la manera adecuada de usar los recursos criptográficos de Android y se incluyen algunos ejemplos. Si tu app requiere una clave de seguridad mayor, usa el sistema de almacén de claves de Android.
Especifica un proveedor solo con el sistema Android Keystore
Si usas el sistema Android Keystore, debes especificar un proveedor.
Sin embargo, en otras situaciones, Android no garantiza un proveedor en particular para un algoritmo determinado. Especificar un proveedor sin utilizar el sistema de almacén de claves de Android podría provocar problemas de compatibilidad en versiones futuras.
Elige un algoritmo recomendado
Si tienes la libertad de elegir qué algoritmo usar (por ejemplo, si no requieres compatibilidad con un sistema de terceros), te recomendamos que uses los siguientes algoritmos:
Clase | Recomendación |
---|---|
Cifrado | AES en modo CBC o GCM con claves de 256 bits (como AES/GCM/NoPadding ) |
MessageDigest | Familia SHA-2 (p. ej., SHA-256 ) |
Mac | HMAC de la familia SHA-2 (p. ej., HMACSHA256 ) |
Firma | Familia SHA-2 con ECDSA (p. ej., SHA256withECDSA ) |
Ejecuta operaciones criptográficas comunes
En las siguientes secciones, se incluyen fragmentos que demuestran cómo puedes realizar operaciones criptográficas comunes en tu app.
Lee un archivo
Kotlin
// Although you can define your own key generation parameter specification, it's // recommended that you use the value specified here. val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC val mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec) val fileToRead = "my_sensitive_data.txt" val encryptedFile = EncryptedFile.Builder( File(DIRECTORY, fileToRead), applicationContext, mainKeyAlias, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build() val inputStream = encryptedFile.openFileInput() val byteArrayOutputStream = ByteArrayOutputStream() var nextByte: Int = inputStream.read() while (nextByte != -1) { byteArrayOutputStream.write(nextByte) nextByte = inputStream.read() } val plaintext: ByteArray = byteArrayOutputStream.toByteArray()
Java
Context context = getApplicationContext(); // Although you can define your own key generation parameter specification, it's // recommended that you use the value specified here. KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC; String mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec); String fileToRead = "my_sensitive_data.txt"; EncryptedFile encryptedFile = new EncryptedFile.Builder( new File(DIRECTORY, fileToRead), context, mainKeyAlias, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build(); InputStream inputStream = encryptedFile.openFileInput(); ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); int nextByte = inputStream.read(); while (nextByte != -1) { byteArrayOutputStream.write(nextByte); nextByte = inputStream.read(); } byte[] plaintext = byteArrayOutputStream.toByteArray();
Escribe un archivo
Kotlin
// Although you can define your own key generation parameter specification, it's // recommended that you use the value specified here. val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC val mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec) // Create a file with this name, or replace an entire existing file // that has the same name. Note that you cannot append to an existing file, // and the file name cannot contain path separators. val fileToWrite = "my_sensitive_data.txt" val encryptedFile = EncryptedFile.Builder( File(DIRECTORY, fileToWrite), applicationContext, mainKeyAlias, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build() val fileContent = "MY SUPER-SECRET INFORMATION" .toByteArray(StandardCharsets.UTF_8) encryptedFile.openFileOutput().apply { write(fileContent) flush() close() }
Java
Context context = getApplicationContext(); // Although you can define your own key generation parameter specification, it's // recommended that you use the value specified here. KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC; String mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec); // Create a file with this name, or replace an entire existing file // that has the same name. Note that you cannot append to an existing file, // and the file name cannot contain path separators. String fileToWrite = "my_sensitive_data.txt"; EncryptedFile encryptedFile = new EncryptedFile.Builder( new File(DIRECTORY, fileToWrite), context, mainKeyAlias, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build(); byte[] fileContent = "MY SUPER-SECRET INFORMATION" .getBytes(StandardCharsets.UTF_8); OutputStream outputStream = encryptedFile.openFileOutput(); outputStream.write(fileContent); outputStream.flush(); outputStream.close();
Encripta un mensaje
Kotlin
val plaintext: ByteArray = ... val keygen = KeyGenerator.getInstance("AES") keygen.init(256) val key: SecretKey = keygen.generateKey() val cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING") cipher.init(Cipher.ENCRYPT_MODE, key) val ciphertext: ByteArray = cipher.doFinal(plaintext) val iv: ByteArray = cipher.iv
Java
byte[] plaintext = ...; KeyGenerator keygen = KeyGenerator.getInstance("AES"); keygen.init(256); SecretKey key = keygen.generateKey(); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] ciphertext = cipher.doFinal(plaintext); byte[] iv = cipher.getIV();
Genera un resumen del mensaje
Kotlin
val message: ByteArray = ... val md = MessageDigest.getInstance("SHA-256") val digest: ByteArray = md.digest(message)
Java
byte[] message = ...; MessageDigest md = MessageDigest.getInstance("SHA-256"); byte[] digest = md.digest(message);
Genera una firma digital
Debes tener un objeto PrivateKey que contenga la clave de firma, que puedes generar en el entorno de ejecución, leer desde un archivo incluido en tu app u obtener de alguna otra fuente según tus necesidades.
Kotlin
val message: ByteArray = ... val key: PrivateKey = ... val s = Signature.getInstance("SHA256withECDSA") .apply { initSign(key) update(message) } val signature: ByteArray = s.sign()
Java
byte[] message = ...; PrivateKey key = ...; Signature s = Signature.getInstance("SHA256withECDSA"); s.initSign(key); s.update(message); byte[] signature = s.sign();
Verifica una firma digital
Debes tener un objeto PublicKey que contenga la clave pública del firmante, que puedes leer de un archivo incluido en tu app, extraer de un certificado u obtener de alguna otra fuente según tus necesidades.
Kotlin
val message: ByteArray = ... val signature: ByteArray = ... val key: PublicKey = ... val s = Signature.getInstance("SHA256withECDSA") .apply { initVerify(key) update(message) } val valid: Boolean = s.verify(signature)
Java
byte[] message = ...; byte[] signature = ...; PublicKey key = ...; Signature s = Signature.getInstance("SHA256withECDSA"); s.initVerify(key); s.update(message); boolean valid = s.verify(signature);
Complejidades de implementación
Hay algunos detalles de la implementación de la criptografía de Android que parecen poco comunes, pero que se incluyen debido a problemas de compatibilidad. En esta sección, se analizan los que probablemente encontrarás.
Resumen del mensaje de OAEP MGF1
Los cifrados de RSA OAEP se parametrizan mediante dos resúmenes de mensajes diferentes: el resumen "principal" y el resumen de MGF1. Existen identificadores de algoritmo de cifrado que incluyen nombres de resumen, como Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding")
, que especifican el resumen principal y dejan el resumen de MGF1 sin especificar. En el caso del almacén de claves de Android, se usa SHA-1 para el resumen de MGF1, mientras que, para otros proveedores de criptografía de Android, los dos resúmenes son iguales.
Para tener más control sobre los resúmenes que utiliza tu app, debes solicitar un algoritmo de cifrado con OAEPPadding, como en Cipher.getInstance("RSA/ECB/OAEPPadding")
, y proporcionar una OAEPParameterSpec
a init()
a fin de elegir de manera explícita ambos resúmenes.
Kotlin
val key: Key = ... val cipher = Cipher.getInstance("RSA/ECB/OAEPPadding") .apply { // To use SHA-256 the main digest and SHA-1 as the MGF1 digest init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)) // To use SHA-256 for both digests init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT)) }
Java
Key key = ...; Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // To use SHA-256 the main digest and SHA-1 as the MGF1 digest cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)); // To use SHA-256 for both digests cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
Funcionalidad obsoleta
En las siguientes secciones, se describe la funcionalidad obsoleta que ya no debes usar en la app.
Algoritmos de Bouncy Castle
Las implementaciones de Bouncy Castle de muchos algoritmos son obsoletas. Esto solo afecta a casos en los que solicitas explícitamente el proveedor de Bouncy Castle, como se muestra en el siguiente ejemplo:
Kotlin
Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC") // OR Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"))
Java
Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC"); // OR Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"));
Como se indicó antes, no se recomienda que solicites un proveedor específico, por lo que, si sigues esa pauta, el hecho de que este deje de estar disponible no debería afectarte.
Cifrados de encriptación basados en contraseñas sin IV
Los algortimos de cifrado de encriptación basados en contraseñas (PBE) que requieren un vector de inicialización (IV) pueden obtenerlo de la clave, si están construidos adecuadamente, o a partir de un IV que se pasa de manera explícita. Cuando se pasa una clave PBE que no contiene un IV ni un IV explícito, los algoritmos de cifrado de PBE en Android actualmente suponen un IV de cero.
Cuando uses cifrados de PBE, siempre pasa un IV explícito, como se muestra en el siguiente fragmento de código:
Kotlin
val key: SecretKey = ... val cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC") val iv = ByteArray(16) SecureRandom().nextBytes(iv) cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))
Java
SecretKey key = ...; Cipher cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC"); byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv); cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
Proveedor de criptografía
A partir de Android 9 (nivel de API 28), se quitó el proveedor de criptografía de arquitectura de criptografía de Java (JCA). Si tu app solicita una instancia del proveedor de criptografía, por ejemplo, cuando llama al método siguiente, se produce un NoSuchProviderException
.
Kotlin
SecureRandom.getInstance("SHA1PRNG", "Crypto")
Java
SecureRandom.getInstance("SHA1PRNG", "Crypto");
Algoritmos compatibles
Estos son los identificadores de algoritmo de JCA compatibles con Android en cada nivel de API.
AlgorithmParameterGenerator
AlgorithmParameters
CertPathBuilder
CertPathValidator
CertStore
CertificateFactory
Cipher
KeyAgreement
KeyFactory
KeyGenerator
KeyManagerFactory
KeyPairGenerator
KeyStore
Mac
MessageDigest
SSLContext
SSLEngine.Supported
SSLSocket.Supported
SecretKeyFactory
SecureRandom
Signature
TrustManagerFactory
AlgorithmParameterGenerator
Algoritmo | Niveles de API compatibles |
---|---|
AES | 1-8 |
DES | 1-8 |
DESede | 1-8 |
DH | 1+ |
DSA | 1+ |
AlgorithmParameters
Algoritmo | Niveles de API compatibles |
---|---|
AES | 1+ |
BLOWFISH | 10+ |
ChaCha20 | 28+ |
DES | 1+ |
DESede | 1+ |
DH | 1+ |
DSA | 1+ |
EC | 26+ |
GCM | 22+ |
IES | 1-8 |
OAEP | 1+ |
PBEwithHmacSHA1AndAES_128 | 26+ |
PBEwithHmacSHA1AndAES_256 | 26+ |
PBEwithHmacSHA224AndAES_128 | 26+ |
PBEwithHmacSHA224AndAES_256 | 26+ |
PBEwithHmacSHA256AndAES_128 | 26+ |
PBEwithHmacSHA256AndAES_256 | 26+ |
PBEwithHmacSHA384AndAES_128 | 26+ |
PBEwithHmacSHA384AndAES_256 | 26+ |
PBEwithHmacSHA512AndAES_128 | 26+ |
PBEwithHmacSHA512AndAES_256 | 26+ |
PKCS12PBE | 1+ |
PSS | 1-8,24+ |
CertPathBuilder
Algoritmo | Niveles de API compatibles |
---|---|
PKIX | 1+ |
CertPathValidator
Algoritmo | Niveles de API compatibles |
---|---|
PKIX | 1+ |
CertStore
Algoritmo | Niveles de API compatibles |
---|---|
Collection | 1+ |
CertificateFactory
Algoritmo | Niveles de API compatibles |
---|---|
X.509 | 1+ |
Cifrado
Algoritmo | Modos | Rellenos | Niveles de API compatibles | Notas |
---|---|---|---|---|
AES | CBC CFB CTR CTS ECB OFB |
ISO10126Padding NoPadding PKCS5Padding |
1+ | |
GCM | NoPadding | 10+ | ||
AES_128 | CBC ECB |
NoPadding PKCS5Padding |
26+ | |
GCM | NoPadding | 26+ | ||
AES_256 | CBC ECB |
NoPadding PKCS5Padding |
26+ | |
GCM | NoPadding | 26+ | ||
ARC4 | ECB | NoPadding | 10+ | |
NINGUNO | NoPadding | 28+ | ||
BLOWFISH | CBC CFB CTR CTS ECB OFB |
ISO10126Padding NoPadding PKCS5Padding |
10+ | |
ChaCha20 | NINGUNO Poly1305 |
NoPadding | 28+ | ChaCha con 20 iteraciones, nonce de 96 bits y contador de 32 bits como se describe en RFC 7539. |
DES | CBC CFB CTR CTS ECB OFB |
ISO10126Padding NoPadding PKCS5Padding |
1+ | |
DESede | CBC CFB CTR CTS ECB OFB |
ISO10126Padding NoPadding PKCS5Padding |
1+ | |
RSA | ECB NINGUNO |
NoPadding OAEPPadding PKCS1Padding |
1+ | |
OAEPwithSHA-1andMGF1Padding OAEPwithSHA-256andMGF1Padding |
10+ | |||
OAEPwithSHA-224andMGF1Padding OAEPwithSHA-384andMGF1Padding OAEPwithSHA-512andMGF1Padding |
23+ |
KeyAgreement
Algoritmo | Niveles de API compatibles |
---|---|
DH | 1+ |
ECDH | 11+ |
KeyFactory
Algoritmo | Niveles de API compatibles |
---|---|
DH | 1+ |
DSA | 1+ |
EC | 11+ |
RSA | 1+ |
X.509 | 1-8 |
KeyGenerator
Algoritmo | Niveles de API compatibles |
---|---|
AES | 1+ |
AESWRAP | 1-8 |
ARC4 | 14+ |
BLOWFISH | 10+ |
ChaCha20 | 28+ |
DES | 1+ |
DESede | 1+ |
DESedeWRAP | 1-8 |
HmacMD5 | 1+ |
HmacSHA1 | 11+ |
HmacSHA224 | 1-8, 22+ |
HmacSHA256 | 1+ |
HmacSHA384 | 1+ |
HmacSHA512 | 1+ |
RC4 | 10-13 |
KeyManagerFactory
Algoritmo | Niveles de API compatibles |
---|---|
PKIX | 1+ |
KeyPairGenerator
Algoritmo | Niveles de API compatibles |
---|---|
DH | 1+ |
DSA | 1+ |
EC | 11+ |
RSA | 1+ |
KeyStore
Algoritmo | Niveles de API compatibles |
---|---|
AndroidCAStore | 14+ |
AndroidKeyStore | 18+ |
BCPKCS12 | 1-8 |
BKS | 1+ |
BouncyCastle | 1+ |
PKCS12 | 1+ |
PKCS12-DEF | 1-8 |
Mac
Algoritmo | Niveles de API compatibles |
---|---|
DESMAC | 1-8 |
DESMAC/CFB8 | 1-8 |
DESedeMAC | 1-8 |
DESedeMAC/CFB8 | 1-8 |
DESedeMAC64 | 1-8 |
DESwithISO9797 | 1-8 |
HmacMD5 | 1+ |
HmacSHA1 | 1+ |
HmacSHA224 | 1-8, 22+ |
HmacSHA256 | 1+ |
HmacSHA384 | 1+ |
HmacSHA512 | 1+ |
ISO9797ALG3MAC | 1-8 |
PBEwithHmacSHA | 1+ |
PBEwithHmacSHA1 | 1+ |
PBEwithHmacSHA224 | 26+ |
PBEwithHmacSHA256 | 26+ |
PBEwithHmacSHA384 | 26+ |
PBEwithHmacSHA512 | 26+ |
MessageDigest
Algoritmo | Niveles de API compatibles |
---|---|
MD5 | 1+ |
SHA-1 | 1+ |
SHA-224 | 1-8, 22+ |
SHA-256 | 1+ |
SHA-384 | 1+ |
SHA-512 | 1+ |
SSLContext
Algoritmo | Niveles de API compatibles |
---|---|
Predeterminada | 10+ |
SSL | 10+ |
SSLv3 | 10-25 |
TLS | 1+ |
TLSv1 | 10+ |
TLSv1.1 | 16+ |
TLSv1.2 | 16+ |
SSLEngine
Algoritmo | Niveles de API compatibles | Habilitados de forma predeterminada |
---|---|---|
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 9-22 | |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | 9-22 | |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_DES_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_RC4_128_MD5 | 9-22 | |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 9-22 | 9-19 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | 9+ | 9-19 |
SSL_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_WITH_NULL_MD5 | 9-22 | |
SSL_RSA_WITH_NULL_SHA | 9-22 | |
SSL_RSA_WITH_RC4_128_MD5 | 9-25 | 9-19 |
SSL_RSA_WITH_RC4_128_SHA | 9-25 | 9-23 |
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 9-22 | 9-22 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 9-22 | 20-22 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DHE_DSS_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 9-25 | 9-25 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 9-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_DSS_WITH_DES_CBC_SHA | 1-8 | |
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_RSA_WITH_DES_CBC_SHA | 1-8 | |
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DH_anon_WITH_DES_CBC_SHA | 1-8 | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 20-25 | 20-23 |
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | 20-25 | 20-23 |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | 20-22 | |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_anon_WITH_RC4_128_SHA | 20-22 | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 20+ | 20+ |
TLS_FALLBACK_SCSV | 21+ | |
TLS_NULL_WITH_NULL_NULL | 1-8 | |
TLS_PSK_WITH_3DES_EDE_CBC_SHA | 21-22 | |
TLS_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_RC4_128_SHA | 21-25 | |
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_AES_128_CBC_SHA | 9+ | 9+ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA | 9+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_RSA_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_NULL_MD5 | 1-8 | |
TLS_RSA_WITH_NULL_SHA | 1-8 | |
TLS_RSA_WITH_NULL_SHA256 | 20-22 |
SSLSocket
Algoritmo | Niveles de API compatibles | Habilitados de forma predeterminada |
---|---|---|
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 9-22 | |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | 9-22 | |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_DES_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_RC4_128_MD5 | 9-22 | |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 9-22 | 9-19 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | 9+ | 9-19 |
SSL_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_WITH_NULL_MD5 | 9-22 | |
SSL_RSA_WITH_NULL_SHA | 9-22 | |
SSL_RSA_WITH_RC4_128_MD5 | 9-25 | 9-19 |
SSL_RSA_WITH_RC4_128_SHA | 9-25 | 9-23 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 9-22 | 9-22 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 9-22 | 11-22 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 9-25 | 9-25 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 9-25 | 11-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 20-25 | 20-25 |
TLS_DH_anon_WITH_AES_128_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 11-25 | 11-23 |
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | 11-25 | 11-23 |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | 11-22 | 11-19 |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_anon_WITH_RC4_128_SHA | 11-22 | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 11+ | 11+ |
TLS_FALLBACK_SCSV | 21+ | |
TLS_PSK_WITH_3DES_EDE_CBC_SHA | 21-22 | |
TLS_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_RC4_128_SHA | 21-25 | |
TLS_RSA_WITH_AES_128_CBC_SHA | 9+ | 9+ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA | 9+ | 11+ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_RSA_WITH_NULL_SHA256 | 20-22 |
SecretKeyFactory
Algoritmo | Niveles de API compatibles |
---|---|
AES | 23+ |
DES | 1+ |
DESede | 1+ |
HmacSHA1 | 23+ |
HmacSHA224 | 23+ |
HmacSHA256 | 23+ |
HmacSHA384 | 23+ |
HmacSHA512 | 23+ |
PBEwithHmacSHA1 | 1+ |
PBEwithHmacSHA1AndAES_128 | 26+ |
PBEwithHmacSHA1AndAES_256 | 26+ |
PBEwithHmacSHA224AndAES_128 | 26+ |
PBEwithHmacSHA224AndAES_256 | 26+ |
PBEwithHmacSHA256AndAES_128 | 26+ |
PBEwithHmacSHA256AndAES_256 | 26+ |
PBEwithHmacSHA384AndAES_128 | 26+ |
PBEwithHmacSHA384AndAES_256 | 26+ |
PBEwithHmacSHA512AndAES_128 | 26+ |
PBEwithHmacSHA512AndAES_256 | 26+ |
PBEwithMD5AND128BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5AND192BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5AND256BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5ANDDES | 1+ |
PBEwithMD5ANDRC2 | 1+ |
PBEwithSHA1ANDDES | 1+ |
PBEwithSHA1ANDRC2 | 1+ |
PBEwithSHA256AND128BITAES-CBC-BC | 1+ |
PBEwithSHA256AND192BITAES-CBC-BC | 1+ |
PBEwithSHA256AND256BITAES-CBC-BC | 1+ |
PBEwithSHAAND128BITAES-CBC-BC | 1+ |
PBEwithSHAAND128BITRC2-CBC | 10+ |
PBEwithSHAAND128BITRC4 | 10+ |
PBEwithSHAAND192BITAES-CBC-BC | 1+ |
PBEwithSHAAND2-KEYTRIPLEDES-CBC | 1+ |
PBEwithSHAAND256BITAES-CBC-BC | 1+ |
PBEwithSHAAND3-KEYTRIPLEDES-CBC | 1+ |
PBEwithSHAAND40BITRC2-CBC | 1+ |
PBEwithSHAAND40BITRC4 | 10+ |
PBEwithSHAANDTWOFISH-CBC | 10+ |
PBKDF2withHmacSHA1 | 10+ |
PBKDF2withHmacSHA1And8BIT | 19+ |
PBKDF2withHmacSHA224 | 26+ |
PBKDF2withHmacSHA256 | 26+ |
PBKDF2withHmacSHA384 | 26+ |
PBKDF2withHmacSHA512 | 26+ |
SecureRandom
Algoritmo | Niveles de API compatibles |
---|---|
SHA1PRNG | 1+ |
Firma
Algoritmo | Niveles de API compatibles |
---|---|
DSA | 1+ |
DSAwithSHA1 | 1+ |
DSS | 1-19 |
ECDSA | 11+ |
ECDSAwithSHA1 | 11+ |
MD2withRSA | 1-3 |
MD4withRSA | 1-8 |
MD5withRSA | 1+ |
MD5withRSA/ISO9796-2 | 1-8 |
NONEwithDSA | 1+ |
NONEwithECDSA | 11+ |
NONEwithRSA | 17+ |
RSASSA-PSS | 1-8 |
SHA1withDSA | 1+ |
SHA1withECDSA | 11+ |
SHA1withRSA | 1+ |
SHA1withRSA/ISO9796-2 | 1-8 |
SHA1withRSA/PSS | 23+ |
SHA224withDSA | 20+ |
SHA224withECDSA | 20+ |
SHA224withRSA | 20+ |
SHA224withRSA/PSS | 23+ |
SHA256withDSA | 1+ |
SHA256withECDSA | 11+ |
SHA256withRSA | 1+ |
SHA256withRSA/PSS | 23+ |
SHA384withECDSA | 11+ |
SHA384withRSA | 1+ |
SHA384withRSA/PSS | 23+ |
SHA512withECDSA | 11+ |
SHA512withRSA | 1+ |
SHA512withRSA/PSS | 23+ |
TrustManagerFactory
Algoritmo | Niveles de API compatibles |
---|---|
PKIX | 1+ |