Kriptografi

Dokumen ini menjelaskan cara yang tepat untuk menggunakan fasilitas kriptografi Android dan menyertakan beberapa contoh penggunaannya. Jika aplikasi Anda membutuhkan keamanan kunci yang lebih ketat, gunakan sistem Keystore Android.

Menetapkan penyedia hanya dengan sistem Keystore Android

Jika menggunakan sistem Keystore Android, Anda harus menetapkan satu penyedia.

Namun, dalam situasi lain, Android tidak menjamin penyedia khusus untuk algoritme tertentu. Menetapkan penyedia tanpa menggunakan sistem Keystore Android dapat menyebabkan masalah kompatibilitas pada rilis mendatang.

Memilih algoritme yang direkomendasikan

Jika Anda boleh memilih algoritme apa pun yang akan digunakan (misalnya jika Anda tidak memerlukan kompatibilitas dengan sistem pihak ketiga), sebaiknya gunakan algoritme berikut:

Class Rekomendasi
Cipher AES dalam mode CBC atau GCM dengan kunci 256-bit (seperti AES/GCM/NoPadding)
MessageDigest Rangkaian SHA-2 (misalnya, SHA-256)
Mac HMAC rangkaian SHA-2 (misalnya, HMACSHA256)
Tanda Tangan Rangkaian SHA-2 dengan ECDSA (misalnya, SHA256withECDSA)

Melakukan operasi kriptografi umum

Bagian berikut menyertakan cuplikan yang menunjukkan bagaimana Anda dapat melakukan operasi kriptografi umum dalam aplikasi.

Membaca file

Kotlin

// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC
val mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)

val fileToRead = "my_sensitive_data.txt"
val encryptedFile = EncryptedFile.Builder(
    File(DIRECTORY, fileToRead),
    applicationContext,
    mainKeyAlias,
    EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build()

val inputStream = encryptedFile.openFileInput()
val byteArrayOutputStream = ByteArrayOutputStream()
var nextByte: Int = inputStream.read()
while (nextByte != -1) {
    byteArrayOutputStream.write(nextByte)
    nextByte = inputStream.read()
}

val plaintext: ByteArray = byteArrayOutputStream.toByteArray()

Java

Context context = getApplicationContext();

// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC;
String mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec);

String fileToRead = "my_sensitive_data.txt";
EncryptedFile encryptedFile = new EncryptedFile.Builder(
        new File(DIRECTORY, fileToRead),
        context,
        mainKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();

InputStream inputStream = encryptedFile.openFileInput();
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
int nextByte = inputStream.read();
while (nextByte != -1) {
    byteArrayOutputStream.write(nextByte);
    nextByte = inputStream.read();
}

byte[] plaintext = byteArrayOutputStream.toByteArray();

Menulis file

Kotlin

// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
val keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC
val mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec)

// Create a file with this name, or replace an entire existing file
// that has the same name. Note that you cannot append to an existing file,
// and the file name cannot contain path separators.
val fileToWrite = "my_sensitive_data.txt"
val encryptedFile = EncryptedFile.Builder(
    File(DIRECTORY, fileToWrite),
    applicationContext,
    mainKeyAlias,
    EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build()

val fileContent = "MY SUPER-SECRET INFORMATION"
        .toByteArray(StandardCharsets.UTF_8)
encryptedFile.openFileOutput().apply {
    write(fileContent)
    flush()
    close()
}

Java

Context context = getApplicationContext();

// Although you can define your own key generation parameter specification, it's
// recommended that you use the value specified here.
KeyGenParameterSpec keyGenParameterSpec = MasterKeys.AES256_GCM_SPEC;
String mainKeyAlias = MasterKeys.getOrCreate(keyGenParameterSpec);

// Create a file with this name, or replace an entire existing file
// that has the same name. Note that you cannot append to an existing file,
// and the file name cannot contain path separators.
String fileToWrite = "my_sensitive_data.txt";
EncryptedFile encryptedFile = new EncryptedFile.Builder(
        new File(DIRECTORY, fileToWrite),
        context,
        mainKeyAlias,
        EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
).build();

byte[] fileContent = "MY SUPER-SECRET INFORMATION"
        .getBytes(StandardCharsets.UTF_8);
OutputStream outputStream = encryptedFile.openFileOutput();
outputStream.write(fileContent);
outputStream.flush();
outputStream.close();

Mengenkripsi pesan

Kotlin

val plaintext: ByteArray = ...
val keygen = KeyGenerator.getInstance("AES")
keygen.init(256)
val key: SecretKey = keygen.generateKey()
val cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING")
cipher.init(Cipher.ENCRYPT_MODE, key)
val ciphertext: ByteArray = cipher.doFinal(plaintext)
val iv: ByteArray = cipher.iv

Java

byte[] plaintext = ...;
KeyGenerator keygen = KeyGenerator.getInstance("AES");
keygen.init(256);
SecretKey key = keygen.generateKey();
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] ciphertext = cipher.doFinal(plaintext);
byte[] iv = cipher.getIV();

Membuat ringkasan pesan

Kotlin

val message: ByteArray = ...
val md = MessageDigest.getInstance("SHA-256")
val digest: ByteArray = md.digest(message)

Java

byte[] message = ...;
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] digest = md.digest(message);

Membuat tanda tangan digital

Anda harus memiliki objek PrivateKey yang berisi kunci penandatanganan, yang dapat dibuat pada runtime, dibaca dari file yang dipaketkan dengan aplikasi Anda, atau didapatkan dari beberapa sumber lain menurut kebutuhan Anda.

Kotlin

val message: ByteArray = ...
val key: PrivateKey = ...
val s = Signature.getInstance("SHA256withECDSA")
        .apply {
            initSign(key)
            update(message)
        }
val signature: ByteArray = s.sign()

Java

byte[] message = ...;
PrivateKey key = ...;
Signature s = Signature.getInstance("SHA256withECDSA");
s.initSign(key);
s.update(message);
byte[] signature = s.sign();

Memverifikasi tanda tangan digital

Anda harus memiliki objek PublicKey yang berisi kunci publik penanda tangan, yang dapat dibaca dari file yang dipaketkan dengan aplikasi Anda, diekstrak dari sertifikat, atau diperoleh dari beberapa sumber lain menurut kebutuhan Anda.

Kotlin

val message: ByteArray = ...
val signature: ByteArray = ...
val key: PublicKey = ...
val s = Signature.getInstance("SHA256withECDSA")
        .apply {
            initVerify(key)
            update(message)
        }
val valid: Boolean = s.verify(signature)

Java

byte[] message = ...;
byte[] signature = ...;
PublicKey key = ...;
Signature s = Signature.getInstance("SHA256withECDSA");
s.initVerify(key);
s.update(message);
boolean valid = s.verify(signature);

Kompleksitas penerapan

Terdapat beberapa detail penerapan kriptografi Android yang tampak tidak biasa namun tetap disediakan karena pertimbangan kompatibilitas. Bagian ini membahas beberapa detail yang kemungkinan besar akan Anda jumpai.

Ringkasan pesan MGF1 OAEP

Cipher OAEP RSA dibuat menjadi parameter oleh dua ringkasan pesan yang berbeda: ringkasan “utama” dan ringkasan MGF1. Terdapat ID Cipher yang menyertakan nama ringkasan, seperti Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding"), yang menetapkan ringkasan utama dan membiarkan ringkasan MGF1 tidak ditetapkan. Untuk Keystore Android, SHA-1 digunakan untuk ringkasan MGF1, sedangkan untuk penyedia kriptografi Android lainnya, kedua ringkasan tersebut sama.

Untuk kontrol yang lebih menyeluruh atas ringkasan yang digunakan oleh aplikasi, Anda harus meminta cipher dengan OAEPPadding, seperti dalam Cipher.getInstance("RSA/ECB/OAEPPadding"), dan memberikan OAEPParameterSpec ke init() untuk memilih kedua ringkasan secara eksplisit.

Kotlin

val key: Key = ...
val cipher = Cipher.getInstance("RSA/ECB/OAEPPadding")
        .apply {
            // To use SHA-256 the main digest and SHA-1 as the MGF1 digest
            init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT))
            // To use SHA-256 for both digests
            init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT))
        }

Java

Key key = ...;
Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding");
// To use SHA-256 the main digest and SHA-1 as the MGF1 digest
cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
// To use SHA-256 for both digests
cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));

Fungsionalitas yang tidak lagi digunakan

Bagian berikut menjelaskan fungsionalitas lama yang tidak boleh Anda gunakan lagi dalam aplikasi.

Algoritme Bouncy Castle

Penerapan Bouncy Castle untuk banyak algoritme kini sudah tidak digunakan lagi. Penerapan ini hanya efektif pada situasi ketika Anda meminta penyedia Bouncy Castle secara eksplisit, seperti dalam contoh berikut:

Kotlin

Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC")
// OR
Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"))

Java

Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC");
// OR
Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"));

Seperti yang sudah disebutkan di atas, Anda tidak disarankan untuk meminta penyedia spesifik; jadi, jika mengikuti pedoman tersebut, penghentian ini tidak akan memengaruhi Anda.

Cipher enkripsi berbasis sandi tanpa IV

Cipher enkripsi berbasis sandi (PBE) yang memerlukan vektor inisialisasi (IV) dapat memperolehnya dari kunci tersebut, jika disusun secara tepat, atau dari IV yang diteruskan secara eksplisit. Saat meneruskan kunci PBE yang tidak berisi IV dan tidak ada IV eksplisit, cipher PBE pada Android saat ini mengasumsikan IV dengan nilai nol.

Saat menggunakan cipher PBE, selalu teruskan IV eksplisit seperti dalam cuplikan kode berikut:

Kotlin

val key: SecretKey = ...
val cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC")
val iv = ByteArray(16)
SecureRandom().nextBytes(iv)
cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))

Java

SecretKey key = ...;
Cipher cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC");
byte[] iv = new byte[16];
new SecureRandom().nextBytes(iv);
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));

Penyedia kripto

Mulai dari Android 9 (API level 28), penyedia Java Cryptography Architecture (JCA) Kripto telah dihapus. Jika aplikasi Anda meminta instance penyedia Kripto tersebut, misalnya dengan memanggil metode berikut, NoSuchProviderException akan terjadi.

Kotlin

SecureRandom.getInstance("SHA1PRNG", "Crypto")

Java

SecureRandom.getInstance("SHA1PRNG", "Crypto");

Algoritme yang didukung

Ini adalah ID algoritme JCA yang didukung di Android pada setiap level API.

AlgorithmParameterGenerator

Algoritme Level API yang Didukung
AES 1-8
DES 1-8
DESede 1-8
DH 1+
DSA 1+

AlgorithmParameters

Algoritme Level API yang Didukung
AES 1+
BLOWFISH 10+
ChaCha20 28+
DES 1+
DESede 1+
DH 1+
DSA 1+
EC 26+
GCM 22+
IES 1-8
OAEP 1+
PBEwithHmacSHA1AndAES_128 26+
PBEwithHmacSHA1AndAES_256 26+
PBEwithHmacSHA224AndAES_128 26+
PBEwithHmacSHA224AndAES_256 26+
PBEwithHmacSHA256AndAES_128 26+
PBEwithHmacSHA256AndAES_256 26+
PBEwithHmacSHA384AndAES_128 26+
PBEwithHmacSHA384AndAES_256 26+
PBEwithHmacSHA512AndAES_128 26+
PBEwithHmacSHA512AndAES_256 26+
PKCS12PBE 1+
PSS 1-8,24+

CertPathBuilder

Algoritme Level API yang Didukung
PKIX 1+

CertPathValidator

Algoritme Level API yang Didukung
PKIX 1+

CertStore

Algoritme Level API yang Didukung
Collection 1+

CertificateFactory

Algoritme Level API yang Didukung
X.509 1+

Cipher

Algoritme Mode Padding Level API yang Didukung Catatan
AES CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
GCM NoPadding 10+
AES_128 CBC
ECB
NoPadding
PKCS5Padding
26+
GCM NoPadding 26+
AES_256 CBC
ECB
NoPadding
PKCS5Padding
26+
GCM NoPadding 26+
ARC4 ECB NoPadding 10+
TIDAK ADA NoPadding 28+
BLOWFISH CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
10+
ChaCha20 TIDAK ADA
Poly1305
NoPadding 28+ ChaCha dengan 20 round, nonce 96-bit, dan penghitung 32-bit seperti yang dijelaskan dalam RFC 7539.
DES CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
DESede CBC
CFB
CTR
CTS
ECB
OFB
ISO10126Padding
NoPadding
PKCS5Padding
1+
RSA ECB
TIDAK ADA
NoPadding
OAEPPadding
PKCS1Padding
1+
OAEPwithSHA-1andMGF1Padding
OAEPwithSHA-256andMGF1Padding
10+
OAEPwithSHA-224andMGF1Padding
OAEPwithSHA-384andMGF1Padding
OAEPwithSHA-512andMGF1Padding
23+

KeyAgreement

Algoritme Level API yang Didukung
DH 1+
ECDH 11+

KeyFactory

Algoritme Level API yang Didukung
DH 1+
DSA 1+
EC 11+
RSA 1+
X.509 1-8

KeyGenerator

Algoritme Level API yang Didukung
AES 1+
AESWRAP 1-8
ARC4 14+
BLOWFISH 10+
ChaCha20 28+
DES 1+
DESede 1+
DESedeWRAP 1-8
HmacMD5 1+
HmacSHA1 11+
HmacSHA224 1-8, 22+
HmacSHA256 1+
HmacSHA384 1+
HmacSHA512 1+
RC4 10-13

KeyManagerFactory

Algoritme Level API yang Didukung
PKIX 1+

KeyPairGenerator

Algoritme Level API yang Didukung
DH 1+
DSA 1+
EC 11+
RSA 1+

KeyStore

Algoritme Level API yang Didukung
AndroidCAStore 14+
AndroidKeyStore 18+
BCPKCS12 1-8
BKS 1+
BouncyCastle 1+
PKCS12 1+
PKCS12-DEF 1-8

Mac

Algoritme Level API yang Didukung
DESMAC 1-8
DESMAC/CFB8 1-8
DESedeMAC 1-8
DESedeMAC/CFB8 1-8
DESedeMAC64 1-8
DESwithISO9797 1-8
HmacMD5 1+
HmacSHA1 1+
HmacSHA224 1-8, 22+
HmacSHA256 1+
HmacSHA384 1+
HmacSHA512 1+
ISO9797ALG3MAC 1-8
PBEwithHmacSHA 1+
PBEwithHmacSHA1 1+
PBEwithHmacSHA224 26+
PBEwithHmacSHA256 26+
PBEwithHmacSHA384 26+
PBEwithHmacSHA512 26+

MessageDigest

Algoritme Level API yang Didukung
MD5 1+
SHA-1 1+
SHA-224 1-8, 22+
SHA-256 1+
SHA-384 1+
SHA-512 1+

SSLContext

Algoritme Level API yang Didukung
Default 10+
SSL 10+
SSLv3 10-25
TLS 1+
TLSv1 10+
TLSv1.1 16+
TLSv1.2 16+

SSLEngine

Algoritme Level API yang Didukung Diaktifkan Secara Default
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_DES_CBC_SHA 9-22 9-19
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA 9-22
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 9-22
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 9-22
SSL_DH_anon_WITH_DES_CBC_SHA 9-22
SSL_DH_anon_WITH_RC4_128_MD5 9-22
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_RSA_EXPORT_WITH_RC4_40_MD5 9-22 9-19
SSL_RSA_WITH_3DES_EDE_CBC_SHA 9+ 9-19
SSL_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_RSA_WITH_NULL_MD5 9-22
SSL_RSA_WITH_NULL_SHA 9-22
SSL_RSA_WITH_RC4_128_MD5 9-25 9-19
SSL_RSA_WITH_RC4_128_SHA 9-25 9-23
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 1-8 1-8
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 1-8 1-8
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 9-22 9-22
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 9-22 20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 20-22
TLS_DHE_DSS_WITH_DES_CBC_SHA 1-8 1-8
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 1-8 1-8
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 1-8 1-8
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 9-25 9-25
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 20-25 20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 9-25 20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 20-25 20-25
TLS_DHE_RSA_WITH_DES_CBC_SHA 1-8 1-8
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA 1-8
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA 1-8
TLS_DH_DSS_WITH_DES_CBC_SHA 1-8
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA 1-8
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA 1-8
TLS_DH_RSA_WITH_DES_CBC_SHA 1-8
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA 1-8
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA 1-8
TLS_DH_anon_WITH_AES_128_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_128_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_128_GCM_SHA256 20-22
TLS_DH_anon_WITH_AES_256_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_256_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_256_GCM_SHA384 20-22
TLS_DH_anon_WITH_DES_CBC_SHA 1-8
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 20+
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 20+
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_ECDSA_WITH_NULL_SHA 20-22
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 20-25 20-23
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 20+ 20+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 20+
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 20+ 20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 20+
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_NULL_SHA 20-22
TLS_ECDHE_RSA_WITH_RC4_128_SHA 20-25 20-23
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 20-22
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_ECDSA_WITH_NULL_SHA 20-22
TLS_ECDH_ECDSA_WITH_RC4_128_SHA 20-22
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 20-22
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_RSA_WITH_NULL_SHA 20-22
TLS_ECDH_RSA_WITH_RC4_128_SHA 20-22
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 20-22
TLS_ECDH_anon_WITH_AES_128_CBC_SHA 20-22
TLS_ECDH_anon_WITH_AES_256_CBC_SHA 20-22
TLS_ECDH_anon_WITH_NULL_SHA 20-22
TLS_ECDH_anon_WITH_RC4_128_SHA 20-22
TLS_EMPTY_RENEGOTIATION_INFO_SCSV 20+ 20+
TLS_FALLBACK_SCSV 21+
TLS_NULL_WITH_NULL_NULL 1-8
TLS_PSK_WITH_3DES_EDE_CBC_SHA 21-22
TLS_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_PSK_WITH_RC4_128_SHA 21-25
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA 1-8 1-8
TLS_RSA_WITH_3DES_EDE_CBC_SHA 1-8 1-8
TLS_RSA_WITH_AES_128_CBC_SHA 9+ 9+
TLS_RSA_WITH_AES_128_CBC_SHA256 20+
TLS_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_RSA_WITH_AES_256_CBC_SHA 9+ 20+
TLS_RSA_WITH_AES_256_CBC_SHA256 20+
TLS_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_RSA_WITH_DES_CBC_SHA 1-8 1-8
TLS_RSA_WITH_NULL_MD5 1-8
TLS_RSA_WITH_NULL_SHA 1-8
TLS_RSA_WITH_NULL_SHA256 20-22

SSLSocket

Algoritme Level API yang Didukung Diaktifkan Secara Default
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_DSS_WITH_DES_CBC_SHA 9-22 9-19
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 9-22 9-19
SSL_DHE_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA 9-22
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 9-22
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 9-22
SSL_DH_anon_WITH_DES_CBC_SHA 9-22
SSL_DH_anon_WITH_RC4_128_MD5 9-22
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 9-22 9-19
SSL_RSA_EXPORT_WITH_RC4_40_MD5 9-22 9-19
SSL_RSA_WITH_3DES_EDE_CBC_SHA 9+ 9-19
SSL_RSA_WITH_DES_CBC_SHA 9-22 9-19
SSL_RSA_WITH_NULL_MD5 9-22
SSL_RSA_WITH_NULL_SHA 9-22
SSL_RSA_WITH_RC4_128_MD5 9-25 9-19
SSL_RSA_WITH_RC4_128_SHA 9-25 9-23
TLS_DHE_DSS_WITH_AES_128_CBC_SHA 9-22 9-22
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA 9-22 11-22
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 20-22
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 20-22
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 9-25 9-25
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 20-25 20-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 9-25 11-25
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 20-25
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 20-25 20-25
TLS_DH_anon_WITH_AES_128_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_128_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_128_GCM_SHA256 20-22
TLS_DH_anon_WITH_AES_256_CBC_SHA 9-22
TLS_DH_anon_WITH_AES_256_CBC_SHA256 20-22
TLS_DH_anon_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 11+ 11+
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 20+
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 11+ 11+
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 20+
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_ECDSA_WITH_NULL_SHA 11-22
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 11-25 11-23
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 11+ 11+
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 20+
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 11+ 11+
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 20+
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 24+ 24+
TLS_ECDHE_RSA_WITH_NULL_SHA 11-22
TLS_ECDHE_RSA_WITH_RC4_128_SHA 11-25 11-23
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 11-22 11-19
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_ECDSA_WITH_NULL_SHA 11-22
TLS_ECDH_ECDSA_WITH_RC4_128_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 20-22
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 11-22 11-19
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 20-22
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 20-22
TLS_ECDH_RSA_WITH_NULL_SHA 11-22
TLS_ECDH_RSA_WITH_RC4_128_SHA 11-22 11-19
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 11-22
TLS_ECDH_anon_WITH_AES_128_CBC_SHA 11-22
TLS_ECDH_anon_WITH_AES_256_CBC_SHA 11-22
TLS_ECDH_anon_WITH_NULL_SHA 11-22
TLS_ECDH_anon_WITH_RC4_128_SHA 11-22
TLS_EMPTY_RENEGOTIATION_INFO_SCSV 11+ 11+
TLS_FALLBACK_SCSV 21+
TLS_PSK_WITH_3DES_EDE_CBC_SHA 21-22
TLS_PSK_WITH_AES_128_CBC_SHA 21+ 21+
TLS_PSK_WITH_AES_256_CBC_SHA 21+ 21+
TLS_PSK_WITH_RC4_128_SHA 21-25
TLS_RSA_WITH_AES_128_CBC_SHA 9+ 9+
TLS_RSA_WITH_AES_128_CBC_SHA256 20+
TLS_RSA_WITH_AES_128_GCM_SHA256 20+ 20+
TLS_RSA_WITH_AES_256_CBC_SHA 9+ 11+
TLS_RSA_WITH_AES_256_CBC_SHA256 20+
TLS_RSA_WITH_AES_256_GCM_SHA384 20+ 20+
TLS_RSA_WITH_NULL_SHA256 20-22

SecretKeyFactory

Algoritme Level API yang Didukung
AES 23+
DES 1+
DESede 1+
HmacSHA1 23+
HmacSHA224 23+
HmacSHA256 23+
HmacSHA384 23+
HmacSHA512 23+
PBEwithHmacSHA1 1+
PBEwithHmacSHA1AndAES_128 26+
PBEwithHmacSHA1AndAES_256 26+
PBEwithHmacSHA224AndAES_128 26+
PBEwithHmacSHA224AndAES_256 26+
PBEwithHmacSHA256AndAES_128 26+
PBEwithHmacSHA256AndAES_256 26+
PBEwithHmacSHA384AndAES_128 26+
PBEwithHmacSHA384AndAES_256 26+
PBEwithHmacSHA512AndAES_128 26+
PBEwithHmacSHA512AndAES_256 26+
PBEwithMD5AND128BITAES-CBC-OPENSSL 1+
PBEwithMD5AND192BITAES-CBC-OPENSSL 1+
PBEwithMD5AND256BITAES-CBC-OPENSSL 1+
PBEwithMD5ANDDES 1+
PBEwithMD5ANDRC2 1+
PBEwithSHA1ANDDES 1+
PBEwithSHA1ANDRC2 1+
PBEwithSHA256AND128BITAES-CBC-BC 1+
PBEwithSHA256AND192BITAES-CBC-BC 1+
PBEwithSHA256AND256BITAES-CBC-BC 1+
PBEwithSHAAND128BITAES-CBC-BC 1+
PBEwithSHAAND128BITRC2-CBC 10+
PBEwithSHAAND128BITRC4 10+
PBEwithSHAAND192BITAES-CBC-BC 1+
PBEwithSHAAND2-KEYTRIPLEDES-CBC 1+
PBEwithSHAAND256BITAES-CBC-BC 1+
PBEwithSHAAND3-KEYTRIPLEDES-CBC 1+
PBEwithSHAAND40BITRC2-CBC 1+
PBEwithSHAAND40BITRC4 10+
PBEwithSHAANDTWOFISH-CBC 10+
PBKDF2withHmacSHA1 10+
PBKDF2withHmacSHA1And8BIT 19+
PBKDF2withHmacSHA224 26+
PBKDF2withHmacSHA256 26+
PBKDF2withHmacSHA384 26+
PBKDF2withHmacSHA512 26+

SecureRandom

Algoritme Level API yang Didukung
SHA1PRNG 1+

Tanda Tangan

Algoritme Level API yang Didukung
DSA 1+
DSAwithSHA1 1+
DSS 1-19
ECDSA 11+
ECDSAwithSHA1 11+
MD2withRSA 1-3
MD4withRSA 1-8
MD5withRSA 1+
MD5withRSA/ISO9796-2 1-8
NONEwithDSA 1+
NONEwithECDSA 11+
NONEwithRSA 17+
RSASSA-PSS 1-8
SHA1withDSA 1+
SHA1withECDSA 11+
SHA1withRSA 1+
SHA1withRSA/ISO9796-2 1-8
SHA1withRSA/PSS 23+
SHA224withDSA 20+
SHA224withECDSA 20+
SHA224withRSA 20+
SHA224withRSA/PSS 23+
SHA256withDSA 1+
SHA256withECDSA 11+
SHA256withRSA 1+
SHA256withRSA/PSS 23+
SHA384withECDSA 11+
SHA384withRSA 1+
SHA384withRSA/PSS 23+
SHA512withECDSA 11+
SHA512withRSA 1+
SHA512withRSA/PSS 23+

TrustManagerFactory

Algoritme Level API yang Didukung
PKIX 1+