47

I am getting a Cipher implementation with Cipher.getInstance(String algorithm). I am under the impression that the available algorithm names that I may pass differ based on what libraries which are present in my classpath.

I would like to write a simple program that I can run with different classpaths that will list the available Cipher algorithm names. What method would I need to call to get this list?

Venki
  • 1,419
  • 5
  • 28
  • 38
skiphoppy
  • 97,646
  • 72
  • 174
  • 218

5 Answers5

37

Once I have a list of providers, as described in JB Nizet's post, I still don't have a list of algorithms. I found that each Provider functions as a Properties object, and the Properties encode the algorithm names. I'm not entirely clear on if this is the correct way to look for them or not, and what exactly all the other properties mean, but I just wrote a routine that spewed all properties to System.out and grepped for various strings describing what I was looking for until I found it.

import java.security.*;

for (Provider provider: Security.getProviders()) {
  System.out.println(provider.getName());
  for (String key: provider.stringPropertyNames())
    System.out.println("\t" + key + "\t" + provider.getProperty(key));
}
skiphoppy
  • 97,646
  • 72
  • 174
  • 218
  • 2
    Yup, I use the same method but with regular expressions to hunt for algorithms in several providers. Most of the time it's better to look at the list because the documentation might be outdated (or, in many cases, null). Tricky thing is to know what the algorithms actually are of course, as no explanation is provided anywhere. Note that there are many "aliases" which you might want to remove from the list if you are just checking if an algorithm has been implemented. – Maarten Bodewes Feb 18 '12 at 01:37
30

To get a list of available cipher transformation names, use this code snippet:

Set<String> algs = new TreeSet<>();
for (Provider provider : Security.getProviders()) {
    provider.getServices().stream()
                          .filter(s -> "Cipher".equals(s.getType()))
                          .map(Service::getAlgorithm)
                          .forEach(algs::add);
}
algs.forEach(System.out::println);

Those names are compatible to be called via Cipher.getInstance(). If an entry is missing the feedback mode or padding scheme, the JVM will fallback to the corresponding default.

AES
AESWrap
AESWrap_128
AESWrap_192
AESWrap_256
AES_128/CBC/NoPadding
AES_128/CFB/NoPadding
AES_128/ECB/NoPadding
AES_128/GCM/NoPadding
AES_128/OFB/NoPadding
AES_192/CBC/NoPadding
AES_192/CFB/NoPadding
AES_192/ECB/NoPadding
AES_192/GCM/NoPadding
AES_192/OFB/NoPadding
AES_256/CBC/NoPadding
AES_256/CFB/NoPadding
AES_256/ECB/NoPadding
AES_256/GCM/NoPadding
AES_256/OFB/NoPadding
ARCFOUR
Blowfish
ChaCha20
ChaCha20-Poly1305
DES
DESede
DESedeWrap
PBEWithHmacSHA1AndAES_128
PBEWithHmacSHA1AndAES_256
PBEWithHmacSHA224AndAES_128
PBEWithHmacSHA224AndAES_256
PBEWithHmacSHA256AndAES_128
PBEWithHmacSHA256AndAES_256
PBEWithHmacSHA384AndAES_128
PBEWithHmacSHA384AndAES_256
PBEWithHmacSHA512AndAES_128
PBEWithHmacSHA512AndAES_256
PBEWithMD5AndDES
PBEWithMD5AndTripleDES
PBEWithSHA1AndDESede
PBEWithSHA1AndRC2_128
PBEWithSHA1AndRC2_40
PBEWithSHA1AndRC4_128
PBEWithSHA1AndRC4_40
RC2
RSA
RSA/ECB/PKCS1Padding

see also JDK doc cipher algorithm names

To get a list of available TLS cipher suites, use this one-liner:

$ jrunscript -e "java.util.Arrays.asList(javax.net.ssl.SSLServerSocketFactory.getDefault().getSupportedCipherSuites()).stream().forEach(println)"

Which outputs for JDK11:

TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
teobais
  • 2,820
  • 1
  • 24
  • 36
Rod Rob
  • 1,026
  • 11
  • 9
  • are you sure this are accepted algorithms for `Cipher.getInstance(String algorithm)` as asked in question? I got almost same result but if I use any of the printed names, I get `java.security.NoSuchAlgorithmException: Cannot find any provider supporting TLS_AES_128_GCM_SHA256` - maybe use something like `jrunscript -e println(java.security.Security.getAlgorithms(\"Cipher\"))` – user85421 Aug 13 '19 at 08:12
  • @CarlosHeuberger You're right. I mixed up the terms _Cipher_ and _Cipher Suites_. The command above lists all _Cipher Suites_, that can be used by a particular TLS version. But the author asked for _Ciphers_ that implements a specific transformation. A transformation consists of a name, mode and padding. For example you can get an AES GCM cipher with `Cipher.getInstance("AES/GCM/NoPadding")` – Rod Rob Aug 13 '19 at 12:32
  • Ha, ironically, dynamically puling cipher suites is what I've been looking for, to keep track of what's been added/removed in subsequent Java updates that aren't separately documented. – galaxis Sep 08 '21 at 14:35
23

The doc of Cipher.getInstance() says:

Note that the list of registered providers may be retrieved via the Security.getProviders() method

Clicking on the link leads to the doc of Provider, which has a method getServices() documented by :

Get an unmodifiable Set of all services supported by this Provider.

And clicking on the link leads to the doc of Provider which has a getAlgorithm() method.

Note that this is a very empirical method. A more logical method would be to read the documentation of the crypto libraries you're using. It must contain the list of supported algorithms.

Whatever the method you choose, reading the documentation helps a lot.

JB Nizet
  • 678,734
  • 91
  • 1,224
  • 1,255
  • Thank you. I completely overlooked the comment about Security.getProviders() when I read the documentation, and I was rather mystified why it appeared nothing was in there. – skiphoppy Feb 17 '12 at 19:25
5

Seems like this is what you really need:

https://docs.oracle.com/javase/7/docs/api/java/security/Security.html#getAlgorithms(java.lang.String)

Returns a Set of Strings containing the names of all available algorithms or types for the specified Java cryptographic service (e.g., Signature, MessageDigest, Cipher, Mac, KeyStore).

mvmn
  • 3,717
  • 27
  • 30
2

Here's my version based on the intructions from Atlassian:

  • To include a cipher suite or protocol you require that is not enabled by default.

  • To exclude a cipher suite or protocol that is considered too weak to use, or for which a vulnerability has been discovered.

    import java.util.Map;
import java.util.TreeMap;

import javax.net.ssl.SSLServerSocketFactory;

public class Ciphers {

public static void main(String[] args) {
    SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

    String[] defaultCiphers = ssf.getDefaultCipherSuites();
    String[] availableCiphers = ssf.getSupportedCipherSuites();

    Map<String, Boolean> ciphers = new TreeMap<>();

    for (String availableCipher : availableCiphers) {
        ciphers.put(availableCipher, Boolean.FALSE);
    }

    for (String defaultCipher : defaultCiphers) {
        ciphers.put(defaultCipher, Boolean.TRUE);
    }

    System.out.println("Default\tCipher");
    for (Map.Entry<String, Boolean> cipher : ciphers.entrySet()) {
        if (Boolean.TRUE.equals(cipher.getValue())) {
            System.out.print('*');
        } else {
            System.out.print(' ');
        }

        System.out.print('\t');
        System.out.println(cipher.getKey());
    }
}
}

Output:

Default Cipher

  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
gmode
  • 3,601
  • 4
  • 31
  • 39
  • not an algorithm, tried some results with `Cipher.getInstance(String algorithm)`, as requested by question - results in `NoSuchAlgorithmException` (cipher suite != algorithm?) – user85421 Aug 13 '19 at 08:10
  • In Cipher.getInstance(String algorithm), algorithm is the name of a transformation not and not the name of a cipher algorithm. So getting a NoSuchAlgorithmException is correct. What you need to find is the set of supported transformations. – Tom Rutchik Oct 02 '20 at 17:17