This document describes the proper way to use Android's cryptographic facilities and includes some examples of its use. If your app requires greater key security, use the Android Keystore system.
Specify a provider only with the Android Keystore system
If you're using the Android Keystore system, you must specify a provider.
In other situations, however, Android doesn't guarantee a particular provider for a given algorithm. Specifying a provider without using the Android Keystore system could cause compatibility problems in future releases.
Choose a recommended algorithm
When you have the freedom to choose which algorithm to use (such as when you do not require compatibility with a third-party system), we recommend using the following algorithms:
Class | Recommendation |
---|---|
Cipher | AES in either CBC or GCM mode with 256-bit keys (such as AES/GCM/NoPadding ) |
MessageDigest | SHA-2 family (eg, SHA-256 ) |
Mac | SHA-2 family HMAC (eg, HMACSHA256 ) |
Signature | SHA-2 family with ECDSA (eg, SHA256withECDSA ) |
Perform common cryptographic operations
The following sections include snippets that demonstrates how you can complete common cryptographic operations in your app.
Read a file
Kotlin
// Although you can define your own key generation parameter specification, it's // recommended that you use the value specified here. val mainKey = MasterKey.Builder(applicationContext) .setKeyScheme(MasterKey.KeyScheme.AES256_GCM) .build() val fileToRead = "my_sensitive_data.txt" val encryptedFile = EncryptedFile.Builder( applicationContext, File(DIRECTORY, fileToRead), mainKey, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build() val inputStream = encryptedFile.openFileInput() val byteArrayOutputStream = ByteArrayOutputStream() var nextByte: Int = inputStream.read() while (nextByte != -1) { byteArrayOutputStream.write(nextByte) nextByte = inputStream.read() } val plaintext: ByteArray = byteArrayOutputStream.toByteArray()
Java
// Although you can define your own key generation parameter specification, it's // recommended that you use the value specified here. Context context = getApplicationContext(); MasterKey mainKey = new MasterKey.Builder(context) .setKeyScheme(MasterKey.KeyScheme.AES256_GCM) .build(); String fileToRead = "my_sensitive_data.txt"; EncryptedFile encryptedFile = new EncryptedFile.Builder(context, new File(DIRECTORY, fileToRead), mainKey, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build(); InputStream inputStream = encryptedFile.openFileInput(); ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); int nextByte = inputStream.read(); while (nextByte != -1) { byteArrayOutputStream.write(nextByte); nextByte = inputStream.read(); } byte[] plaintext = byteArrayOutputStream.toByteArray();
Write a file
Kotlin
// Although you can define your own key generation parameter specification, it's // recommended that you use the value specified here. val mainKey = MasterKey.Builder(applicationContext) .setKeyScheme(MasterKey.KeyScheme.AES256_GCM) .build() // Creates a file with this name, or replaces an existing file // that has the same name. Note that the file name cannot contain // path separators. val fileToWrite = "my_sensitive_data.txt" val encryptedFile = EncryptedFile.Builder( applicationContext, File(DIRECTORY, fileToWrite), mainKey, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build() val fileContent = "MY SUPER-SECRET INFORMATION" .toByteArray(StandardCharsets.UTF_8) encryptedFile.openFileOutput().apply { write(fileContent) flush() close() }
Java
// Although you can define your own key generation parameter specification, it's // recommended that you use the value specified here. Context context = getApplicationContext(); MasterKey mainKey = new MasterKey.Builder(context) .setKeyScheme(MasterKey.KeyScheme.AES256_GCM) .build(); // Creates a file with this name, or replaces an existing file // that has the same name. Note that the file name cannot contain // path separators. String fileToWrite = "my_sensitive_data.txt"; EncryptedFile encryptedFile = new EncryptedFile.Builder(context, new File(DIRECTORY, fileToWrite), mainKey, EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB ).build(); byte[] fileContent = "MY SUPER-SECRET INFORMATION" .getBytes(StandardCharsets.UTF_8); OutputStream outputStream = encryptedFile.openFileOutput(); outputStream.write(fileContent); outputStream.flush(); outputStream.close();
Encrypt a message
Kotlin
val plaintext: ByteArray = ... val keygen = KeyGenerator.getInstance("AES") keygen.init(256) val key: SecretKey = keygen.generateKey() val cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING") cipher.init(Cipher.ENCRYPT_MODE, key) val ciphertext: ByteArray = cipher.doFinal(plaintext) val iv: ByteArray = cipher.iv
Java
byte[] plaintext = ...; KeyGenerator keygen = KeyGenerator.getInstance("AES"); keygen.init(256); SecretKey key = keygen.generateKey(); Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] ciphertext = cipher.doFinal(plaintext); byte[] iv = cipher.getIV();
Generate a message digest
Kotlin
val message: ByteArray = ... val md = MessageDigest.getInstance("SHA-256") val digest: ByteArray = md.digest(message)
Java
byte[] message = ...; MessageDigest md = MessageDigest.getInstance("SHA-256"); byte[] digest = md.digest(message);
Generate a digital signature
You need to have a PrivateKey object containing the signing key, which you can generate at runtime, read from a file bundled with your app, or obtain from some other source depending on your needs.
Kotlin
val message: ByteArray = ... val key: PrivateKey = ... val s = Signature.getInstance("SHA256withECDSA") .apply { initSign(key) update(message) } val signature: ByteArray = s.sign()
Java
byte[] message = ...; PrivateKey key = ...; Signature s = Signature.getInstance("SHA256withECDSA"); s.initSign(key); s.update(message); byte[] signature = s.sign();
Verify a digital signature
You need to have a PublicKey object containing the signer's public key, which you might read from a file bundled with your app, extract from a certificate, or obtain from some other source depending on your needs.
Kotlin
val message: ByteArray = ... val signature: ByteArray = ... val key: PublicKey = ... val s = Signature.getInstance("SHA256withECDSA") .apply { initVerify(key) update(message) } val valid: Boolean = s.verify(signature)
Java
byte[] message = ...; byte[] signature = ...; PublicKey key = ...; Signature s = Signature.getInstance("SHA256withECDSA"); s.initVerify(key); s.update(message); boolean valid = s.verify(signature);
Implementation complexities
There are some details of the Android cryptography implementation that seem unusual but are present due to compatibility concerns. This section discusses the ones that you'll most likely encounter.
OAEP MGF1 message digest
RSA OAEP ciphers are parameterized by two different message digests: the “main”
digest and the MGF1 digest. There are Cipher identifiers that include digest
names, such as Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding")
,
which specify the main digest and leave the MGF1 digest unspecified. For Android
Keystore, SHA-1 is used for the MGF1 digest, whereas for other Android
cryptographic providers, the two digests are the same.
To have more control over the digests that your app uses, you should request a
cipher with OAEPPadding, as in Cipher.getInstance("RSA/ECB/OAEPPadding")
, and
provide an OAEPParameterSpec
to init()
to explicitly choose both digests.
Kotlin
val key: Key = ... val cipher = Cipher.getInstance("RSA/ECB/OAEPPadding") .apply { // To use SHA-256 the main digest and SHA-1 as the MGF1 digest init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)) // To use SHA-256 for both digests init(Cipher.ENCRYPT_MODE, key, OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT)) }
Java
Key key = ...; Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding"); // To use SHA-256 the main digest and SHA-1 as the MGF1 digest cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT)); // To use SHA-256 for both digests cipher.init(Cipher.ENCRYPT_MODE, key, new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
Deprecated functionality
The following sections describe deprecated functionality that you should no longer use in your app.
Bouncy Castle algorithms
The Bouncy Castle implementations of many algorithms are deprecated. This only affects cases where you explicitly request the Bouncy Castle provider, as shown in the following example:
Kotlin
Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC") // OR Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"))
Java
Cipher.getInstance("AES/CBC/PKCS7PADDING", "BC"); // OR Cipher.getInstance("AES/CBC/PKCS7PADDING", Security.getProvider("BC"));
As noted above, requesting a specific provider is discouraged, so if you follow that guideline, this deprecation should not affect you.
Password-based encryption ciphers without an IV
Password-based encryption (PBE) ciphers that require an initialization vector (IV) can obtain it from the key, if it's suitably constructed, or from an explicitly-passed IV. When passing a PBE key that doesn't contain an IV and no explicit IV, the PBE ciphers on Android currently assume an IV of zero.
When using PBE ciphers, always pass an explicit IV, as shown in the following code snippet:
Kotlin
val key: SecretKey = ... val cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC") val iv = ByteArray(16) SecureRandom().nextBytes(iv) cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(iv))
Java
SecretKey key = ...; Cipher cipher = Cipher.getInstance("PBEWITHSHA256AND256BITAES-CBC-BC"); byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv); cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
Crypto provider
As of Android 9 (API level 28), the Crypto Java Cryptography Architecture
(JCA) provider has been removed. If your app requests an instance of the
Crypto provider, such as by calling the following method, a
NoSuchProviderException
occurs.
Kotlin
SecureRandom.getInstance("SHA1PRNG", "Crypto")
Java
SecureRandom.getInstance("SHA1PRNG", "Crypto");
Supported algorithms
These are the JCA algorithm identifiers that are supported on Android at each API level.
AlgorithmParameterGenerator
AlgorithmParameters
CertPathBuilder
CertPathValidator
CertStore
CertificateFactory
Cipher
KeyAgreement
KeyFactory
KeyGenerator
KeyManagerFactory
KeyPairGenerator
KeyStore
Mac
MessageDigest
SSLContext
SSLEngine.Supported
SSLSocket.Supported
SecretKeyFactory
SecureRandom
Signature
TrustManagerFactory
AlgorithmParameterGenerator
Algorithm | Supported API Levels |
---|---|
AES | 1-8 |
DES | 1-8 |
DESede | 1-8 |
DH | 1+ |
DSA | 1+ |
AlgorithmParameters
Algorithm | Supported API Levels |
---|---|
AES | 1+ |
BLOWFISH | 10+ |
ChaCha20 | 28+ |
DES | 1+ |
DESede | 1+ |
DH | 1+ |
DSA | 1+ |
EC | 26+ |
GCM | 22+ |
IES | 1-8 |
OAEP | 1+ |
PBEwithHmacSHA1AndAES_128 | 26+ |
PBEwithHmacSHA1AndAES_256 | 26+ |
PBEwithHmacSHA224AndAES_128 | 26+ |
PBEwithHmacSHA224AndAES_256 | 26+ |
PBEwithHmacSHA256AndAES_128 | 26+ |
PBEwithHmacSHA256AndAES_256 | 26+ |
PBEwithHmacSHA384AndAES_128 | 26+ |
PBEwithHmacSHA384AndAES_256 | 26+ |
PBEwithHmacSHA512AndAES_128 | 26+ |
PBEwithHmacSHA512AndAES_256 | 26+ |
PKCS12PBE | 1+ |
PSS | 1-8,24+ |
CertPathBuilder
Algorithm | Supported API Levels |
---|---|
PKIX | 1+ |
CertPathValidator
Algorithm | Supported API Levels |
---|---|
PKIX | 1+ |
CertStore
Algorithm | Supported API Levels |
---|---|
Collection | 1+ |
CertificateFactory
Algorithm | Supported API Levels |
---|---|
X.509 | 1+ |
Cipher
Algorithm | Modes | Paddings | Supported API Levels | Notes |
---|---|---|---|---|
AES | CBC CFB CTR CTS ECB OFB |
ISO10126Padding NoPadding PKCS5Padding |
1+ | |
GCM | NoPadding | 10+ | ||
AES_128 | CBC ECB |
NoPadding PKCS5Padding |
26+ | |
GCM | NoPadding | 26+ | ||
AES_256 | CBC ECB |
NoPadding PKCS5Padding |
26+ | |
GCM | NoPadding | 26+ | ||
ARC4 | ECB | NoPadding | 10+ | |
NONE | NoPadding | 28+ | ||
BLOWFISH | CBC CFB CTR CTS ECB OFB |
ISO10126Padding NoPadding PKCS5Padding |
10+ | |
ChaCha20 | NONE Poly1305 |
NoPadding | 28+ | ChaCha with 20 rounds, 96-bit nonce, and 32-bit counter as described in RFC 7539. |
DES | CBC CFB CTR CTS ECB OFB |
ISO10126Padding NoPadding PKCS5Padding |
1+ | |
DESede | CBC CFB CTR CTS ECB OFB |
ISO10126Padding NoPadding PKCS5Padding |
1+ | |
RSA | ECB NONE |
NoPadding OAEPPadding PKCS1Padding |
1+ | |
OAEPwithSHA-1andMGF1Padding OAEPwithSHA-256andMGF1Padding |
10+ | |||
OAEPwithSHA-224andMGF1Padding OAEPwithSHA-384andMGF1Padding OAEPwithSHA-512andMGF1Padding |
23+ |
KeyAgreement
Algorithm | Supported API Levels |
---|---|
DH | 1+ |
ECDH | 11+ |
KeyFactory
Algorithm | Supported API Levels |
---|---|
DH | 1+ |
DSA | 1+ |
EC | 11+ |
RSA | 1+ |
X.509 | 1-8 |
KeyGenerator
Algorithm | Supported API Levels |
---|---|
AES | 1+ |
AESWRAP | 1-8 |
ARC4 | 14+ |
BLOWFISH | 10+ |
ChaCha20 | 28+ |
DES | 1+ |
DESede | 1+ |
DESedeWRAP | 1-8 |
HmacMD5 | 1+ |
HmacSHA1 | 11+ |
HmacSHA224 | 1-8, 22+ |
HmacSHA256 | 1+ |
HmacSHA384 | 1+ |
HmacSHA512 | 1+ |
RC4 | 10-13 |
KeyManagerFactory
Algorithm | Supported API Levels |
---|---|
PKIX | 1+ |
KeyPairGenerator
Algorithm | Supported API Levels |
---|---|
DH | 1+ |
DSA | 1+ |
EC | 11+ |
RSA | 1+ |
KeyStore
Algorithm | Supported API Levels |
---|---|
AndroidCAStore | 14+ |
AndroidKeyStore | 18+ |
BCPKCS12 | 1-8 |
BKS | 1+ |
BouncyCastle | 1+ |
PKCS12 | 1+ |
PKCS12-DEF | 1-8 |
Mac
Algorithm | Supported API Levels |
---|---|
DESMAC | 1-8 |
DESMAC/CFB8 | 1-8 |
DESedeMAC | 1-8 |
DESedeMAC/CFB8 | 1-8 |
DESedeMAC64 | 1-8 |
DESwithISO9797 | 1-8 |
HmacMD5 | 1+ |
HmacSHA1 | 1+ |
HmacSHA224 | 1-8, 22+ |
HmacSHA256 | 1+ |
HmacSHA384 | 1+ |
HmacSHA512 | 1+ |
ISO9797ALG3MAC | 1-8 |
PBEwithHmacSHA | 1+ |
PBEwithHmacSHA1 | 1+ |
PBEwithHmacSHA224 | 26+ |
PBEwithHmacSHA256 | 26+ |
PBEwithHmacSHA384 | 26+ |
PBEwithHmacSHA512 | 26+ |
MessageDigest
Algorithm | Supported API Levels |
---|---|
MD5 | 1+ |
SHA-1 | 1+ |
SHA-224 | 1-8, 22+ |
SHA-256 | 1+ |
SHA-384 | 1+ |
SHA-512 | 1+ |
SSLContext
Algorithm | Supported API Levels |
---|---|
Default | 10+ |
SSL | 10+ |
SSLv3 | 10-25 |
TLS | 1+ |
TLSv1 | 10+ |
TLSv1.1 | 16+ |
TLSv1.2 | 16+ |
SSLEngine
Algorithm | Supported API Levels | Enabled By Default |
---|---|---|
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 9-22 | |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | 9-22 | |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_DES_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_RC4_128_MD5 | 9-22 | |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 9-22 | 9-19 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | 9+ | 9-19 |
SSL_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_WITH_NULL_MD5 | 9-22 | |
SSL_RSA_WITH_NULL_SHA | 9-22 | |
SSL_RSA_WITH_RC4_128_MD5 | 9-25 | 9-19 |
SSL_RSA_WITH_RC4_128_SHA | 9-25 | 9-23 |
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 9-22 | 9-22 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 9-22 | 20-22 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DHE_DSS_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 9-25 | 9-25 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 9-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_DSS_WITH_DES_CBC_SHA | 1-8 | |
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_RSA_WITH_DES_CBC_SHA | 1-8 | |
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 1-8 | |
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | 1-8 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DH_anon_WITH_DES_CBC_SHA | 1-8 | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 20-25 | 20-23 |
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | 20-25 | 20-23 |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | 20-22 | |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 20-22 | |
TLS_ECDH_anon_WITH_NULL_SHA | 20-22 | |
TLS_ECDH_anon_WITH_RC4_128_SHA | 20-22 | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 20+ | 20+ |
TLS_FALLBACK_SCSV | 21+ | |
TLS_NULL_WITH_NULL_NULL | 1-8 | |
TLS_PSK_WITH_3DES_EDE_CBC_SHA | 21-22 | |
TLS_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_RC4_128_SHA | 21-25 | |
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_AES_128_CBC_SHA | 9+ | 9+ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA | 9+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_RSA_WITH_DES_CBC_SHA | 1-8 | 1-8 |
TLS_RSA_WITH_NULL_MD5 | 1-8 | |
TLS_RSA_WITH_NULL_SHA | 1-8 | |
TLS_RSA_WITH_NULL_SHA256 | 20-22 |
SSLSocket
Algorithm | Supported API Levels | Enabled By Default |
---|---|---|
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_DSS_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | 9-22 | 9-19 |
SSL_DHE_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 9-22 | |
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | 9-22 | |
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_DES_CBC_SHA | 9-22 | |
SSL_DH_anon_WITH_RC4_128_MD5 | 9-22 | |
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_EXPORT_WITH_RC4_40_MD5 | 9-22 | 9-19 |
SSL_RSA_WITH_3DES_EDE_CBC_SHA | 9+ | 9-19 |
SSL_RSA_WITH_DES_CBC_SHA | 9-22 | 9-19 |
SSL_RSA_WITH_NULL_MD5 | 9-22 | |
SSL_RSA_WITH_NULL_SHA | 9-22 | |
SSL_RSA_WITH_RC4_128_MD5 | 9-25 | 9-19 |
SSL_RSA_WITH_RC4_128_SHA | 9-25 | 9-23 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 9-22 | 9-22 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 9-22 | 11-22 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 9-25 | 9-25 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 20-25 | 20-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 9-25 | 11-25 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 20-25 | |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 20-25 | 20-25 |
TLS_DH_anon_WITH_AES_128_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA | 9-22 | |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 20-22 | |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | 11-25 | 11-23 |
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 11+ | 11+ |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 20+ | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 24+ | 24+ |
TLS_ECDHE_RSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDHE_RSA_WITH_RC4_128_SHA | 11-25 | 11-23 |
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_ECDSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_ECDSA_WITH_RC4_128_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 11-22 | 11-19 |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 20-22 | |
TLS_ECDH_RSA_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_RSA_WITH_RC4_128_SHA | 11-22 | 11-19 |
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 11-22 | |
TLS_ECDH_anon_WITH_NULL_SHA | 11-22 | |
TLS_ECDH_anon_WITH_RC4_128_SHA | 11-22 | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 11+ | 11+ |
TLS_FALLBACK_SCSV | 21+ | |
TLS_PSK_WITH_3DES_EDE_CBC_SHA | 21-22 | |
TLS_PSK_WITH_AES_128_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_AES_256_CBC_SHA | 21+ | 21+ |
TLS_PSK_WITH_RC4_128_SHA | 21-25 | |
TLS_RSA_WITH_AES_128_CBC_SHA | 9+ | 9+ |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 20+ | 20+ |
TLS_RSA_WITH_AES_256_CBC_SHA | 9+ | 11+ |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 20+ | |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 20+ | 20+ |
TLS_RSA_WITH_NULL_SHA256 | 20-22 |
SecretKeyFactory
Algorithm | Supported API Levels |
---|---|
AES | 23+ |
DES | 1+ |
DESede | 1+ |
HmacSHA1 | 23+ |
HmacSHA224 | 23+ |
HmacSHA256 | 23+ |
HmacSHA384 | 23+ |
HmacSHA512 | 23+ |
PBEwithHmacSHA1 | 1+ |
PBEwithHmacSHA1AndAES_128 | 26+ |
PBEwithHmacSHA1AndAES_256 | 26+ |
PBEwithHmacSHA224AndAES_128 | 26+ |
PBEwithHmacSHA224AndAES_256 | 26+ |
PBEwithHmacSHA256AndAES_128 | 26+ |
PBEwithHmacSHA256AndAES_256 | 26+ |
PBEwithHmacSHA384AndAES_128 | 26+ |
PBEwithHmacSHA384AndAES_256 | 26+ |
PBEwithHmacSHA512AndAES_128 | 26+ |
PBEwithHmacSHA512AndAES_256 | 26+ |
PBEwithMD5AND128BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5AND192BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5AND256BITAES-CBC-OPENSSL | 1+ |
PBEwithMD5ANDDES | 1+ |
PBEwithMD5ANDRC2 | 1+ |
PBEwithSHA1ANDDES | 1+ |
PBEwithSHA1ANDRC2 | 1+ |
PBEwithSHA256AND128BITAES-CBC-BC | 1+ |
PBEwithSHA256AND192BITAES-CBC-BC | 1+ |
PBEwithSHA256AND256BITAES-CBC-BC | 1+ |
PBEwithSHAAND128BITAES-CBC-BC | 1+ |
PBEwithSHAAND128BITRC2-CBC | 10+ |
PBEwithSHAAND128BITRC4 | 10+ |
PBEwithSHAAND192BITAES-CBC-BC | 1+ |
PBEwithSHAAND2-KEYTRIPLEDES-CBC | 1+ |
PBEwithSHAAND256BITAES-CBC-BC | 1+ |
PBEwithSHAAND3-KEYTRIPLEDES-CBC | 1+ |
PBEwithSHAAND40BITRC2-CBC | 1+ |
PBEwithSHAAND40BITRC4 | 10+ |
PBEwithSHAANDTWOFISH-CBC | 10+ |
PBKDF2withHmacSHA1 | 10+ |
PBKDF2withHmacSHA1And8BIT | 19+ |
PBKDF2withHmacSHA224 | 26+ |
PBKDF2withHmacSHA256 | 26+ |
PBKDF2withHmacSHA384 | 26+ |
PBKDF2withHmacSHA512 | 26+ |
SecureRandom
Algorithm | Supported API Levels |
---|---|
SHA1PRNG | 1+ |
Signature
Algorithm | Supported API Levels |
---|---|
DSA | 1+ |
DSAwithSHA1 | 1+ |
DSS | 1-19 |
ECDSA | 11+ |
ECDSAwithSHA1 | 11+ |
MD2withRSA | 1-3 |
MD4withRSA | 1-8 |
MD5withRSA | 1+ |
MD5withRSA/ISO9796-2 | 1-8 |
NONEwithDSA | 1+ |
NONEwithECDSA | 11+ |
NONEwithRSA | 17+ |
RSASSA-PSS | 1-8 |
SHA1withDSA | 1+ |
SHA1withECDSA | 11+ |
SHA1withRSA | 1+ |
SHA1withRSA/ISO9796-2 | 1-8 |
SHA1withRSA/PSS | 23+ |
SHA224withDSA | 20+ |
SHA224withECDSA | 20+ |
SHA224withRSA | 20+ |
SHA224withRSA/PSS | 23+ |
SHA256withDSA | 1+ |
SHA256withECDSA | 11+ |
SHA256withRSA | 1+ |
SHA256withRSA/PSS | 23+ |
SHA384withECDSA | 11+ |
SHA384withRSA | 1+ |
SHA384withRSA/PSS | 23+ |
SHA512withECDSA | 11+ |
SHA512withRSA | 1+ |
SHA512withRSA/PSS | 23+ |
TrustManagerFactory
Algorithm | Supported API Levels |
---|---|
PKIX | 1+ |