Re: JAR and JCE

Jan Luehe (luehe@laguna.eng.sun.com)
Mon, 27 Jul 1998 11:18:35 -0700 (PDT)

To: java-security@java.Sun.COM, David.Wadsworth@Canada

David:

> I have been reading about the JAVA Archive and the developer's ability to
> sign applets using JAR.
>
> Can you please tell me what the difference is, then, between JAR and JCE
> in this regard? My understanding was that JCE addressed the issue of
> bytecode authenticity.

JCE does not address the issue of bytecode authenticity.
That issue is addressed by *signed* JAR files.

JCE supplements the cryptography architecture in the JDK by
defining a framework for (and supplying implementations of)
encryption, session key generation and key agreement, and Message
Authentication Code (MAC) algorithms. JCE is supplied as a
JAR file itself.

Currently, there is only a standard for *signed* JAR files (using
the manifest specification and the "signedData" format defined in the
PKCS#7 standard), which protects the integrity and authenticity of the
bytecode in the signed JAR file.

However, this standard could easily be extended to also protect the
confidentiality of the class files in the JAR file (so that they
cannot be decompiled), by encrypting them. You could use JCE (or any
encryption tool) to encrypt the class files in your JAR file.
The recipient of your JAR file would have to implement a class loader
that knew how to recover the original (unencrypted) class files before
loading them.

Hope this helps.

Jan
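
The integrity and authenticity check that signed JAR files provide, as an added example that is not part of the original message: it opens a JAR with verification enabled, reads every entry to the end so the digest check runs, and lists entries that carry no signer. The class name `SignedJarCheck`, the method `unsignedEntries` and the sample JAR it builds are constructed for illustration.

```java
import java.io.*;
import java.util.*;
import java.util.jar.*;

public class SignedJarCheck {
    // Returns the names of entries that carry no code signer.
    // A SecurityException is thrown while reading if a signed entry's bytes
    // do not match the digest recorded for it.
    static List<String> unsignedEntries(File jar) throws IOException {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jf = new JarFile(jar, true)) {       // true = verify signatures
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                String name = e.getName();
                // Simplification: skip directories and everything under META-INF/
                // (manifest, .SF files and the PKCS#7 signature blocks live there).
                if (e.isDirectory() || name.startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }        // signers are known only after a full read
                }
                if (e.getCodeSigners() == null) unsigned.add(name);
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        File jar;
        if (args.length > 0) {
            jar = new File(args[0]);
        } else {
            // Constructed sample: an unsigned JAR holding one placeholder entry.
            jar = File.createTempFile("sample", ".jar");
            jar.deleteOnExit();
            try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar))) {
                out.putNextEntry(new JarEntry("demo/Hello.class"));
                out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
                out.closeEntry();
            }
        }
        List<String> unsigned = unsignedEntries(jar);
        System.out.println(unsigned.isEmpty() ? "all entries signed" : "unsigned: " + unsigned);
    }
}
```

A non-null signer only shows that the entry matches a signature stored in the JAR; whether that signer's certificate chain is one you trust is a separate check.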