In this chapter, we’re going to look at the API that implements the ability to create and verify message digests. The ability to create a message digest is one of the standard engines provided by the Sun default security provider. You can therefore reasonably expect every Java implementation to create message digests.

Message digests are the simplest of the standard engines that compose the security provider architecture, so they provide a good starting point in our examination of those engines. In addition, message digests provide the first link in creating and verifying a digital signature—the most important goal of the provider architecture. However, message digests are useful entities in their own right, since a message digest can verify that data has not been tampered with—up to a point. As we’ll see, there are certain limitations on the security of a message digest that is transmitted along with the data it represents.

Message digests are implemented through a single class:

In Java 1.1, there is no MessageDigestSpi class, and the MessageDigest class simply extends Object. That difference is important only if you want to implement your own message digest class, which we’ll do later in the chapter.

Like all engines in the Java security package, the MessageDigest class (java.security.MessageDigest) is an abstract class; it defines an ...