Mutable fields should be private or possibly package-protected, never protected or public.
Once a field is published, it's impossible to ensure that it is properly synchronised, and it is impossible to change the implementation without API breakage.
Only constants should be published.
If there is really a need to access the field externally, this should be done through getters/setters, as those allow synchronisation to be added and make it easier to change the implementation.
Also, it's easy to add a getter/setter later if access is found to be needed.
Don't add one 'just in case' because it cannot easily be removed.
This observation applies to:
CipherInputStream - lots of protected mutable state
CipherOutputStream - ditto