Sunday, 21 September 2014

How to install Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files

Problem

JCE has been integrated into the Java 2 SDK since the 1.4 release.

The diagram below shows a general overview of the Java cryptographic architecture. What we are discussing in this post relates to the JCE implementation provided by Sun/Oracle.

[Diagram: overview of the Java cryptographic architecture]

As per the Oracle documentation -

Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the JDK 5.0 from Sun Microsystems specify that "strong" but limited cryptography may be used.

That means the JDK has a deliberate key size restriction by default, so you cannot perform encryption with a key larger than 128 bits. If you do, you will get an error something like -

Caused by: java.security.InvalidKeyException: Illegal key size or default parameters

If you get this Exception there is nothing wrong with what you are doing. It's just the restriction on the encryption key size that comes built into the JDK.

The reason for this is that some countries have restrictions on the permitted key strength used in encryption algorithms.

Again, as per the documentation -

An "unlimited strength" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the "strong" version can be imported into those countries whose governments mandate restrictions. The JCE framework will enforce the restrictions specified in the installed jurisdiction policy files.

Finding maximum possible key length

To find the maximum key length allowed for an encryption algorithm you can use the Cipher.getMaxAllowedKeyLength() method. For example, for the AES algorithm you can do -

import javax.crypto.Cipher;

// Returns 128 under the default restricted policy and Integer.MAX_VALUE once the unlimited strength policy is installed
int maxKeyLength = Cipher.getMaxAllowedKeyLength("AES");

Removing the maximum key size restriction

You can remove the maximum key size restriction by replacing the existing JCE policy jars with the unlimited strength policy jars.

Download the zip file, extract the jars, and replace them in your JDK/JRE.

To do this, copy local_policy.jar and US_export_policy.jar extracted from the above zip file to $JAVA_HOME/jre/lib/security.

Note: These jars will already be present there, so you will have to overwrite them.

Then simply restart your Java application and the Exception should be gone.
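The following self-check program is an added example and is not part of the original post. It reports the key length the installed jurisdiction policy allows and then shows, for each AES key size, whether the InvalidKeyException described above is raised. Run it once before and once after overwriting the two jars to confirm the change took effect. The class name JcePolicyCheck and the all-zero test key are my own constructions; the key exists only to probe the policy and must never be used to protect real data.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {

    // True when the installed policy permits AES-256 (Integer.MAX_VALUE under the unlimited policy).
    public static boolean isUnlimitedStrength() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // Attempts to initialise an AES cipher with a key of the given bit length.
    // Returns null when the policy accepts the key, otherwise the exception message
    // (typically "Illegal key size or default parameters" under the restricted policy).
    public static String tryInitAes(int keyBits) throws Exception {
        // Constructed all-zero probe key: only its length matters for this check.
        byte[] keyBytes = new byte[keyBits / 8];
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        // CBC is used so the provider generates a random IV in ENCRYPT_MODE;
        // the mode itself is irrelevant to the key-size check.
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Maximum AES key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        for (int bits : new int[] {128, 192, 256}) {
            String error = tryInitAes(bits);
            System.out.println("AES-" + bits + ": "
                    + (error == null ? "accepted" : "refused (" + error + ")"));
        }

        if (!isUnlimitedStrength()) {
            System.out.println("Restricted policy in effect: copy the unlimited strength "
                    + "local_policy.jar and US_export_policy.jar into $JAVA_HOME/jre/lib/security "
                    + "and restart the JVM.");
        }
    }
}
```

Compile and run it with the same JDK/JRE your application uses (`javac JcePolicyCheck.java && java JcePolicyCheck`); because the policy is read from that installation's lib/security directory, checking from a different JDK on the same machine tells you nothing about the one your application runs on.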

Alternate way around the maximum encryption key size problem

This way is really a workaround. In fact, this approach is a workaround to all problems, and it's not straightforward. Yeah, you must have guessed it by now - Reflection.

You can override the restriction with Reflection as follows -

import java.lang.reflect.Field;

try {
    // isRestricted is a private static flag inside the Sun/Oracle JCE implementation
    Field field = Class.forName("javax.crypto.JceSecurity").getDeclaredField("isRestricted");
    field.setAccessible(true);
    // Clear the flag so the framework stops enforcing the jurisdiction policy limit
    field.set(null, java.lang.Boolean.FALSE);
} catch (Exception ex) {
    ex.printStackTrace();
}

Note 1: I do not recommend the Reflection approach as it's hacky. If you are using it, keep it for testing only. Don't put it in production code :)

Note 2: As the change of replacing the policy files is in the JDK itself, you will have to do it on all your servers. You will also have to ask all your clients to do so.
