Sunday, 21 September 2014

How to install Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files

Problem

JCE has been integrated into the Java 2 SDK since the 1.4 release.

Below diagram shows general overview of Java cryptographic architecture. What we are discussing in this post is related to JCE implementation provided by Sun/oracle.




As per the oracle documentation - 

Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the JDK 5.0 from Sun Microsystems specify that "strong" but limited cryptography may be used.

 That mean JDK has a deliberate key size restriction by default. So you cannot perform an encryption with key more than 128 bits. If you do you will get error something like -

Caused by: java.security.InvalidKeyException: Illegal key size or default parameters

If you get this Exception there is nothing wroing that you are doing. It's just the restriction on encryption key that comes built into the JDK.

The reason for this is that some countries have restrictions on the permitted key strength used in encryption algorithms.

Again as per the documentation - 

An "unlimited strength" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the "strong" version can be imported into those countries whose governments mandate restrictions. The JCE framework will enforce the restrictions specified in the installed jurisdiction policy files.

Finding maximum possible key length

To find maximum key length allowed by an encryption algorithm you can useCipher.getMaxAllowedKeyLength() method.  For example for AES algorithm you can do - 

int maxKeyLength = Cipher.getMaxAllowedKeyLength("AES");

Removing the maximum key size restriction

You can remove the maximum key restriction by replacing the existing JCE jars with unlimited strength policy jars.

 Download the zip file extract the jars and replace them in your JDK/JRE.

For this Copy local_policy.jar and US_export_policy.jar extracted from above zip file to the $JAVA_HOME/jre/lib/security 

Note: These jars will be already be present there so you will have to overwrite them.

Then simply restart you java application and the Exception should be gone.

 Alternate way to maximum encryption key size problem

This way is really a workaround. Infact this approach is workaround to all problems and it's not straightforward. Yeah you must have guessed it by now - Reflection

You can override the restriction with Reflection as follows - 

try {
Field field = Class.forName("javax.crypto.JceSecurity").
getDeclaredField("isRestricted");
field.setAccessible(true);
field.set(null, java.lang.Boolean.FALSE);
} catch (Exception ex) {
ex.printStackTrace();
}

Note 1 :  i do not recommend the Reflection approach as it's hacky. If you are using it keep it for testing only. Don't put it in production code :)

Note 2 : As the change of replacing policy files is in JDK itself you will have to do it in all your servers. Also you will have to ask all your clients to do so.


Related Links

How to exclude Outlook results from the Start Menu search in Windows 7

Background

If you are using Microsoft outlook as your Email client you would have noticed when you search from your Start button Outlook search results appear. Sometime it gets really irritating when we are searching for something specific and irrelevant outlook searches block the space. Outlook itself had very good search workflow integrated. My personal feeling is that we don't need it unless we are searching mails everyday from start menu. In this post we will see how we can remove outlook results from Windows 7 Start Menu search.

Have picked the following image from google search just to demonstrate how the results appear - 


Excluding Outlook results from Start Menu Search

  1. Click in Start button.
  2. Search for indexing options and click on it.

  3. Select Modify.
  4. Uncheck Microsoft outlook and press ok.


  5. Close the indexing options box.
  6. Outlook searches should no longer appear in Win 7 start menu searches.

Starting and Stopping process in Windows from command Line

Background

In Windows it's all UI. Most people just double click on the icons or shortcuts to run the programs. Click on the cross icon to close it. Though it makes life easier as a programmer we should also know how to do the same using command line. Specially if you are wiring a program to do such a thing. In Linux/Unix it's quite easy. To start a process simply add it to the PATH and call the process. For example simply open the console and type 'firefox'. That should launch firefox  for you. If you want to stop the process you can execute kill -9 processId. Lets see how can we do the same in Windows.

Prior to starting to lean command lets see how can we open the command line - 

One way is
  1. Press Ctrl + R . This should open the "Run" prompt for you.
  2. In this prompt type "cmd" (without quotes) and hit enter.


Or you can open it from start button .
  1. Click on start button.
  2. Search for cmd or command and you should see cmd.exe or command prompt. Both are same. Click on it.


Note if you want to perform some administrative action you need to start the command prompt as Administrator  . To do so -
  1. Click on start button
  2. Search for cmd or command. Right click on cmd.exe or command prompt  and select Run as Administrator.

Getting PID of a process

  1. To get PID of a process is Windows command is tasklist. (Like in Linux we have ps command) 
  2. You can also get it using wmic (Windows Management Instrumentation Command-line) utility (Get PID of specific process). You need to execute following command (explorer.exe is an example)-

    wmic process where "caption='explorer.exe'" get caption,processId


 

Starting a Process

Starting a process is quite easy. All you have to do is run the following in command line -

start commandName

For example lets say you want to start notepad you can simply type the following in cmd - 

start notepad

Stopping a Process

 One way to stop or terminate Windows process from command line is via the PID of the process. To get the PID use one of the way described in Getting PID of process section  above.
Then to stop a process use the command -

taskill /f /pid pidOfProcess

Complete process (stop and start) of a process is shown in below screenshot -


Important Note : /F option is taskkill denotes force kill. Your unsaved data might be lost!

Note : You can do all the above using Task manager [Ctrl + Shift + Esc] too (UI based). Above method is just a way to do it via command line. It will be specially useful when writing program to execute process like runtime.getruntime().exec() in java.

t> UA-39527780-1 back to top