
I was told that in order to support AES256 encryption inside my Java app that I would need the JCE with Unlimited Strength Jurisdiction Policy Files.

I downloaded this from Oracle and unzipped it and I'm only seeing 2 JARs:

  • local_policy.jar; and
  • US_export_policy.jar

I just want to confirm I'm not missing anything here! My understanding (after reading the README.txt) is that I just drop these two into my <JAVA_HOME>/lib/security/ directory and they should be installed.

By the names of these JARs I have to assume that it's not the Java Crypto API that cannot handle AES256, but it's in fact a legal issue, perhaps? And that these two JARs basically tell the JRE "yes, it's legally acceptable to run this level of crypto (AES256)." Am I correct or off-base?

herpylderp

1 Answer


The following blog post answers your questions:

http://blogs.adobe.com/livecycle/2011/10/configuring-the-jdk-for-rights-management-encryption-using-aes-256-bit-keys.html

You effectively need the two JARs to be able to use AES256 encryption, and you need to perform the following steps, and I quote:

Copy the two JAR files to your JDK's /jre/lib/security/ folder, replacing the similarly named files that are already there.

Now, to the second part of your question: yes, it is due to legal issues:

Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped specify that “strong” but limited cryptography may be used. An “unlimited strength” version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the “strong” version can be imported into those countries whose governments mandate restrictions. The JCE framework will enforce the restrictions specified in the installed jurisdiction policy files.

Also, there is a related Q/A on the Security Stack: Export laws on the cloud (key size). Although the question is specific to the cloud, the main answer covers more ground than just the "cloud" and lists the countries you cannot get a license to sell your software to and those for which you require an import permit.

Finally, you may find more information on Wikipedia about the Export of cryptography in the United States.

Jalayn
  • So it is a workaround for a law that really doesn't work... Interesting. – Zbyszek Dec 21 '17 at 11:48
  • I'm still confused. Why does the JRE come with lib/security/policy/unlimited and limited subfolders which seem to replicate these files? Thus, there are no files to replace in the security folder; they are deeper. Can I delete the policy folder if I follow the README precisely? Size is an issue for us. – gunslingor Jun 13 '19 at 13:24
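A practical way to confirm the installation worked is to ask the JCE framework itself what the installed jurisdiction policy allows and then attempt an actual AES-256 round trip. The following is an added example written for this page; it is not code from the question, the answer or the linked Adobe blog post. It assumes Java 8 or later (AES/GCM in the SunJCE provider) and uses only standard javax.crypto APIs; the class and method names are my own. With the "limited" policy files, Cipher.getMaxAllowedKeyLength("AES") returns 128 and the Cipher.init call throws InvalidKeyException ("Illegal key size"); with the unlimited files it returns Integer.MAX_VALUE and the round trip succeeds. Note that the key generator happily produces a 256-bit key either way; the policy is enforced when the cipher is initialized, which is why the round trip is the real test.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Added example (not from the original post): reports what the installed JCE
 * jurisdiction policy permits for AES and proves it with an AES-256-GCM round trip.
 * Requires Java 8+ for AES/GCM in the SunJCE provider.
 */
public class Aes256PolicyCheck {

    /**
     * Maximum AES key length (in bits) the installed policy files allow:
     * 128 with the "limited" files, Integer.MAX_VALUE with the "unlimited" files.
     */
    public static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    public static boolean unlimitedPolicyInstalled() throws Exception {
        return maxAesKeyBits() >= 256;
    }

    /** AES-256-GCM encrypt/decrypt round trip; returns true if the plaintext survives. */
    public static boolean aes256RoundTrip(byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);                 // generating a 256-bit key succeeds even under the limited policy
        SecretKey key = kg.generateKey();

        byte[] iv = new byte[12];     // 96-bit GCM nonce, fresh for every message
        new SecureRandom().nextBytes(iv);
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);   // 128-bit authentication tag

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, spec);   // this is where "Illegal key size" is thrown
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] recovered = dec.doFinal(ciphertext);
        return Arrays.equals(plaintext, recovered);
    }

    public static void main(String[] args) throws Exception {
        int max = maxAesKeyBits();
        System.out.println("Policy allows AES key length: "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        // java.home is the directory the running JVM actually reads its policy from
        // (on Java 8 and earlier this is the jre/ directory, so check that lib/security).
        System.out.println("Policy directory in use: "
                + System.getProperty("java.home") + "/lib/security");

        // Constructed sample input for the round trip.
        byte[] msg = "test message".getBytes(StandardCharsets.UTF_8);
        try {
            System.out.println("AES-256 round trip ok: " + aes256RoundTrip(msg));
        } catch (InvalidKeyException e) {
            // With the limited policy files installed this prints "Illegal key size".
            System.out.println("AES-256 rejected by policy: " + e.getMessage());
        }
    }
}
```

Run it with the same java binary your application uses; if a JDK and a separate JRE are both installed, the printed policy directory tells you which lib/security the JARs actually have to go into. Two caveats worth knowing: JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled by default (selected through the crypto.policy security property rather than by swapping JARs), so on those releases the check may already pass without installing anything; and the check only covers the jurisdiction policy, not whether a given provider implements a particular algorithm or mode.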