4

I have created a Java application which needs to be distributed to a wide array of users, who do have JRE installed, but mostly won't have JCR Unlimited Strength Policy jar files in their JRE (as these need to be dropped in manually and aren't bundled with JRE installation).

Now, I've read at a couple of places that due to licensing restrictions, JCE files cannot be bundled with the application that needs to be deployed and must be downloaded and dropped into JRE manually. Is this true? If so, is there no way I can ship these files! A different problem doing so is to keep track of the JRE version - as there are different JCE jars for different version of JRE. So I might have to bundle JCE jars for JRE 1.4 through 1.7 (this is what my app support).

Is there an alternative to JCE unlimited strength policy files? BountyCastle also requires these files. The only thing that I am doing with these files is AES256 encryption. Any alternatives would be helpful.

Thanks

Cratylus
  • 52,998
  • 69
  • 209
  • 339
Rohan
  • 871
  • 1
  • 16
  • 32

2 Answers2

3

The Bouncy Castle provider requires these files, and only for a JRE that uses these policy files (but since that is Oracle, I guess you are stuck).

In desperate times you may want to encrypt using the Bouncy Castle lightweight API (classes starting with org.bouncycastle). The disadvantage of course is that it requires a rewrite, that the API is not as nice. The lightweight API can also not be used to plugin into implementations of higher level protocols such as JSSE (SSL) and CMS.

Or, finally, you can keep within the bounds of the restricted rules of course. AES-128 is pretty strong stuff (actually, you may wonder what the difference is when deploying AES-128 over AES-258 for practical purposes).

sourcenouveau
  • 29,356
  • 35
  • 146
  • 243
Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • Do you think aes128 would be strong enough (though not as strong as 256) for corporate level encryption! Can you recommend me a couple of links which shows the analysis done so far so that I can go through it and conclude on the algo. – Rohan Aug 17 '12 at 20:28
  • Just check keylength.com and if you don't trust that look at the recommendations by ECRYPT II and NIST that they refer to. AES 128 should be under "long term protection". AES-128 in general is ample, I would only go higher for very long lived documents that need top protection (or if there are no other reasons not to go for the maximum). – Maarten Bodewes Aug 18 '12 at 01:16
  • 3
    FWIW it's not the US Goverment's export laws that are the problem, it's several countries' *import* laws. From the Oracle JCE 7 README: "JCE for Java SE 7 has been through the U.S. export review process. The JCE framework ... is exportable. ... Due to the import restrictions of some countries, the jurisdiction policy files distributed with the Java SE 7 software have built-in restrictions on available cryptographic strength." So I've the US blame from your answer. – sourcenouveau Sep 10 '14 at 19:20
  • @M.Dudley You are right of course. Still strange that no other runtime has those kind of restrictions. – Maarten Bodewes Sep 10 '14 at 21:06
  • 1
    @owlstead The impetus is really on the user (importer) of the cryptography for compliance with local laws. Oracle is just making it possible/easier for them to do so, presumably because they want to do business in those countries ([China, Russia, Israel, etc.](http://www.cryptolaw.org/cls2.htm)). I don't know why Microsoft has not done similarly with .NET--perhaps they have a different interpretation of the various import laws, or perhaps the cost/benefit is too high. Smaller companies and FOSS projects probably just do not have the resources to worry about this kind of thing. – sourcenouveau Sep 11 '14 at 12:12
  • 1
    The problem is that it annoys the rest of the community immensely. Each and every JDK has to be patched in the field, or may run into problems later on. If they just provided a separate download of the entire JDK *with* the restrictions. Then it is up to the backward country to block the regular download with firewall rules (or laws). – Maarten Bodewes Sep 11 '14 at 12:29
1

These files are required in order to do cryptography in your program that is higher than some countries' import laws allow.

The jre by default does not carry the unlimited policy, but it is a separate download depending on the country's policy.

A different problem doing so is to keep track of the JRE version - as there are different JCE jars for different version of JRE. So I might have to bundle JCE jars for JRE 1.4 through 1.7 (this is what my app support).

You don't need to do that. The user who installs the jre in his machine will install also the appropriate files and your code using JCA/JCE or JSSE should not be affected.

Now I don't know what are the licensing issues for your application to carry the jre preconfigured with all you need to run in the target system and if it is a valid alternative

sourcenouveau
  • 29,356
  • 35
  • 146
  • 243
Cratylus
  • 52,998
  • 69
  • 209
  • 339
  • Thanks for reaching out with help. I actually won't be deploying the solution manually.. its a part of an application which will be installed at the client end which requires that the data that's sent to the server be AES256 encrypted. Now the client deployment can be anywhere from 10 to 1000 depending on size of the company.. its not possible to ask each one of those to go to oracle's website and then manually download the jars and push them in. These would be mostly non-tech people refraining from such operations :) – Rohan Aug 17 '12 at 20:25
  • Why not?The client software will be installed individually on each machine anyway as you say. It will be 1 extra manual step – Cratylus Aug 17 '12 at 20:32
  • The problem is that non-technical users just don't know how to install those files. They will have difficulties even when following a step-by-step guide. And what if the user doesn't have administrative privileges on the computer? – ntoskrnl Sep 15 '14 at 12:48
  • @ntoskrnl:You can create a script that takes care of these things (i.e. check the jre version and download and copy the files). `And what if the user doesn't have administrative privileges on the computer?` Are you talking about Windows or Linux? – Cratylus Sep 16 '14 at 20:55