Distributing software with unlimited strength JCE policy files

I'm about to release some software that uses AES 256-bit encryption. I had to download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6" to do this level of encryption. I'd like to distribute my software with a bundled version of the JRE that includes these policy files. The software will be available to download from the Internet for those who pay for the service. Placing it on the Internet is technically an export because it's available to anyone in the world.
I've talked to the Bureau of Industry and Security and they said I need to file for a classification number (ECCN). Is this necessary if I'm using Sun's software? The JCE has already been through the export approval process so it would make sense if just including it in my software required nothing. I haven't been able to find any information about what to do legally if using the unlimited strength policy files. What laws do I need to know about or comply with to do this? Also, are there any legal ramifications of including the JRE with my software? I'm using a custom jre launcher that lets me bundle whatever jre I want with my software, so I assume it's a common practice, but I'm not sure.
Any help would be appreciated.

I posted this question on other sites as well, but never heard any good answers.
I've had to do some research and I've heard a few different things, but this is what I've learned:
Software being exported (putting on the Internet is an export) that contains symmetric encryption above 64-bit requires filling out a BIS-748P form. I had to first of all request a PIN and CIN (company id number) from the BIS so that I can access their SNAP-R system which is where you fill out and submit all the paper work (including the BIS-748P) online. I haven't filled that out yet, but once you do they will review your software and classify it with an ECCN number and depending on what if falls under they will require you to obtain a license or license exception. For what I'm doing (and what most probably need this for), a license is not needed. It's simply classified as a type of encryption software and they know who you are and what you're doing with it.
Until this is filed, the software is under a certain statute as to what you can do with it and there's a lot of legalities behind this entire process that I don't fully understand, but I think filling this paperwork out and talking to those who receive it is a good place to start.
I'm not a lawyer by any means and I could be missing some details, but this is what I understand about the process. If you learn anything else (or find some of this to be untrue), let me know.

Similar Messages

  • Replace the JCE Unlimited Strength Jurisdiction Policy files - SAP JVM 5

    Hi Experts,
    I had a NetWeaver 7.1 system with SAP JVM 5. I tried to run a cryptography software on the system, but the current JCE Unlimited Strength Jurisdiction Policy files of the JVM limited encryption algorithms and key lengths.
    I downloaded the jce_policy-1_5_0.zip file from the Sun website, unzipped it, replaced the old policy files (sapjvm_5/jre/lib/security/local_policy.jar and sapjvm_5/jre/lib/security/US_export_policy.jar) with the new ones, then restarted the server. But, after the server was restarted, the new policy files were deleted and the old ones were restored.
    Could you tell me what should I do to apply the new policy files?
    Thanks in advance.
    Victor

    Issue Resolved..with help of OSS note :739043
    EP 6.0 SP15.... I had same issue for Portal prodution:
    I had  copied new files (local_policy.jar and US_export_policy.jar) in directory /opt/java1.4/jre/lib/security
    Jun 16  2003 local_policy.jar
    -rw-rr   1 root       sys           4355 Jun 16  2003 US_export_policy.jar
    -rw-rr   1 root       sys           2910 Aug  2  2007 local_policy.1.jar
    -rw-rr   1 root       sys           2429 Aug  2  2007 US_export_policy.1.jar
    -rrr--   1 bin        bin           2910 Dec 12 10:14 local_policy.2.jar
    -rrr--   1 bin        bin           2429 Dec 12 10:14 US_export_policy.2.jar
    -rrr--   1 bin        bin           2223 Dec 12 10:25 java.policy
    -rrr--   1 bin        bin           6871 Dec 12 10:25 java.security
    -rrr--   1 bin        bin          41278 Dec 12 10:25 cacerts
    Thanks,
    Hari

  • Software distribution and Unlimited Strength Jurisdiction Policy Files

    I suppose, I'm NOT allowed to ship the Unlimited Strength Jurisdiction Policy Files (USJPF) with my application,
    even if living in Germany and not selling abroad, right?
    So I see 2 possibilities:
    - Use weaker encryption by default and encourage the users to download the USJPF by themself.
    - Implement a stronger encryption on the base of the weaker one by encrypting several times, let say in the way 3DES works.
    I'm quite sure, I'm not the only one facing such a problem, how do you solve it?

    The export of cryptography is usually contingent on the laws of the country that you live in. As a US citizen, I know that I cannot ship unlimited strength cryptography to specific countries without a permit. You should check what German law allows you to do (I was under the impression that Germany did not have such controls, but that impression could be dated) and read the license accompanying the USJPF in Germany, to see what restrictions are placed on it.
    Another option is to use a provider fhat is developed outside the US. I know that BouncyCastle is developed in Australia, so the US restrictions would not apply to them. Have you checked their licensing agreement to see what you're allowed to do with their provider files?

  • Java: Where are JCE Unlimited Strength Jurisdiction Policy Files for Java for Mac OS X 10.7?

    I need to install the JCE Unlimited Strength Jurisdiction Policy Files for Java 1.6 under Mac OS X 10.7.  I know where to get then from the Sun/Oracle Java download site, but want to make sure that these will work on the Mac.  Or, are there Mac specific versions somewhere?

    There's a  jce.jar file in /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/, so it appears that they're already in place, but that's just a WAG.

  • (JCE) Unlimited Strength Jurisdiction Policy Files

    I have got my program up and running, but now i keep the following error:
    "java.security.InvalidKeyException: Illegal key size or default parameters"
         at javax.crypto.Cipher.a(DashoA13*..)
         at javax.crypto.Cipher.a(DashoA13*..)
         at javax.crypto.Cipher.a(DashoA13*..)
         at javax.crypto.Cipher.init(DashoA13*..)I have read up on it but i need to install the JCE policies. Bluej is the compiler that i am using. How to do i install the policies into this compiler. Stupid question Isuppose but any help will be appreciated.
    Thanks in adavance

    Parry1982 wrote:
    I have the local_policy.jar & US_export_policy.jar install in the following directory;
    C:\ProgramFiles\Java\jdk1.6.0_16\jreThat is not where the installation instructions tells you to put them. You did read the installation instructions didn't you?

  • Override JCE default (limited strength) jurisdiction policy files

    Hi!
    I am writing an applet, which has to decrypt encrpyted file with some simetric algorithm, e.g. PBEWithMD5AndTripleDes. Due llimitations of key lengths in default (limited strength) jurisdiction policy files for JCE I cannot use for example TripleDES with 168 bit key or. Blowfish with 400 bit key.
    I know I can obtain Unlimited version of these files from java.sun.com and replace this files in JDK/JRE installation directory. That's ok for us at server side, but disaster at client (applet) side, because we must modify installation of JRE on every computer where user want to use applet and update it every time when JRE is being updated.
    So me question is: is there any way to distribute unlimited jurisdiction files with an applet (I know how to include *.jar files) and make it work? For example via endorsed mechanism, setting some security property, reloading JCE?
    Thanks for help!

    You can't override them. Since the restriction apply only to the JCE, your best bet is to use the lightweight API from Bouncy Castle which does not use the JCE.

  • Differences in JCE policy files between java 1.4 and 1.5?

    I'm using a app that needs JCE unlimited strength policy files to start. Attempting to start with limited strength policy files with Java 1.4 installed will give:
    java.security.InvalidKeyException: InitVerify error: java.lang.RuntimeException: engineGetKeySize() is not supported by this cipher!
    however, running the same app on java 1.5 with limited strength policy files does not give this problem. I've checked http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppE and http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#AppE and the maximum allowed keysizes are identical. Has something else changed in the JCE policy files between these java versions? Can anyone tell me what's going on?

    Incubus wrote:
    say I have a code that does:
    public void StringConcat(){
    int noOfIter = 10000;
    for(int i = 0; i < noOfIter; i++){
    String s = "String " + i + " Being " + i + "concatenated " + i + "using " + i + "String" + i + "Builder";
    If I compile this in 1.4 ( i.e using javac -source 1.4); the decompiled code looks the same.
    But if I do so in 1.5 ( i.e if I decompile the same code compiled using javac -source 1.5), this is how it looks:
    public void StringConcat(){
    int noOfIter = 10000;
    for(int i = 0; i < noOfIter; i++){
    String s = (new StringBuilder).append("String ").append( i).append( " Being ").append( i).append( "concatenated ").append( i).append( "using ").append( i).append( "String").append( i).append( "Builder").toString();
    The above was the compile time optimization I was talking about.What makes you think that the decompiler is not the problem?
    The ONLY difference between 1.5 and 1.4 in that case is that one uses StringBuilder and one uses StringBuffer. And StringBuffer is faster.
    Just wanted to know, are there any other differences in compile time optimizations between 1.4 and 1.5.I suggest that you go look at the read me. And I also suggest that you become familar with byte codes and stop assuming that a decompiler is going to tell you anything.

  • Installing JCE with unlimited strength version

    I have downloaded the file jce_policy-1_4_2.zip and kept
    it in java-> lib-> security with unzipped format.
    But when I compiled my program requiring this file it's showing
    compilation error.
    please mail me what to do?I am in problem.
    Actually I am doing 256bit data encryption, which required the
    above mentioned file. So please suggest me what to do.

    Olek wrote:
    Ok,
    This problem is solved. I've found the unlimited policy files
    for a jdk 1.5 version... for the newest jdk version it is impossible to find it!?
    The 1.5 version works for me.
    Err ... the last download on http://java.sun.com/javase/downloads/?intcmp=1281 .

  • Java Kernel and the "Unlimited Strength Java Crypto Extension Policy Files"

    Is Java Kernel able to download and install on-demand the "Unlimited Strength Java(TM) Cryptography Extension Policy Files"?
    Currently, I have to instruct the users of my applications to download those policy files from Sun's website and follow the installation instruction. I haven't received any positive feedback from my users when I told them to do this task. I understand them. Manual installation of this files really suck especially for lay men.
    So, with Java Kernel, what's the plan? Can I hope for something better?

    I believe, for US export-control reasons, the Unlimited Strength JCE policy files are never automatically downloadable by the JVM - they have to be explicitly downloaded and configured. However, you could download it yourself, configure the JVM with the policy files, create your own ZIP/JAR file and internally distribute it to your users through your intranet. But, if you do this, you are responsible for complying with the applicable export laws of your country, and perhaps, Sun licensing terms for redistributing the JVM.

  • JCE Unlimited Strength 11gR2 problem

    We download the unlimited strength JCE policy files (Java 1.5) and replaced local_policy.jar and US_export_policy.jar in javavm but no change in our error.
    we did not find useful and exact solution for 11g, need extra steps? thanks.

    we allocated the problem, we use BouncyCastle in database with loadjar and Oracle does not find the BC, error is
    KeyGenerator not available
    what is the solution? or a bug?

  • How to refer the unlimited key length JCE jar files.

    Hi All,
    The JDK 1.4.2_10 contains the local_policy.jar and US_export_policy.jar that do not permit an unlimited Key length( 64 bit).
    - So I downloaded the unlimited ( Java(TM) Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2
    ) https://jsecom15d.sun.com/ECom/EComActionServlet;jsessionid=0F59ACFF95A61F6C0E78B5CE8E0FA93B.
    -Now I want JDK to refer these files without changing anything in existing JDK ( Means I don't want to replcae the existing local_policy.jar , US_export_policy.jar ).
    - Is there any option or property which can tell the JDK to refer the other
    files instead of this location :- C:\bea\WLS8.1SP04\jdk142_05\jre\lib\security.
    Means I want to override these 2 existing files local_policy.jar , US_export_policy.jar without replcaing them.
    Any pointers will be highly appreciated.

    A year later, this is still an issue. No replies ( btw, this is my new login name for the forums ).
    Thank You.

  • Can using BouncyCastle be an alternative to installing the policy files?

    Hey, sorry if this is a dumb question but I have been looking into this all day.
    I want to write a program that incorporates unlimited strength encryption, but installing the JCE Unlimited Strength Jurisdiction Policy Files is not an option (I can do it on one of the development machines, but I don't have write access to JAVAHOME on the other, and I can't expect every user of the program to install these files).
    Now I know that if I specify BouncyCastle as a provider when using JCE, I still have to install the above files... but what if I don't use JCE and I use the algorithms provided (handily without any form of documentation whatsoever) by BouncyCastle - can this be a workaround? I've heard conflicting views on this.
    If this isn't the case, can anyone please point me in the right direction of what I could do instead? Ie. if there was some way to include these files in the classpath rather than actually install them.
    Also, if using BC is a solution to problem, I would really appreciate it if anyone has such an example of AES-256 encryption and decryption with CBC and padding that they could point me in the direction of, I am having a real issue figuring out the BC API.
    Thank-you so much if you can help me.

    As long as you use the BouncyCastle lightweight crypto API rather than the JCE you should not encounter any of the JCE's restrictions. This means you cannot use Cipher.getInstance("Whatever/ABCCBC/TooMuchPadding", "BC"). Just include the lightweight api jar in your class path; the source is here: http://www.bouncycastle.org/download/lcrypto-jdk1<whatever>-139.zip
    I haven't played with bouncycastle in awhile, but I think something like this will get you started:
    BlockCipher aes = new AESEngine();
    CBCBlockCipher aes_cbc = new CBCBlockCipher(aes);
    byte [] key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}; // 16 bytes for AES-128
    CipherParameters params = new KeyParameter(key);
    aes_cbc.init(true, params);
    //...

  • Jurisdiction policy files are not signed by trusted signers!

    Hi All,
    I am getting the following Security exception while running a Java stand-alone program on Linux.
    The stand-alone program internally calls the JCE (Java Cryptography Extension) library for Encryption of data. The JCE Unlimited Strength Jurisdiction policy files are downloaded from Sun.
    Does anybody have the solution for this error?
    Is there Security policy modification to be made for the same?
    Exception in thread "main" java.lang.ExceptionInInitializerError
    at javax.crypto.Cipher.a(Unknown Source)
    at javax.crypto.Cipher.getInstance(Unknown Source)
    at lncrypt.LnCryptBase.encryptImpl(LnCryptBase.java:122)
    at lncrypt.LnAes.encrypt(LnAes.java:78)
    at CloakingUtils.encrypt(CloakingUtils.java:69)
    at AlertsMigrationSweepUtil.updateAlerts(AlertsMigrationSweepUtil.java:203)
    at AlertsMigrationSweepUtil.main(AlertsMigrationSweepUtil.java:65)
    Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
    at javax.crypto.e.<clinit>(Unknown Source)
    ... 7 more
    Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
    at javax.crypto.e.a(Unknown Source)
    at javax.crypto.e.a(Unknown Source)
    at javax.crypto.e.g(Unknown Source)
    at javax.crypto.f.run(Unknown Source)
    at java.security.AccessController.doPrivileged1(Native Method)
    at java.security.AccessController.doPrivileged(AccessController.java:351)
    ... 8 more
    Regards,
    Vilas Kulkarni

    Make sure that which javaindicates the Java executable you expect.

  • Jce policy

    Where can i downlosd jck policy for Netweaver 7.1 trail version

    As suggested by the installer, go to http://java.sun.com/javase/downloads/index_jdk5.jsp and scroll down to Other Downloads -> Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0.
    HTH!
    -- Vladimir

  • Installation error in JCE policy

    I am getting an error while installing NW 2004s SR1 while giving JCE policy path.
    Java version:j2sdk1.4.2_13
    Error is:
    ERROR 2007-12-12 15:02:55
    FCO-00011  The step collect with step key |NW_Onehost|ind|ind|ind|ind|0|0|NW_Onehost_System|ind|ind|ind|ind|1|0|NW_GetSidNoProfiles|ind|ind|ind|ind|1|0|collect was executed with status ERROR .
    ERROR 2007-12-12 15:02:55
    MOS-01185  The subkey 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\McAfeeFramework' does not exist on the 'localhost' host.
    Pls help out of this problem

    Hello,
    I am having trouble installing
    SAP NetWeaver 2004s Java Trial Version (SP9)
    I get to the screen JCE unlimited strength jurisdiction policy archive,
    then I put the file C:\jce_policy-1_4_2\jce.
    It gives me error. It says the file does not exist.
    I downloaded the above file from sun web site, "http://java.sun.com/j2se/1.4.2/download.html".
    Can anyone help?
    The above file C:\jce_policy-1_4_2\jce\ contains
    local_policy.jar and US_export_policy.jar.
    Am I doing the right thing? Can anyone help?
    Thanks,
    Ajay Dharia

Maybe you are looking for

  • Number of concurrent users

    how can I find the number of concurrent users in oracle 10g; thank you

  • AnyConnect - Posture Assessment Failed: Unable to get the available CSD version....

    Hello all I am attempting to get the HostScan posture assessment working so we can check that any device connecting to the ASA is a valid corporate asset. I have installed the posture module onto our test client machine (Windows 8.1) using the follow

  • False Positives with GRC AC 5.2

    Hi, I actually have been working with GRC AC 5.2 (Compliance Calibrator) and we encountered several problems with false positives, working in the risk analysis. ¿do anyone knows how to solve this problem? ¿do you have documents or links to help? Than

  • Dates driving me madd

    I have a form whcih updates to an access database. The users uses a calendar box to enter the date in the form and this enters fine. I need a search page to find the information based on the search date. I have the search page and results page but ca

  • Oracle ADF Mobile Framework for native mobile applications

    Hi All, Has anybody tell me the roadmap from Oracle for the new release of Oracle Mobile Client (Native Mobile Application Development). What is the tentative release date for the new framework? Regards, Muthulakshmi