Unlimited Strength Policy File

Similar Messages

• How to install unlimited strength policy files with 2003 windows server

  Hi all,
  I am working on encryption AES 256 bit key encryption.
  128 is default encryption key.But for use 256 bit encryption key need to add unlimited strength policy file with jdk.
  That is working fine on windows xp.
  Now problem
  But when i run on client machine with operating system windows 2003 server standard.
  I replaced all files under folder Java\jdk1.6.0_10\jre\lib\security with files which i am using on windows XP.
  Restarted the computer after update files but on windows server 2003 256 bit key encryption not working.
  Giving following exception
  java.security.InvalidKeyException: Illegal key size or default parameters
       javax.crypto.Cipher.a(DashoA13*..)
       javax.crypto.Cipher.a(DashoA13*..)
       javax.crypto.Cipher.a(DashoA13*..)
       javax.crypto.Cipher.init(DashoA13*..)
       javax.crypto.Cipher.init(DashoA13*..)
  Please suggest me how to run encryption on windows server 2003..
  Thanks
  Anu

  anu1106 wrote:
  I replaced all files under folder Java\jdk1.6.0_10\jre\lib\security with files which i am using on windows XP.Why? Why not just install the unlimited strength files in the normal way according to the installation instructions given in the distribution file?

• Distributing software with unlimited strength JCE policy files

  I'm about to release some software that uses AES 256-bit encryption. I had to download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6" to do this level of encryption. I'd like to distribute my software with a bundled version of the JRE that includes these policy files. The software will be available to download from the Internet for those who pay for the service. Placing it on the Internet is technically an export because it's available to anyone in the world.
  I've talked to the Bureau of Industry and Security and they said I need to file for a classification number (ECCN). Is this necessary if I'm using Sun's software? The JCE has already been through the export approval process so it would make sense if just including it in my software required nothing. I haven't been able to find any information about what to do legally if using the unlimited strength policy files. What laws do I need to know about or comply with to do this? Also, are there any legal ramifications of including the JRE with my software? I'm using a custom jre launcher that lets me bundle whatever jre I want with my software, so I assume it's a common practice, but I'm not sure.
  Any help would be appreciated.

  I posted this question on other sites as well, but never heard any good answers.
  I've had to do some research and I've heard a few different things, but this is what I've learned:
  Software being exported (putting on the Internet is an export) that contains symmetric encryption above 64-bit requires filling out a BIS-748P form. I had to first of all request a PIN and CIN (company id number) from the BIS so that I can access their SNAP-R system which is where you fill out and submit all the paper work (including the BIS-748P) online. I haven't filled that out yet, but once you do they will review your software and classify it with an ECCN number and depending on what if falls under they will require you to obtain a license or license exception. For what I'm doing (and what most probably need this for), a license is not needed. It's simply classified as a type of encryption software and they know who you are and what you're doing with it.
  Until this is filed, the software is under a certain statute as to what you can do with it and there's a lot of legalities behind this entire process that I don't fully understand, but I think filling this paperwork out and talking to those who receive it is a good place to start.
  I'm not a lawyer by any means and I could be missing some details, but this is what I understand about the process. If you learn anything else (or find some of this to be untrue), let me know.

• Differences in JCE policy files between java 1.4 and 1.5?

  I'm using a app that needs JCE unlimited strength policy files to start. Attempting to start with limited strength policy files with Java 1.4 installed will give:
  java.security.InvalidKeyException: InitVerify error: java.lang.RuntimeException: engineGetKeySize() is not supported by this cipher!
  however, running the same app on java 1.5 with limited strength policy files does not give this problem. I've checked http://java.sun.com/j2se/1.5.0/docs/guide/security/jce/JCERefGuide.html#AppE and http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/JCERefGuide.html#AppE and the maximum allowed keysizes are identical. Has something else changed in the JCE policy files between these java versions? Can anyone tell me what's going on?

  Incubus wrote:
  say I have a code that does:
  public void StringConcat(){
  int noOfIter = 10000;
  for(int i = 0; i < noOfIter; i++){
  String s = "String " + i + " Being " + i + "concatenated " + i + "using " + i + "String" + i + "Builder";
  If I compile this in 1.4 ( i.e using javac -source 1.4); the decompiled code looks the same.
  But if I do so in 1.5 ( i.e if I decompile the same code compiled using javac -source 1.5), this is how it looks:
  public void StringConcat(){
  int noOfIter = 10000;
  for(int i = 0; i < noOfIter; i++){
  String s = (new StringBuilder).append("String ").append( i).append( " Being ").append( i).append( "concatenated ").append( i).append( "using ").append( i).append( "String").append( i).append( "Builder").toString();
  The above was the compile time optimization I was talking about.What makes you think that the decompiler is not the problem?
  The ONLY difference between 1.5 and 1.4 in that case is that one uses StringBuilder and one uses StringBuffer. And StringBuffer is faster.
  Just wanted to know, are there any other differences in compile time optimizations between 1.4 and 1.5.I suggest that you go look at the read me. And I also suggest that you become familar with byte codes and stop assuming that a decompiler is going to tell you anything.

• JCE: jurisdiction policy files

  Hello, I am new to this forum and my English is not very well. I have the following problem. I wish to use unlimited cryptography within an applet. I know, if I want to use unlimited crypto I have to install the unlimited jurisdiction policy files. Because mostly the JRE is installed under c:\programm files, where a normal user would not have the right to write, it is not very convenient to ask an admin for every workstation to install the unlimited jurisdiction policy files. Is there anyway to use unlimited crypto without touching the clients JRE?!?!
  Is it possible to install the unlimited jurisdiction policy files in another location on client at runtime???
  Maybe I can use an alternate JCE (BC or GNU)? But how? I think I can not install a new javax.crypto* from an applet? Maybe it�s possible to user another packet name?
  Or is it possible to use the cipher functionality of a provider outside the JCE?
  Have somebody had the same problem before? Any answer is very welcome!
  Regards from Berlin!

  If it could be done, it would be a serious security bug. Normal users cannot remove or change that file at all under Windows, only power users or admins can do that. An applet can have access to a file, but only if it gets permission to do so (e.g. by being signed by a trusted source, or by being accepted by the user). But to do something with this particular file, an admin should be starting up the browser really.

• API method to check unlimited strength cryptography

  Hi,
  Is there any API available to check whether user has installed the unlimited strength cryptography files?
  Regards,
  Efby.

  Not directly. Indirectly you can try to generate 2048bits RSA key.

• Java Kernel and the "Unlimited Strength Java Crypto Extension Policy Files"

  Is Java Kernel able to download and install on-demand the "Unlimited Strength Java(TM) Cryptography Extension Policy Files"?
  Currently, I have to instruct the users of my applications to download those policy files from Sun's website and follow the installation instruction. I haven't received any positive feedback from my users when I told them to do this task. I understand them. Manual installation of this files really suck especially for lay men.
  So, with Java Kernel, what's the plan? Can I hope for something better?

  I believe, for US export-control reasons, the Unlimited Strength JCE policy files are never automatically downloadable by the JVM - they have to be explicitly downloaded and configured. However, you could download it yourself, configure the JVM with the policy files, create your own ZIP/JAR file and internally distribute it to your users through your intranet. But, if you do this, you are responsible for complying with the applicable export laws of your country, and perhaps, Sun licensing terms for redistributing the JVM.

• Software distribution and Unlimited Strength Jurisdiction Policy Files

  I suppose, I'm NOT allowed to ship the Unlimited Strength Jurisdiction Policy Files (USJPF) with my application,
  even if living in Germany and not selling abroad, right?
  So I see 2 possibilities:
  - Use weaker encryption by default and encourage the users to download the USJPF by themself.
  - Implement a stronger encryption on the base of the weaker one by encrypting several times, let say in the way 3DES works.
  I'm quite sure, I'm not the only one facing such a problem, how do you solve it?

  The export of cryptography is usually contingent on the laws of the country that you live in. As a US citizen, I know that I cannot ship unlimited strength cryptography to specific countries without a permit. You should check what German law allows you to do (I was under the impression that Germany did not have such controls, but that impression could be dated) and read the license accompanying the USJPF in Germany, to see what restrictions are placed on it.
  Another option is to use a provider fhat is developed outside the US. I know that BouncyCastle is developed in Australia, so the US restrictions would not apply to them. Have you checked their licensing agreement to see what you're allowed to do with their provider files?

• Replace the JCE Unlimited Strength Jurisdiction Policy files - SAP JVM 5

  Hi Experts,
  I had a NetWeaver 7.1 system with SAP JVM 5. I tried to run a cryptography software on the system, but the current JCE Unlimited Strength Jurisdiction Policy files of the JVM limited encryption algorithms and key lengths.
  I downloaded the jce_policy-1_5_0.zip file from the Sun website, unzipped it, replaced the old policy files (sapjvm_5/jre/lib/security/local_policy.jar and sapjvm_5/jre/lib/security/US_export_policy.jar) with the new ones, then restarted the server. But, after the server was restarted, the new policy files were deleted and the old ones were restored.
  Could you tell me what should I do to apply the new policy files?
  Thanks in advance.
  Victor

  Issue Resolved..with help of OSS note :739043
  EP 6.0 SP15.... I had same issue for Portal prodution:
  I had  copied new files (local_policy.jar and US_export_policy.jar) in directory /opt/java1.4/jre/lib/security
  Jun 16  2003 local_policy.jar
  -rw-rr   1 root       sys           4355 Jun 16  2003 US_export_policy.jar
  -rw-rr   1 root       sys           2910 Aug  2  2007 local_policy.1.jar
  -rw-rr   1 root       sys           2429 Aug  2  2007 US_export_policy.1.jar
  -rrr--   1 bin        bin           2910 Dec 12 10:14 local_policy.2.jar
  -rrr--   1 bin        bin           2429 Dec 12 10:14 US_export_policy.2.jar
  -rrr--   1 bin        bin           2223 Dec 12 10:25 java.policy
  -rrr--   1 bin        bin           6871 Dec 12 10:25 java.security
  -rrr--   1 bin        bin          41278 Dec 12 10:25 cacerts
  Thanks,
  Hari

• Java: Where are JCE Unlimited Strength Jurisdiction Policy Files for Java for Mac OS X 10.7?

  I need to install the JCE Unlimited Strength Jurisdiction Policy Files for Java 1.6 under Mac OS X 10.7.  I know where to get then from the Sun/Oracle Java download site, but want to make sure that these will work on the Mac.  Or, are there Mac specific versions somewhere?

  There's a  jce.jar file in /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/, so it appears that they're already in place, but that's just a WAG.

• Override JCE default (limited strength) jurisdiction policy files

  Hi!
  I am writing an applet, which has to decrypt encrpyted file with some simetric algorithm, e.g. PBEWithMD5AndTripleDes. Due llimitations of key lengths in default (limited strength) jurisdiction policy files for JCE I cannot use for example TripleDES with 168 bit key or. Blowfish with 400 bit key.
  I know I can obtain Unlimited version of these files from java.sun.com and replace this files in JDK/JRE installation directory. That's ok for us at server side, but disaster at client (applet) side, because we must modify installation of JRE on every computer where user want to use applet and update it every time when JRE is being updated.
  So me question is: is there any way to distribute unlimited jurisdiction files with an applet (I know how to include *.jar files) and make it work? For example via endorsed mechanism, setting some security property, reloading JCE?
  Thanks for help!

  You can't override them. Since the restriction apply only to the JCE, your best bet is to use the lightweight API from Bouncy Castle which does not use the JCE.

• Achieve Unlimited Strength Jurisdiction without modifying JDK files?

  I have a requirement in my application to use Unlimited Strength Jurisdiction. So I downloaded and extracted the JCE files and placed them in $JAVA_HOME/jre/lib/security overriding the existing jars. This works perfectly fine for me.
  My question is; is there some way of installing the new policy files without having to override the files in the JDK. Ideally, I would like to set a system property to point to a different directory which includes the new policy files and not have to touch my jdk files. Is this possible?
  Thanks in advance.

  It cannot be done. You could always use the lightweight Bouncy Castle API that does not have the key size restrictions.

• Can using BouncyCastle be an alternative to installing the policy files?

  Hey, sorry if this is a dumb question but I have been looking into this all day.
  I want to write a program that incorporates unlimited strength encryption, but installing the JCE Unlimited Strength Jurisdiction Policy Files is not an option (I can do it on one of the development machines, but I don't have write access to JAVAHOME on the other, and I can't expect every user of the program to install these files).
  Now I know that if I specify BouncyCastle as a provider when using JCE, I still have to install the above files... but what if I don't use JCE and I use the algorithms provided (handily without any form of documentation whatsoever) by BouncyCastle - can this be a workaround? I've heard conflicting views on this.
  If this isn't the case, can anyone please point me in the right direction of what I could do instead? Ie. if there was some way to include these files in the classpath rather than actually install them.
  Also, if using BC is a solution to problem, I would really appreciate it if anyone has such an example of AES-256 encryption and decryption with CBC and padding that they could point me in the direction of, I am having a real issue figuring out the BC API.
  Thank-you so much if you can help me.

  As long as you use the BouncyCastle lightweight crypto API rather than the JCE you should not encounter any of the JCE's restrictions. This means you cannot use Cipher.getInstance("Whatever/ABCCBC/TooMuchPadding", "BC"). Just include the lightweight api jar in your class path; the source is here: http://www.bouncycastle.org/download/lcrypto-jdk1<whatever>-139.zip
  I haven't played with bouncycastle in awhile, but I think something like this will get you started:
  BlockCipher aes = new AESEngine();
  CBCBlockCipher aes_cbc = new CBCBlockCipher(aes);
  byte [] key = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}; // 16 bytes for AES-128
  CipherParameters params = new KeyParameter(key);
  aes_cbc.init(true, params);
  //...

• Unable to locate unrestricted policy files for the Sun JCE for download

  My platform:
  java version "1.6.0_26"
  Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
  Oracle JRockit(R) (build R28.1.4-7-144370-1.6.0_26-20110617-2130-windows-x86_64, compiled mode)
  I am unable to locate the Unlimited Strength Jurisdiction JCE files.
  According to BouncyCastle for Java 1.6:
  ..."you must download the unrestricted policy files for the Sun JCE if you want the provider to work properly. The policy files can be found at the same place as the JDK download. Further information on this can be found in the Sun documentation on the JCE."

  The version at the very bottom of http://www.oracle.com/technetwork/java/javase/downloads/index.html should work.

• JCE Unlimited Strength 11gR2 problem

  We download the unlimited strength JCE policy files (Java 1.5) and replaced local_policy.jar and US_export_policy.jar in javavm but no change in our error.
  we did not find useful and exact solution for 11g, need extra steps? thanks.

  we allocated the problem, we use BouncyCastle in database with loadjar and Oracle does not find the BC, error is
  KeyGenerator not available
  what is the solution? or a bug?