Security Top

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:


1. Overview

In this tutorial, we'll learn why the Java Cryptography Extension (JCE) unlimited strength policy files are not always enabled by default. Additionally, we'll explain how to check the cryptographic strength. Afterward, we'll show how to enable unlimited cryptography in different versions of Java.

2. JCE Unlimited Strength Policy Files

Let's understand what cryptographic strength means. It is defined by the difficulty of discovering the key, which depends on the used cipher and length of the key. In general, a longer key provides stronger encryption. The limited cryptographic strength uses a maximum 128-bit key. On the other hand, the unlimited one uses a key of maximum length 2147483647 bits.

As we know, the JRE contains encryption functionality itself. The JCE uses jurisdiction policy files to control the cryptographic strength. Policy files consist of two jars: local_policy.jar and US_export_policy.jar. Thanks to that, the Java platform has built-in control of cryptographic strength.

3. Why Aren't the JCE Unlimited Strength Policy Files Included by Default

Firstly, only the older versions of the JRE do not include the unlimited strength policy files. The JRE versions 8u151 and earlier bundle only limited policy files. In contrast, starting from Java version 8u151 unlimited and limited policy files are provided with the JRE. The reason is straightforward, some countries require restricted cryptographic strengths. In case the law of a country allows unlimited cryptographic strength, it is possible to bundle or enable it depending on the Java version.

4. How to Check the Cryptographic Strength

Let's have a look at how to check cryptographic strength. We can do it by checking the maximum allowed key length:

int maxKeySize = javax.crypto.Cipher.getMaxAllowedKeyLength("AES");

It returns 128, in case of limited policy files. On the other hand, in case it returns 2147483647 then the JCE uses unlimited policy files.

5. Where Are the Policy Files Located

Java versions 8u151 and earlier contain the policy files in JAVA_HOME/jre/lib/security directory.

Starting from version 8u151, the JRE provides different sets of policy files.  As a result, in the JRE directory JAVA_HOME/jre/lib/security/policy there are 2 subdirectories: limited and unlimited. The first one contains limited strength policy files. The second one contains unlimited ones.

6. How to Enable Unlimited Strength Cryptography

Let's now have a look at how we can enable maximum cryptographic strength. There are different ways how to do it depending on the version of Java we are using.

6.1. Handling Before Java Version 8u151

Before version 8u151 the JRE contains only limited strength policy files. We have to replace it with an unlimited version from the Oracle site.

First, we download files for Java 8, which are available here. Next, we unpack the downloaded package, which contains local_policy.jar and US_export_policy.jar.

Finally, we copy these files to JAVA_HOME/jre/lib/security.

6.2. Handling After Java Version 8u151

In Java versions 8u151 and higher, the JCE framework uses the unlimited strength policy files by default. Furthermore, in case we want to define which version to use, there is a security property crypto.policy:

Security.setProperty("crypto.policy", "unlimited");

We must set the property before the JCE framework initialization. It defines a directory under JAVA_HOME/jre/lib/security/policy for policy files.

Firstly, when the security property is unset, the framework checks the legacy location JAVA_HOME/jre/lib/security for policy files. Although, by default in new versions of Java, there are no policy files in the legacy location. The JCE checks it as the first one to be compatible with old versions.

Secondly, if the jar files are not present in the legacy location and the property is not defined, then the JRE by default uses the unlimited policy files.

7. Conclusion

In this short article, we learned about the JCE unlimited strength policy files. Firstly, we looked at why unlimited cryptographic strength is not enabled by default in older versions of Java. Next, we learned how to determine cryptographic strength by checking the maximum key length. Finally, we saw how to enable it in different versions of Java.

As always, the source code of the example is available over on GitHub.

Security bottom

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security 5:

Security footer banner
Comments are closed on this article!