Java: Patching client side security policy from applet for AES256
I require AES256 encryption/decryption in a commercial web application. Currently everything is good with a key size of 128. This is not satisfactory cryptographically so my
-
EDIT: Here's an updated answer to this question: How to avoid installing "Unlimited Strength" JCE policy files when deploying an application?
It is possible to disable the key size restrictions simply by using a few lines of reflection. We use this method in our program which needs access to 256-bit cryptography for interoperability purposes.
private static void removeCryptographyRestrictions() { if (!isRestrictedCryptography()) { return; } try { java.lang.reflect.Field isRestricted; try { final Class c = Class.forName("javax.crypto.JceSecurity"); isRestricted = c.getDeclaredField("isRestricted"); } catch (final ClassNotFoundException e) { try { // Java 6 has obfuscated JCE classes final Class c = Class.forName("javax.crypto.SunJCE_b"); isRestricted = c.getDeclaredField("g"); } catch (final ClassNotFoundException e2) { throw e; } } isRestricted.setAccessible(true); isRestricted.set(null, false); } catch (final Throwable e) { logger.log(Level.WARNING, "Failed to remove cryptography restrictions", e); } } private static boolean isRestrictedCryptography() { return "Java(TM) SE Runtime Environment" .equals(System.getProperty("java.runtime.name")); }However, our program is not an applet, and I am not sure whether applets have access to the reflection API.
The question about legality also remains. There is a reason for that limit. Consult a lawyer if you are concerned.
If possible, try to keep it to 128-bit keys. Even when taking Moore's law into consideration, breaking 128-bit AES would take billions upon billions of years. Longer keys offer no benefit in the real world – particularly when the keys are derived from passwords, which don't have anywhere near 256 bits of entropy anyway.
加载中...
- 热议问题