问题
The project I am working on has a segment which requires AES encryption and decryption. From all the possible internet source that I could look up, it was hard to find any reference to AES256 encryption without having to download and install the Unlimited Strength JCE files from Sun's (now Oracle's website). Besides whatever legal issues that exist with the distribution of the same, it is not helping us very practically when it comes to asking an end user to visit a particular website and download some files, put them in a directory and then add things to classpath if on Windows etc!
There were some references on the internet to BountyCastle's lightweight API which possibly didn't require the JCE files, but I couldn't look up a very relevant reference or example which demonstrated it.
Not sure, but is this a problem with every other programming language?
If it is not possible to have AES 256 bit encryption without those having those particular JCE files installed, then can the JNI approach help?
To elaborate a bit, can AES 256 encryption be done in C/C++ and then can I call those using JNI to have the desired results? Would packaging the software (as a jar file) be a cause of concern, or can there be other issues?
Another important factor that comes into play is that the project would be run both of Mac and Windows, so can be be limitations using C/C++ (specific compiler/interpreter versions or anything)?
Is there a different way to handle this? Any other approach(es)?
回答1:
The key size restrictions are implemented in the Cipher class of Java. It is possible to use any other class that implements AES to get AES-256 functionality. For instance, it is possible to use the "lightweight" API of Bouncy Castle to use key sizes of any strength. In that case you can e.g. use org.bouncycastle.crypto.engines.AESFastEngine directly (and a mode and a padding of your choice. It is still possible to use the normal .jar for Bouncy Castle, but you won't be using the JCA functionality of the BouncyCastle provider.
This has some disadvantages and advantages. The lightweight Bouncy Castle API is somewhat lower level to the JCA functionality added to the Sun classes by the "BC" provider. Furthermore, a lot of components (such as the SSL layer within Java, JSSE, or the XML encryption libraries) use the JCA to supply the required cryptographic functionality. The libraries that require JCA functionality will still be limited to restricted key sizes.
Note that using other providers won't work, as the Cipher class itself checks for the key size. The CipherSpi implementation classes that may be contained within a JCA provider cannot (positively) influence the allowed key sizes. You can only directly use the implementation classes.
回答2:
First of all, no it is not a problem with every programming environment. OpenSSL which is written in C has support for large keys for example. From experience with both JCE and JNI I would however suggest that you find a way to use pure Java instead of loading a native library through JNI. It is just a lot easier.
A practical solution: Is your application installed using some kind of installer application during installation? If so, then one solution could be to use this installer to also install JCE.
BouncyCastle unfortunately also uses JCE as stated in their FAQ.
UPDATE 1: I found this library which might be what you are looking for. It doesn't seem to be maintained any longer however: http://www.cryptix.org/
UPDATE 2: GNU has a library which implements AES256: http://www.gnu.org/software/gnu-crypto/ . More on the available ciphers here: http://www.gnu.org/software/gnu-crypto/manual/Ciphers.html
Code example using GNU-Crypto given that you already have your key loaded in key_bytes:
IBlockCipher cipher = CipherFactory.getInstance("AES");
Map attributes = new HashMap();
attributes.put(IBlockCipher.CIPHER_BLOCK_SIZE, new Integer(16));
attributes.put(IBlockCipher.KEY_MATERIAL, key_bytes);
cipher.init(attributes);
int bs = cipher.currentBlockSize();
for (int i = 0; i + bs < pt.length; i += bs)
{
cipher.encryptBlock(pt, i, ct, i);
}
for (int i = 0; i + bs < cpt.length; i += bs)
{
cipher.decryptBlock(ct, i, cpt, i);
}
Please insure that you use a cryptographically secure random number generator such as SecureRandom to create your 256 bytes for the key:
byte[] seed = xxx; // Be sure to get a good new seed on every client machine.
SecureRandom random = new SecureRandom(seed);
byte[] key_bytes = new byte[256];
random.nextBytes(key_bytes);
来源:https://stackoverflow.com/questions/15551158/is-aes256-encryption-decryption-possible-in-java-without-unlimited-strength-jce