Enabling Unlimited Strength Cryptography in Java

Last modified: September 8, 2021

1. Overview

In this tutorial, we’ll learn why the Java Cryptography Extension (JCE) unlimited strength policy files are not always enabled by default. Additionally, we’ll explain how to check the cryptographic strength. Afterward, we’ll show how to enable unlimited cryptography in different versions of Java.

2. JCE Unlimited Strength Policy Files

Let’s understand what cryptographic strength means. It is defined by the difficulty of discovering the key, which depends on the cipher used and the length of the key. In general, a longer key provides stronger encryption. Limited cryptographic strength allows keys of at most 128 bits. Unlimited strength, on the other hand, allows keys of up to 2147483647 bits.

As we know, the JRE itself contains encryption functionality. The JCE uses jurisdiction policy files to control the cryptographic strength. The policy files consist of two jars: local_policy.jar and US_export_policy.jar. Thanks to that, the Java platform has built-in control of cryptographic strength.

3. Why Aren’t the JCE Unlimited Strength Policy Files Included by Default

Firstly, only the older versions of the JRE do not include the unlimited strength policy files. The JRE versions 8u151 and earlier bundle only limited policy files. In contrast, starting from Java version 8u151, both unlimited and limited policy files are provided with the JRE. The reason is straightforward: some countries require restricted cryptographic strengths. If the law of a country allows unlimited cryptographic strength, it is possible to bundle or enable it, depending on the Java version.

4. How to Check the Cryptographic Strength

Let’s have a look at how to check cryptographic strength. We can do it by checking the maximum allowed key length:

int maxKeySize = javax.crypto.Cipher.getMaxAllowedKeyLength("AES");

With limited policy files, it returns 128. If it returns 2147483647 instead, the JCE is using the unlimited policy files.

5. Where Are the Policy Files Located

Java versions 8u151 and earlier contain the policy files in the JAVA_HOME/jre/lib/security directory.

Starting from version 8u151, the JRE provides different sets of policy files. As a result, the JRE directory JAVA_HOME/jre/lib/security/policy has two subdirectories: limited and unlimited. The first one contains the limited strength policy files. The second one contains the unlimited ones.

6. How to Enable Unlimited Strength Cryptography

Let’s now have a look at how we can enable maximum cryptographic strength. There are different ways to do it, depending on the version of Java we are using.

6.1. Handling Before Java Version 8u151

Before version 8u151, the JRE contains only limited strength policy files. We have to replace them with the unlimited version from the Oracle site.

First, we download the files for Java 8, which are available here. Next, we unpack the downloaded package, which contains local_policy.jar and US_export_policy.jar.

Finally, we copy these files to JAVA_HOME/jre/lib/security.

6.2. Handling After Java Version 8u151

In Java versions 8u151 and higher, the JCE framework uses the unlimited strength policy files by default. Furthermore, if we want to define which version to use, there is a security property, crypto.policy:

Security.setProperty("crypto.policy", "unlimited");

We must set the property before the JCE framework is initialized. It names the directory under JAVA_HOME/jre/lib/security/policy from which the policy files are loaded.

Firstly, when the security property is unset, the framework checks the legacy location JAVA_HOME/jre/lib/security for policy files. By default, new versions of Java have no policy files in the legacy location; the JCE checks it first to stay compatible with old versions.

Secondly, if the jar files are not present in the legacy location and the property is not defined, then the JRE by default uses the unlimited policy files.
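
The following startup check is an added example, not code from the original article. It combines the key-length check from section 4 with the crypto.policy property from this section, and additionally probes whether a 256-bit AES key is actually accepted. The class name CryptoPolicyCheck and the optional command-line argument are assumptions made for this example.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Added example: reports which JCE policy is in effect and fails fast if it is limited.
public class CryptoPolicyCheck {

    // Returns true if Cipher.init accepts a 256-bit AES key under the active policy.
    static boolean aes256Usable() throws Exception {
        // Constructed all-zero key, used only to probe the policy; never use it for real data.
        SecretKeySpec probeKey = new SecretKeySpec(new byte[32], "AES");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, probeKey); // provider generates a random IV
            return true;
        } catch (InvalidKeyException e) {
            // Limited policy files reject AES keys longer than 128 bits ("Illegal key size").
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Optional argument "limited" or "unlimited". The property must be set before
        // any JCE class is initialized, so this is the first statement of main.
        if (args.length > 0) {
            Security.setProperty("crypto.policy", args[0]);
        }
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        int maxKeyBits = Cipher.getMaxAllowedKeyLength("AES");
        boolean unlimited = maxKeyBits == Integer.MAX_VALUE; // 2147483647
        System.out.println("max AES key   = " + maxKeyBits + " bits ("
                + (unlimited ? "unlimited" : "limited") + " policy)");

        boolean ok = aes256Usable();
        System.out.println("AES-256 init  = " + (ok ? "accepted" : "rejected: illegal key size"));

        // Exit non-zero so a deployment on a limited JRE is caught at startup, not at first use.
        if (!ok) {
            System.exit(1);
        }
    }
}
```

Running it once with the argument limited and once with unlimited shows the effect of the property on a JRE that bundles both policy sets.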

7. Conclusion

In this short article, we learned about the JCE unlimited strength policy files. Firstly, we looked at why unlimited cryptographic strength is not enabled by default in older versions of Java. Next, we learned how to determine cryptographic strength by checking the maximum key length. Finally, we saw how to enable it in different versions of Java.

As always, the source code of the example is available over on GitHub.
