1. Problem.
In order to secure sensitive data such as card number, user account, email, etc..that meet PCI standard, people usually employe Advanced Encryption Standard – Symmetric Encryption Algorithms (Stalling, Cryptography and Network Security) to make the data safely.
AES was designed to be efficient in both hardware and software and supports a block length of 128bits and key lengths of 128,192 and 256 bits; 8 called AES-128, AES192 and AES-256 respectively. In production, key lengths of AES-256 is a good choice to make encryption strong enough. However, the JDK, by default supports 128 of MaxAllowKeyLenght. Therefore, the JDK should install JCE policy for large key lengths.
2. Solution.
Assume that the application runs on CentOS/RHEL 7 and JDK version 8 (for instance, jdk1.8.0_181)
2.1 Install Oracle JDK.
How to Install JAVA 8 on CentOS/RHEL 7/6 and Fedora 28-23 is a reference to install JDK.
Make sure Java installed successfully.
$ java -version # java version "1.8.0_181" # Java(TM) SE Runtime Environment (build 1.8.0_181-b13) # Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
Find Java home directory. For example: /opt/jdk1.8.0_181
$ whereis java java: /usr/bin/java /usr/lib/java /etc/java /usr/share/java /opt/jdk1.8.0_181/bin/java
2.2 Install JCE.
By default, MaxAllowKeyLenght is 128 by checking the following code:
int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
System.out.println("MaxAllowedKeyLength=[" + maxKeyLen + "].");
If we try to different key size, a message error looks like:
java.security.InvalidKeyException: Invalid AES key length: 172 bytes
at com.sun.crypto.provider.AESCipher.engineGetKeySize(AESCipher.java:509)
at javax.crypto.Cipher.passCryptoPermCheck(Cipher.java:1067)
at javax.crypto.Cipher.checkCryptoPerm(Cipher.java:1038)
at javax.crypto.Cipher.implInit(Cipher.java:805)
at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
at javax.crypto.Cipher.init(Cipher.java:1396)
at javax.crypto.Cipher.init(Cipher.java:1327)
Download from Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8.
Extract the jar files from the zip and save them in ${java.home}/jre/lib/security/
$ cd UnlimitedJCEPolicyJDK8 3 $ ls - la # local_policy.jar # README.txt # US_export_policy.jar $ cp * /opt/jdk1.8.0_181/bin/java/jre/lib/security
All done and test AES again!
References:
- Using the Java Cryptographic Extensions.
- https://stackoverflow.com/questions/6481627/java-security-illegal-key-size-or-default-parameters
- https://medium.com/@danojadias/aes-256bit-encryption-decryption-and-storing-in-the-database-using-java-2ada3f2a0b14
- http://www.novixys.com/blog/java-aes-example/
- https://stackoverflow.com/questions/6729834/need-solution-for-wrong-iv-length-in-aes
- https://www.digicert.com/ssl-cryptography.htm