Re: TLS problems
According to Lew <noone@lewscanon.com>:
Point being that they have to comply with the law. This is explained
in the README.txt file that comes with the stronger policy files.
The oddity lies in the apparent uselessness of the "stronger policy
files" since the plain JDK _already_ comes with the ability to use
arbitrary key lengths with RSA. Installing the "stronger policy files"
looks like just a convoluted way of doing nothing at all.
For instance, download a plain JDK-1.6.0_14 from Sun, preferably from
a machine which is located outside of the US, in case Sun would
automatically alter the downloaded file based on the country from which
the request comes. Then run the following program:
// ========================================================================
import java.security.interfaces.*;
import javax.crypto.*;
public class TestRSA {
public static void main(String[] args)
throws Exception
{
KeyPairGenerator kpgen =
KeyPairGenerator.getInstance("RSA");
kpgen.initialize(2048);
KeyPair kp = kpgen.genKeyPair();
PublicKey pk = kp.getPublic();
PrivateKey sk = kp.getPrivate();
System.out.printf("got RSA key, length=%d\n",
((RSAPrivateCrtKey)sk).getModulus().bitLength());
Cipher menc = Cipher.getInstance("RSA/ECB/PKCS1Padding");
menc.init(Cipher.ENCRYPT_MODE, pk);
menc.update("Hello World !".getBytes("UTF-8"));
byte[] ct = menc.doFinal();
Cipher mdec = Cipher.getInstance("RSA/ECB/PKCS1Padding");
mdec.init(Cipher.DECRYPT_MODE, sk);
mdec.update(ct);
byte[] pt = mdec.doFinal();
System.out.printf("plaintext = '%s'\n",
new String(pt, "UTF-8"));
}
}
// ========================================================================
That program generates a 2048-bit RSA key pair, encrypts a message with
the public key, then decrypts it with the private key. I tried this on a
plain JDK-1.6.0_14, newly downloaded from Sun's website from a machine
located in France (i.e. really outside of the US, and, I daresay, "more"
outside than, say, Canada or Mexico). The program above runs like a
charm.
However, the "stronger policy files" do have an effect, not on asymmetric
algorithms such as RSA, but on symmetric encryption algorithms. For
instance, with the newly downloaded JDK, one can encrypt symmetrically
with AES and a 128-bit key, but _not_ with a 192-bit of 256-bit key.
Installing the "stronger policy files" unlocks those extra key lengths.
This is still an oddity, since AES with a 128-bit key is already as
strong as one could wish (i.e. it is far advanced in the realm of
"mankind cannot break it now nor in the foreseeable future" in which
strength distinctions about key lengths are somewhat difficult to merely
define, let alone measure). Yet, this is not an oddity of Sun, rather an
oddity of the law (and, as far as I can see, this is not a US-only
oddity either). Speaking of which, the mere existence of three standard
key lengths for AES (128, 192 and 256 bits) is in itself an oddity which
stems from some US (military) regulatory requirements, which call for
three "distinct" levels of protection, under the assumption that a truly
unbreakable algorithm is necessarily expensive, and thus a relaxed mode
is called for (that assumption originates from the 1930s, before the
invention of the computer, but outdate military regulations are quite
hard to kill). Since 128 bits already provide unbreakable encryption
(with regards to nowadays technology), longer keys are not needed, but
they do exist, and they are import/export-regulated.
For much information on the laws about cryptography in various
countries, see:
http://rechten.uvt.nl/koops/cryptolaw/
For export from the United States, key lengths and algorithms are
unlimited, except that the US governments insists on a "technical
review" which is limited in time (basically, the US government wishes to
remain aware of what cryptographic tools exist and cross borders). Also,
there are special (and drastic) restrictions when the export is towards
one of the following seven countries: Cuba, Iran, Iraq, Libya, North
Korea, Sudan, and Syria (note that the list of "terrorist countries"
includes Iraq but not Afghanistan). Import laws of some countries
(for instance France) apply some restrictions on the import of
symmetric keys longer than 128 bits.
In Sun's JDK, lookup the contents of the jre/lib/security/local_policy.jar
and jre/lib/security/US_export_policy.jar files. These files define
the rules that Sun's JCE provider follows; these are the files that
the "stronger policy files" (jce_policy-6.zip) replace. In particular,
the "local_policy.jar" contains this file:
// Some countries have import limits on crypto strength. This policy file is worldwide importable.
grant {
permission javax.crypto.CryptoPermission "DES", 64;
permission javax.crypto.CryptoPermission "DESede", *;
permission javax.crypto.CryptoPermission "RC2", 128,
"javax.crypto.spec.RC2ParameterSpec", 128;
permission javax.crypto.CryptoPermission "RC4", 128;
permission javax.crypto.CryptoPermission "RC5", 128,
"javax.crypto.spec.RC5ParameterSpec", *, 12, *;
permission javax.crypto.CryptoPermission "RSA", *;
permission javax.crypto.CryptoPermission *, 128;
};
whereas the "stronger" file of the same name contains:
// Country-specific policy file for countries with no limits on crypto strength.
grant {
// There is no restriction to any algorithms.
permission javax.crypto.CryptoAllPermission;
};
which explains the differences. The standard, exportable JDK supports
key lengths up to 128 bits for encryption systems, except for RSA, which
is unlimited, and DES/Triple-DES, which have their own specific twists.
Note that this is only for encryption, _not_ signature, integrity check
or key agreement. In particular, Diffie-Hellman is unlimited in length,
as far as both cryptographic laws and policy files are concerned. The
limitation of Sun's JCE provider with regards to Diffie-Hellman is
internal to the code, and not an application of a law-constrained
policy.
--Thomas Pornin