JCE policy changes in Java SE 8u151, 8u152 and 8u162

Published: October 21, 2017  •  Updated: January 17, 2018  •  java

Update January 16, 2018: Oracle released Java 8 u162. In this version the unlimited policy is enabled by default. You no longer need to install the policy file in the JRE or set the security property crypto.policy.

When you use the Java Cryptography Extension (JCE), you may already know that the Java runtime out of the box enforces a limit on the key lengths certain algorithms accept.

Look at the following program, which encrypts and decrypts a string with AES. It works fine when you use a key length of 128 bits (keyGen.init(128, random);).

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

byte[] input = "My super secret text".getBytes(StandardCharsets.UTF_8);

SecureRandom random = SecureRandom.getInstanceStrong();
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(128, random);   // 128-bit keys are allowed under the limited policy
SecretKey key = keyGen.generateKey();

Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
byte[] iv = new byte[12];   // 96-bit GCM nonce
random.nextBytes(iv);       // must never repeat for the same key, so pick it at random
GCMParameterSpec spec = new GCMParameterSpec(128, iv);   // 128-bit authentication tag
cipher.init(Cipher.ENCRYPT_MODE, key, spec);
byte[] cipherText = cipher.doFinal(input);

// Decrypt with the same key and nonce
cipher.init(Cipher.DECRYPT_MODE, key, spec);
byte[] plainText = cipher.doFinal(cipherText);
System.out.println(new String(plainText, StandardCharsets.UTF_8));

But when you change the key length to 192 (keyGen.init(192, random);) or 256 (keyGen.init(256, random);) bits, the Java runtime throws an exception when the cipher is initialized with the key:

Exception in thread "main" java.security.InvalidKeyException: Illegal key size

To solve that you have to go to the Oracle website, download the Unlimited Strength Jurisdiction Policy Files, unzip the archive, go to the <java-home>/lib/security directory and replace the two files local_policy.jar and US_export_policy.jar with the two files from the download.

With this change you can now use AES with key sizes of 192 and 256 bits without an exception.

This behaviour changed in versions 8u151 and 8u152 of Java 8. Since these versions it is no longer necessary to download the policy files from the Oracle website and install them. You can now set the unlimited policy directly in your application with this one-liner:

Security.setProperty("crypto.policy", "unlimited");

Make sure that this code runs before the JCE framework has been initialized; the property is read once, when the framework loads, and later changes have no effect.

Alternatively you can set the unlimited policy in the <jre_home>/lib/security/java.security file without changing any application. Search for the line #crypto.policy=unlimited and remove the # character to uncomment it.
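Whichever way you enable the policy, the application should verify at startup that the unlimited policy is actually in effect. The following is an added example, not code from the original post; it assumes Java 8u151 or later and that no JCE class has been touched before main() runs, because the check itself (Cipher.getMaxAllowedKeyLength) triggers the one-time read of crypto.policy.

```java
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/*
 * Added example (not from the original post). Assumes Java 8u151+.
 * Order matters: the property must be set before the first JCE call,
 * and getMaxAllowedKeyLength() counts as a JCE call.
 */
public final class JcePolicyCheck {

    /** Sets the unlimited policy and returns the maximum AES key length now allowed. */
    static int enableUnlimitedPolicy() throws Exception {
        Security.setProperty("crypto.policy", "unlimited");
        return Cipher.getMaxAllowedKeyLength("AES");   // Integer.MAX_VALUE when unlimited
    }

    /** Fails fast at startup if the runtime still enforces the limited policy. */
    static void requireAes256() throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        if (max < 256) {
            throw new IllegalStateException(
                "JCE limited policy active: max AES key length is " + max
                + " bits; set crypto.policy=unlimited before JCE initializes");
        }
    }

    public static void main(String[] args) throws Exception {
        int max = enableUnlimitedPolicy();
        System.out.println("max allowed AES key length: " + max);
        requireAes256();

        // Generating the key succeeds even under the limited policy;
        // it is the Cipher.init call that throws "Illegal key size" there.
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey key = keyGen.generateKey();
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "SunJCE");
        cipher.init(Cipher.ENCRYPT_MODE, key);   // SunJCE picks a fresh random nonce here
        System.out.println("AES-256 cipher initialized, key is "
            + key.getEncoded().length * 8 + " bits");
    }
}
```

On a JRE older than 8u151 the property is ignored, so requireAes256() still reports the limited policy unless the policy jars were replaced as described above.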

In the Java 9 runtime the policy is set to unlimited by default, so you don't have to change anything or add any code to your program when you use the latest Java version.