Java Security: SunJSSE and TLSAES

TLSAES defines AES ciphersuites for TLS, and from TLS version 1.1, the AES cipher suites are merged in TLS specification. The AES supports key lengths of 128, 192 and 256 bits.  However, the TLSAES specification only defines ciphersuites for 128 and 256 bits keys.
In Java security context, there is a important concept, "jurisdiction policy". The JCA framework includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applets/applications in different jurisdiction contexts (locations). Any such restrictions are specified in "jurisdiction policy files".

Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the JDK from Sun Microsystems specify that "strong" but limited cryptography may be used. An "unlimited strength" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the "strong" version can be imported into those countries whose governments mandate restrictions. The JCA framework will enforce the restrictions specified in the installed jurisdiction policy files. 

According to the default jurisdiction policy, AES_128 is the "strong" cryptography, but AES_256 is one of "unlimited strength" cryptographies, which means that AES_256 cannot be used with the default installed JDK jurisdiction policy files.

From JDK1.4.2, the SunJSSE provider supports a number of AES_128 and AES_256 cipher suites. In 1.4.2, AES_256 cipher suites were not enabled, even if the unlimited strength JCE jurisdiction policy files were installed.  From J2SE 5.0, AES_256 cipher suites are enabled automatically if the unlimited strength JCE jurisdiction policy files are installed.

OK, then here comes the conclusion now:
  1. For JDK 1.4.2, one need to explicit set the AES cipher suites in the codes in order to get it enabled. 
  2. For AES_128 cipher suites, one can use it with the default installed JDK.
  3. TLS does not define AES_192 cipher suites.
  4. For AES_256 cipher suites, one need to use the "unlimited strength" jurisdiction policiy files.

For JDK 6, the "unlimited strength" jurisdiction policiy files could be downloaded from "Other Downloads" on, and there is a README file inside, which describe the export/import issues, and how to install the additional policies. Please DO read the export/import lines and make sure you are allowed to use those "unlimited strength" policies.

Linkage to the blog entry at blogs.Sun.COM

Popular posts from this blog

Java™ SE 7 Release Security Enhancements - Weak Cryptography Control

JSSE Oracle Provider Preference of TLS Cipher Suites

JEP 114: TLS SNI Extension - Virtual Servers Dispatcher