Reputation: 2360
javax.crypto is subject to export controls; what does that mean?
According to http://docs.oracle.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html:
For historical (export control) reasons, the cryptography APIs are organized into two distinct packages. The
java.securitypackage contains classes that are not subject to export controls (likeSignatureandMessageDigest). Thejavax.cryptopackage contains classes that are subject to export controls (likeCipherandKeyAgreement).
What does this mean?
What is the difference?
Note: This document reference is quoted in Java EE doc in security section >> http://docs.oracle.com/javaee/6/tutorial/doc/bnbwj.html | is this ref outdated ?
Upvotes: 8
Views: 2010
Answers (1)
Reputation: 310957
The first thing to note is that the text you quoted starts 'for historic reasons'.
The USA had export controls over some cryptographic algorithms and implementations above certain key lengths. They were mostly dropped during the Clinton administration: certainly those that affected Java. Any reference you read to them in reference to Java cryptography is obsolete.
Java is however affected by crypto import policies, and that's why the Unlimited Strength Crypto Policy download exists. If it's legal in your jurisdiction, you can download and install it. All it does is enable code that is already present in the JRE and which therefore has already been exported. QED
Upvotes: 7
Related Questions
- JDK 11 issue with javax.crypto.JceSecurity
- Crypto provider in JDK
- Refer java security policies externally
- javax.crypto JDK source code, again
- Exporting/Import Encrypted Code Java
- javax.crypto in Java 8u20
- Does X lang have security?
- Exporting Java Program that uses Unlimited JCE Policy (Encryption)
- How secure is javax.crypto.Cipher?
- javax.crypto des sbox