Java Security: Illegal key size or default parameters?
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must do so under the same license, cite the original address, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/6481627/
Asked by Rihards
I had asked a question about this earlier, but it didn't get answered right and led nowhere.
So I've clarified a few details on the problem and I would really like to hear your ideas on how I could fix this or what I should try.
I have Java 1.6.0.12 installed on my Linux server and the code below runs just perfectly.
    // Hex is presumably org.apache.commons.codec.binary.Hex (decodeHex(char[]) matches its signature);
    // data holds the hex-encoded ciphertext to decrypt.
    String key = "av45k1pfb024xa3bl359vsb4esortvks74sksr5oy4s5serondry84jsrryuhsr5ys49y5seri5shrdliheuirdygliurguiy5ru";
    try {
        Cipher c = Cipher.getInstance("ARCFOUR");
        SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "ARCFOUR");
        c.init(Cipher.DECRYPT_MODE, secretKeySpec);
        return new String(c.doFinal(Hex.decodeHex(data.toCharArray())), "UTF-8");
    } catch (InvalidKeyException e) {
        throw new CryptoException(e);
    }
Today I installed Java 1.6.0.26 on my server user and when I try to run my application, I get the following exception. My guess would be that it has something to do with the Java installation configuration, because it works in the first one but doesn't work in the later version.
Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
at javax.crypto.Cipher.init(DashoA13*..) ~[na:1.6]
at javax.crypto.Cipher.init(DashoA13*..) ~[na:1.6]
at my.package.Something.decode(RC4Decoder.java:25) ~[my.package.jar:na]
... 5 common frames omitted
Line 25 is:
    c.init(Cipher.DECRYPT_MODE, secretKeySpec);
Notes:
* java.security in the server's 1.6.0.12 java directory matches almost completely with the 1.6.0.26 java.security file. There are no additional providers in the first one.
* The previous question is here.
Accepted answer by James Black
Most likely you don't have the unlimited strength file installed now.
You may need to download this file:
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download (only required for versions before Java 8 u162)
Extract the jar files from the zip and save them in ${java.home}/jre/lib/security/.
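A quick way to confirm what the accepted answer describes, as an added example that is not part of the original answer: ask the JCE framework directly what the active jurisdiction policy permits, and reproduce the failing init with a key that is merely too long. The class name and the all-zero dummy keys are my own choices; the key lengths are the ones from the question (a 100-character string, i.e. 800 bits of RC4 key) and from the AES answers further down. The commented-out crypto.policy line applies only to Java 8u151 and later, where the policy can be selected by a security property instead of swapping jars.

```java
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Diagnoses "Illegal key size or default parameters" without touching any files:
 * asks the JCE framework what the active jurisdiction policy permits, then tries
 * the key sizes that matter for this thread.
 */
public class JcePolicyCheck {

    /** True when the unlimited policy is in effect for this algorithm. */
    static boolean isUnlimited(String algorithm) throws NoSuchAlgorithmException {
        // Limited policy: 128 for AES and RC4 (from the "*, 128" and "RC4, 128" rules).
        // Unlimited policy: Integer.MAX_VALUE for everything.
        return Cipher.getMaxAllowedKeyLength(algorithm) == Integer.MAX_VALUE;
    }

    /** Initialises a cipher with a key of the given length; false means the policy rejected it. */
    static boolean keyAccepted(String algorithm, int keyBytes) throws GeneralSecurityException {
        byte[] key = new byte[keyBytes]; // all-zero dummy key: only the *length* is under test here
        Cipher c = Cipher.getInstance(algorithm);
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, algorithm));
            return true;
        } catch (InvalidKeyException e) {
            // The exception from the question: the jurisdiction policy caps the key size.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Java 8u151+ only: select the policy by property. It must run before the JCE framework
        // initialises, i.e. before the first Cipher.getInstance() in the process. Uncomment to try.
        // Security.setProperty("crypto.policy", "unlimited");

        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy")); // null before 8u151

        for (String alg : new String[] { "AES", "ARCFOUR" }) {
            System.out.printf("%-8s max key bits = %d (unlimited: %b)%n",
                    alg, Cipher.getMaxAllowedKeyLength(alg), isUnlimited(alg));
        }

        // AES-128 passes under every policy; AES-256 needs the unlimited one.
        System.out.println("AES 16-byte key accepted:      " + keyAccepted("AES", 16));
        System.out.println("AES 32-byte key accepted:      " + keyAccepted("AES", 32));

        // The question's key: 100 ASCII characters used as raw key bytes = 800 bits,
        // far above the 128-bit RC4 cap in the default local_policy.jar.
        System.out.println("ARCFOUR 100-byte key accepted: " + keyAccepted("ARCFOUR", 100));
    }
}
```

Run it with the exact java binary the application uses (the JDK's embedded jre and a separately installed JRE are different java.home directories, which is the trap two answers below describe). If the AES 32-byte line prints false after copying the jars, they went into the wrong directory.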
Answer by RHSeeger
There's a short discussion of what appears to be this issue here. The page it links to appears to be gone, but one of the responses might be what you need:
Indeed, copying US_export_policy.jar and local_policy.jar from core/lib/jce to $JAVA_HOME/jre/lib/security helped. Thanks.
Answer by Dev G
I also got the issue, but replacing the existing one with the downloaded one (from JCE) resolved it. The new crypto files provided unlimited strength.
Answer by evanxsummers
"Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6"
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
Answer by Brian Bowman
I experienced the same error while using Windows 7 x64, Eclipse, and JDK 1.6.0_30. In the JDK installation folder there is a jre folder. This threw me off at first as I was adding the aforementioned jars to the JDK's lib/security folder with no luck. Full path:
C:\Program Files\Java\jdk1.6.0_30\jre\lib\security
Download and extract the files contained in the jce folder of this archive into that folder.
Answer by C Deepak
For JAVA 7 the download link is jce-7-download
Copy the two downloaded jars into Java\jdk1.7.0_10\jre\lib\security
Take a backup of the older jars to be on the safer side.
For JAVA 8 the download link is jce-8-download
Copy the downloaded jars into Java\jdk1.8.0_45\jre\lib\security
Take a backup of the older jars to be on the safer side.
Answer by Saad Malik
The JRE/JDK/Java 8 jurisdiction files can be found here:
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download
Like James said above:
Install the files in ${java.home}/jre/lib/security/.
Answer by max
The problem is the content of the file default_local.policy in local_policy.jar in the folder jre\lib\security, if you install the JRE:
    // Some countries have import limits on crypto strength. This policy file
    // is worldwide importable.
    grant {
        permission javax.crypto.CryptoPermission "DES", 64;
        permission javax.crypto.CryptoPermission "DESede", *;
        permission javax.crypto.CryptoPermission "RC2", 128,
                                                 "javax.crypto.spec.RC2ParameterSpec", 128;
        permission javax.crypto.CryptoPermission "RC4", 128;
        permission javax.crypto.CryptoPermission "RC5", 128,
                                                 "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
        permission javax.crypto.CryptoPermission "RSA", *;
        permission javax.crypto.CryptoPermission *, 128;
    };
If you do not need worldwide valid settings you can simply edit this file and change the content to
    // Country-specific policy file for countries with no limits on crypto strength.
    grant {
        // There is no restriction to any algorithms.
        permission javax.crypto.CryptoAllPermission;
    };
This is what you get if you download the JCE from Oracle.
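To tell which policy a given JVM is really loading, as an added example that is not part of the original answer: the small parser below turns a default_local.policy grant block like the one quoted above into per-algorithm key-size caps, applies it to the question's key (100 characters = 800 bits, above both the "RC4", 128 rule and the *, 128 wildcard), and then reads the default_local.policy actually installed under java.home. The sample policy text is the limited one quoted in this answer, embedded as a constructed string. The class name is mine; the Java 9+ location conf/security/policy/<crypto.policy>/ replaces the jars in those releases, and treating an unset crypto.policy as "unlimited" there is an assumption marked in the code.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.jar.JarFile;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.zip.ZipEntry;

/**
 * Parses a default_local.policy grant block into per-algorithm key-size caps and
 * reads the one installed in the running JRE, so a copied local_policy.jar can be
 * verified instead of assumed.
 */
public class PolicyFileInspector {

    // Matches:  permission javax.crypto.CryptoPermission "RC4", 128;   or   ... *, 128;   or   ... "RSA", *;
    // Trailing parameter-spec arguments (RC2/RC5 lines) are ignored; only the key-size field matters here.
    private static final Pattern RULE = Pattern.compile(
            "permission\\s+javax\\.crypto\\.CryptoPermission\\s+(\\*|\"([^\"]+)\")\\s*(?:,\\s*(\\*|\\d+))?");

    /** algorithm -> max key bits; Integer.MAX_VALUE means no cap. CryptoAllPermission yields a single "*" entry. */
    static Map<String, Integer> parse(String policyText) {
        Map<String, Integer> caps = new LinkedHashMap<String, Integer>();
        if (policyText.contains("javax.crypto.CryptoAllPermission")) {
            caps.put("*", Integer.MAX_VALUE); // the unlimited policy carries no per-algorithm rules at all
            return caps;
        }
        Matcher m = RULE.matcher(policyText);
        while (m.find()) {
            String alg = m.group(2) != null ? m.group(2) : "*";
            String size = m.group(3);
            int bits = (size == null || size.equals("*")) ? Integer.MAX_VALUE : Integer.parseInt(size);
            caps.put(alg, bits);
        }
        return caps;
    }

    /** Cap for one algorithm, falling back to the wildcard rule; 0 if the policy grants nothing for it. */
    static int maxKeyBits(Map<String, Integer> caps, String algorithm) {
        Integer bits = caps.get(algorithm);
        if (bits == null) bits = caps.get("*");
        return bits == null ? 0 : bits;
    }

    static boolean allows(Map<String, Integer> caps, String algorithm, int keyBits) {
        return keyBits <= maxKeyBits(caps, algorithm);
    }

    /**
     * Java 8 and earlier: default_local.policy lives inside lib/security/local_policy.jar.
     * Java 9+: a plain file under conf/security/policy/<crypto.policy>/default_local.policy.
     */
    static String readInstalledPolicy() throws IOException {
        Path home = Paths.get(System.getProperty("java.home"));
        Path jar = home.resolve("lib/security/local_policy.jar");
        if (Files.exists(jar)) {
            try (JarFile jf = new JarFile(jar.toFile())) {
                ZipEntry entry = jf.getEntry("default_local.policy");
                if (entry == null) throw new IOException("default_local.policy missing from " + jar);
                try (InputStream in = jf.getInputStream(entry)) {
                    ByteArrayOutputStream buf = new ByteArrayOutputStream();
                    byte[] b = new byte[4096];
                    for (int n; (n = in.read(b)) > 0; ) buf.write(b, 0, n);
                    return new String(buf.toByteArray(), StandardCharsets.UTF_8);
                }
            }
        }
        String dir = Security.getProperty("crypto.policy");
        if (dir == null) dir = "unlimited"; // assumption: the value shipped in java.security on Java 9+
        Path file = home.resolve("conf/security/policy").resolve(dir).resolve("default_local.policy");
        return new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // 1. The limited policy quoted in the answer above (constructed sample, copied from the page).
        String limited = "grant {\n"
                + "  permission javax.crypto.CryptoPermission \"DES\", 64;\n"
                + "  permission javax.crypto.CryptoPermission \"DESede\", *;\n"
                + "  permission javax.crypto.CryptoPermission \"RC2\", 128, \"javax.crypto.spec.RC2ParameterSpec\", 128;\n"
                + "  permission javax.crypto.CryptoPermission \"RC4\", 128;\n"
                + "  permission javax.crypto.CryptoPermission \"RC5\", 128, \"javax.crypto.spec.RC5ParameterSpec\", *, 12, *;\n"
                + "  permission javax.crypto.CryptoPermission \"RSA\", *;\n"
                + "  permission javax.crypto.CryptoPermission *, 128;\n"
                + "};\n";
        Map<String, Integer> caps = parse(limited);
        int questionKeyBits = 100 * 8; // the question's 100-character string used directly as RC4 key bytes
        System.out.println("limited: RC4 cap " + maxKeyBits(caps, "RC4") + " bits, 800-bit key allowed: "
                + allows(caps, "RC4", questionKeyBits));
        System.out.println("limited: AES (wildcard) cap " + maxKeyBits(caps, "AES") + " bits, AES-256 allowed: "
                + allows(caps, "AES", 256));

        // 2. Whatever this JVM actually loaded from java.home.
        Map<String, Integer> installed = parse(readInstalledPolicy());
        boolean unlimited = maxKeyBits(installed, "AES") == Integer.MAX_VALUE;
        System.out.println("installed policy under " + System.getProperty("java.home") + " is unlimited: " + unlimited);
    }
}
```

The first two lines of output explain the original stack trace: under the limited policy the 800-bit RC4 key and a 256-bit AES key are both rejected at Cipher.init, while the same code passes once the installed file grants CryptoAllPermission.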
Answer by Ketan Vishwakarma
In Java, by default AES supports a 128 Bit key; if you plan to use a 192 Bit or 256 Bit key, the java compiler will throw an Illegal key size Exception, which is what you are getting.
The solution is as victor & James suggested: you will need to download JCE (Java Cryptography Extension) as per your JRE version (java6, java7 or java8).
The JCE zip contains the following JARs:
- local_policy.jar
- US_export_policy.jar
You need to replace these jars in your <JAVA_HOME>/jre/lib/security.
If you are on a unix system this will probably refer to /home/urs/usr/lib/jvm/java-<version>-oracle/
Sometimes just replacing local_policy.jar and US_export_policy.jar in the security folder doesn't work on unix, so I suggest copying the security folder to your desktop first, replacing the jars in the Desktop/security folder, deleting the security folder from /jre/lib/ and moving the Desktop security folder to /jre/lib/.
eg :: sudo mv security /usr/lib/jvm/java-7-oracle/jre/lib
Answer by keaplogik
By default, Java only supports AES 128 bit (16 bytes) key sizes for encryption. If you do not need more than the default supported, you can trim the key to the proper size before using Cipher. See the javadoc for default supported keys.
This is an example of generating a key that would work with any JVM version without modifying the policy files. Use at your own discretion.
Here is a good article on whether 128 vs 256 bit key sizes matter on the AgileBits Blog
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import java.util.Arrays;
    import javax.crypto.spec.SecretKeySpec;

    SecretKeySpec getKey() throws NoSuchAlgorithmException {
        final byte[] pass = "47e7717f0f37ee72cb226278279aebef".getBytes(StandardCharsets.UTF_8);
        final MessageDigest sha = MessageDigest.getInstance("SHA-256");
        byte[] key = sha.digest(pass);
        // use only first 128 bit (16 bytes). By default Java only supports AES 128 bit key sizes for encryption.
        // Updated jvm policies are required for 256 bit.
        key = Arrays.copyOf(key, 16);
        return new SecretKeySpec(key, "AES");
    }
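Taken a step further, as an added example that is not part of the original answer: the answer above obtains a 16-byte key by truncating a single SHA-256 digest of a fixed string. A 128-bit AES key is indeed accepted by every jurisdiction policy, but when the input is a password it should go through a salted, iterated KDF (PBKDF2WithHmacSHA256, in the JDK since Java 8) requesting 128 bits directly, and when it is not a password it should simply be random. The class name, the constructed plaintext, the salt handling and the iteration count are illustrative choices of mine; the round trip uses AES/GCM (in the JDK since Java 7) to show that the key size is the only thing the policy caps.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Two ways to obtain an AES-128 key that every jurisdiction policy accepts, plus an
 * authenticated round trip that proves the key size is all the policy cares about.
 */
public class Aes128Keys {

    private static final SecureRandom RNG = new SecureRandom();

    /** A key that is a secret in its own right (not derived from a password): just generate it. */
    static SecretKey randomKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, RNG); // 128 bits fits the limited policy; 256 would need the unlimited one
        return kg.generateKey();
    }

    /**
     * A key derived from a password: random salt + iterated PBKDF2, asking for exactly 128 bits
     * instead of truncating one SHA-256 digest as in the answer above.
     */
    static SecretKey passwordKey(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = f.generateSecret(new PBEKeySpec(password, salt, iterations, 128)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** AES/GCM encrypt; output layout is 12-byte IV || ciphertext || 16-byte tag. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // a fresh IV per message is mandatory for GCM
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Inverse of encrypt; a tampered ciphertext or wrong key ends in AEADBadTagException. */
    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(128, Arrays.copyOfRange(ivAndCiphertext, 0, 12)));
        return c.doFinal(ivAndCiphertext, 12, ivAndCiphertext.length - 12);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        SecretKey k1 = randomKey();
        System.out.println("random key bits:  " + k1.getEncoded().length * 8);
        System.out.println("round trip ok:    " + Arrays.equals(msg, decrypt(k1, encrypt(k1, msg))));

        byte[] salt = new byte[16];
        RNG.nextBytes(salt); // store the salt beside the ciphertext; it need not be secret
        int iterations = 600_000; // illustrative; tune to your hardware, higher is slower for an attacker too
        SecretKey k2 = passwordKey("47e7717f0f37ee72cb226278279aebef".toCharArray(), salt, iterations);
        System.out.println("derived key bits: " + k2.getEncoded().length * 8);
        System.out.println("round trip ok:    " + Arrays.equals(msg, decrypt(k2, encrypt(k2, msg))));
    }
}
```

Both keys are 128 bits, so neither path ever hits the InvalidKeyException from the question on a stock JRE; changing the 128 in KeyGenerator.init or PBEKeySpec to 256 brings it straight back on a JVM that still ships the limited policy.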