Cipher.getMaxAllowedKeyLength("AES") returns 128, what does that mean if I want to do AES256

I've been told to encrypt some form data (strings) using AES256 and was given a nice library which already does it all. I was just trying to make sure I understand it a bit better and learn a bit about encryption, since it isn't something I am ever comfortable with. While doing that I ran a test I saw on some website; it said to call Cipher.getMaxAllowedKeyLength("AES"), which gives you the maximum key length. The result was 128.

Anyway, the max allowed key length is 128. Does that mean I cannot use AES256, or are those unrelated?

EDIT: I should mention that I do know how to get the unlimited policy files to change this, I'm just trying to understand this whole deal better before proceeding.

asked Jun 09 '14 21:06 by casolorz
2 Answers

For US export restriction reasons, Java ships with 128-bit security by default only. You need to download and install the Java Cryptography Extension if you want to work with 256-bit+ security.

answered Oct 20 '22 01:10 by John Farrelly

The getMaxAllowedKeyLength() method has been introduced just for this purpose; otherwise you would have to handle an exception during the Cipher encryption/decryption operations (update and doFinal) to test if the restrictions apply. As the policy files may change over time or between versions of Java, it is easier to test with a method.

Note that getMaxAllowedKeyLength() should not be used for any other reason than testing for restrictions. Notably, it may well return Integer.MAX_VALUE instead of a valid key size.

And of course, if it returns 128 you cannot use AES with a key size of 256.

To remedy this you need to install the Unlimited Strength Jurisdiction Policy Files for the Oracle JRE / JDK and then copy them into the (jre)/lib/security folder of all the Java installations where you want to use larger key sizes. You can overwrite the files that are already there. You may need local admin rights or similar rights on that folder to do so.

If that is not possible you could use another implementation of AES that doesn't require the Cipher class as this class actually enforces the limitations. There are a few tricks around this issue as well.

answered Oct 20 '22 00:10 by Maarten Bodewes
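As an added illustration (not code from either answer), this Java snippet applies the advice above: it sizes the AES key from Cipher.getMaxAllowedKeyLength("AES") and shows, side by side, the exception-based probe that the method lets you avoid. The class and method names are my own; current JDKs ship with the unlimited policy by default, so on them the method returns Integer.MAX_VALUE rather than 128.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesKeySizeCheck {

    /** Largest AES key size (in bits) the policy allows, capped at the size we want. */
    static int chooseAesKeyBits(int wantedBits) throws NoSuchAlgorithmException {
        // 128 under the restricted policy files, Integer.MAX_VALUE under the unlimited
        // policy: this is a restriction check, not a valid AES key size in itself.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        return Math.min(wantedBits, max);
    }

    /** The exception-based probe that getMaxAllowedKeyLength() replaces. */
    static boolean canInitAes(int keyBits) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] keyBytes = new byte[keyBits / 8]; // throwaway key, only for the probe
        byte[] iv = new byte[12];                // 96-bit GCM nonce
        rnd.nextBytes(keyBytes);
        rnd.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "AES"),
                        new GCMParameterSpec(128, iv));
            return true;
        } catch (InvalidKeyException e) {
            // The restricted policy reports "Illegal key size" here for a 256-bit key.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Cipher.getMaxAllowedKeyLength(\"AES\") = " + max);
        int chosen = chooseAesKeyBits(256);
        System.out.println("Key size this JVM can use for AES: " + chosen + " bits");
        System.out.println("Cipher.init with a 256-bit key works: " + canInitAes(256));
        if (chosen < 256) {
            // Do not silently downgrade a mandated AES-256 to AES-128: report it
            // so the policy files get installed (or the operation is refused).
            System.out.println("AES-256 requested but policy caps AES at " + max + " bits");
        }
    }
}
```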