Is AES256 encryption decryption possible in Java without unlimited strength JCE files?

Question

The project I am working on has a segment which requires AES encryption and decryption. From all the possible internet source that I could look up, it was hard to find any reference to AES256 encryption without having to download and install the Unlimited Strength JCE files from Sun's (now Oracle's website). Besides whatever legal issues that exist with the distribution of the same, it is not helping us very practically when it comes to asking an end user to visit a particular website and download some files, put them in a directory and then add things to classpath if on Windows etc!

There were some references on the internet to BountyCastle's lightweight API which possibly didn't require the JCE files, but I couldn't look up a very relevant reference or example which demonstrated it.

Not sure, but is this a problem with every other programming language?

If it is not possible to have AES 256 bit encryption without those having those particular JCE files installed, then can the JNI approach help?

To elaborate a bit, can AES 256 encryption be done in C/C++ and then can I call those using JNI to have the desired results? Would packaging the software (as a jar file) be a cause of concern, or can there be other issues?

Another important factor that comes into play is that the project would be run both of Mac and Windows, so can be be limitations using C/C++ (specific compiler/interpreter versions or anything)?

Is there a different way to handle this? Any other approach(es)?

Answer 1

The key size restrictions are implemented in the Cipher class of Java. It is possible to use any other class that implements AES to get AES-256 functionality. For instance, it is possible to use the "lightweight" API of Bouncy Castle to use key sizes of any strength. In that case you can e.g. use org.bouncycastle.crypto.engines.AESFastEngine directly (and a mode and a padding of your choice. It is still possible to use the normal .jar for Bouncy Castle, but you won't be using the JCA functionality of the BouncyCastle provider.

This has some disadvantages and advantages. The lightweight Bouncy Castle API is somewhat lower level to the JCA functionality added to the Sun classes by the "BC" provider. Furthermore, a lot of components (such as the SSL layer within Java, JSSE, or the XML encryption libraries) use the JCA to supply the required cryptographic functionality. The libraries that require JCA functionality will still be limited to restricted key sizes.

Note that using other providers won't work, as the Cipher class itself checks for the key size. The CipherSpi implementation classes that may be contained within a JCA provider cannot (positively) influence the allowed key sizes. You can only directly use the implementation classes.