Could I have broken the law by using SunJCE?!!

Steven Ho
Greenhorn

Joined: Jan 16, 2003
Posts: 15
I have been developing a simple application where I need to encrypt and decrypt a short password sent by an end user across the internet. The coding is working just fine. But I am worried whether I have violated the US cryptographic export restrictions by using this code.
If I am, can anyone suggest an alternative to encrypt and decrypt the password?
Thank you all.

[ March 14, 2003: Message edited by: Steven Ho ]
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
IANAL[1], but I'd like to point out the following.
  • The export restrictions were much relaxed a few years ago. I don't have a clue what the restrictions (if any) with regard to Malaysia are.
  • Whatever the case may be, your code is certainly not in violation. You're just coding against an abstract API (JCE) and not implementing the actual encryption. At most, you might be guilty of illegally exporting the Sun JCE implementation or the Sun JCE provider. There is legalese about this on the Sun website; you might read that.
  • If you are concerned about the legal position of either your Sun JCE implementation or the provider, you can switch to alternative implementations such as The Legion of the Bouncy Castle (to be taken a whole lot more seriously than the name may suggest). They're hosted in Australia and not subject to U.S. export regulations. You can use them as a JCE provider, or ditch the Sun JCE altogether and use their JCE reimplementation.
  • Last but not least, there may be rules and regulations in your country which control or limit the encryption you are allowed to use. I don't have a clue about this, but you might well want to check.

- Peter
[1] I Am Not A Lawyer.
Steven Ho
Greenhorn

Joined: Jan 16, 2003
Posts: 15
Peter,
Thank you so much, I am so relieved now. And I will examine the bouncycastle.org later.
Steven
[ March 16, 2003: Message edited by: Steven Ho ]
Sandep Chaturvedi
Ranch Hand

Joined: Aug 20, 2002
Posts: 49
We have been using Bouncy Castle in the US and it is our security standard for all data encryptions/decryptions. Very cool...
     