I have been developing a simple application where I need to encrypt and decrypt a short password sent by an end user across the internet. The code is working just fine. But I am worried whether I have violated the US cryptographic export restrictions by using this code. If I have, can anyone suggest an alternative to encrypt and decrypt the password? Thank you all.
IANAL[1], but I'd like to point out the following.
The export restrictions were much relaxed a few years ago. I don't have a clue what the restrictions (if any) with regards to Malaysia are.
Whatever the case may be, your code is certainly not in violation. You're just coding against an abstract API (JCE) and not implementing the actual encryption. At most, you might be guilty of illegally exporting the Sun JCE implementation or the Sun JCE provider. There is legalese about this on the Sun website; you might read that.
If you are concerned about the legal position of either your Sun JCE implementation or the provider, you can switch to alternative implementations such as The Legion of the Bouncy Castle (to be taken a whole lot more seriously than the name may suggest). They're hosted in Australia and not subject to U.S. export regulations. You can use them as a JCE provider, or ditch the Sun JCE altogether and use their JCE reimplementation.
Last but not least, there may be rules and regulations in your country which control or limit the encryption you are allowed to use. I don't have a clue about this, but you might well want to check.
- Peter

[1] I Am Not A Lawyer.
Peter den Haan | peterdenhaan.com | quantum computing specialist, Objectivity Ltd