As you may know, Java offers the possibility to encrypt data with AES.
Unfortunately, the default JDK in Java 6 limits the key size to 128 bits.
To use 192- or 256-bit keys you must install the JCE Unlimited
Strength Jurisdiction Policy Files in the JDK that runs your
application. Using an alternative provider from bouncycastle.org
doesn't help: as long as you stick to the JCE API, the JDK needs the
patch. So it seems that you can either force your users to install the
patch or abandon the standardized API and use a proprietary one. When
your key is derived from a password, there is a third way.

You may want to reconsider whether you need keys larger than 128 bits
at all. 128 bits means 16 bytes. On the other hand, only a few users
use more than 10 characters for a password, so a lot of the key size
goes unused. If you think about what a key size of 128 bits means,
things get even worse. It means that there are 2^128 possibilities for
a key. So for each byte you need 2^8 (256) possibilities. Choosing from
256 characters via a standard keyboard won't work, at least not on the
ones I know. BTW, I know that there are a lot of Chinese characters,
but as far as I know users have to press several keys on their keyboard
to get one of those characters into their computer. So please don't
come up with 6-character passwords that need 30 key presses.

If you want to calculate how many characters you need to enter to use
the full 128-bit key size, go over to http://www.velocityreviews.com/forums/t307767-how-many-characters-to-make-winzip-aes-256-unbreakable.html
and read the explanations of Arthur T. Using just the digits, the
characters A to Z, and a to z, I came up with 22 characters for
a password.

Not yet convinced? Luke O'Connor has written some articles on why 128
bits is enough for password-based keys. Read http://lukenotricks.blogspot.com/2008/07/are-aes-256-bit-keys-too-large.html
and http://lukenotricks.blogspot.com/2010/04/aes-128-versus-aes-256-encryption.html.
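
The following Java program is an added example, not code from the original post: it reports the JDK's AES key-size limit, derives a 128-bit AES key from a password through the standard JCE API (PBKDF2), and computes the 22-character figure exactly. The class name, sample password, salt size and iteration count are assumptions chosen for illustration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordKeyDemo {
    // Upper bound on password entropy: length * log2(alphabet size).
    // Human-chosen passwords are not uniformly random, so the real value is lower.
    static double maxEntropyBits(int alphabetSize, int length) {
        return length * (Math.log(alphabetSize) / Math.log(2));
    }

    // Smallest n with alphabetSize^n >= 2^keyBits; alphabetSize must be >= 2.
    // BigInteger keeps the comparison exact (no floating-point rounding).
    static int charsNeeded(int alphabetSize, int keyBits) {
        BigInteger target = BigInteger.ONE.shiftLeft(keyBits);
        int n = 0;
        for (BigInteger s = BigInteger.ONE; s.compareTo(target) < 0; n++) {
            s = s.multiply(BigInteger.valueOf(alphabetSize));
        }
        return n;
    }

    // Derive a 128-bit AES key with PBKDF2 (standard JCE, available since Java 6).
    static SecretKey deriveAes128(char[] password, byte[] salt, int iterations)
            throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 128);
        byte[] raw = f.generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    public static void main(String[] args) throws Exception {
        // Policy limit in bits; Integer.MAX_VALUE means the unlimited policy is active.
        System.out.println("Max AES key bits: " + Cipher.getMaxAllowedKeyLength("AES"));
        // Constructed sample values; the iteration count is an assumption to tune.
        char[] password = "Tr0ub4dor3x".toCharArray();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        SecretKey key = deriveAes128(password, salt, 100000);
        System.out.println("Derived key bits: " + key.getEncoded().length * 8);
        System.out.printf("Entropy bound, 10 chars of [0-9A-Za-z]: %.1f bits%n",
                maxEntropyBits(62, 10));
        System.out.println("Chars of [0-9A-Za-z] for 128 bits: " + charsNeeded(62, 128));
    }
}
```

The salt must be stored alongside the ciphertext so the same key can be derived again for decryption.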