Illegal Key Size


About a week ago, I wrote an article on how to encrypt with PHP and decrypt with Java. The funny thing is I got an error when I deployed the Java code into the live server! 😐

As a reminder, this is the code I am talking about:

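import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
// Placeholders: a real AES key is 16, 24 or 32 bytes long and the IV is 16 bytes.
SecretKeySpec skeySpec = new SecretKeySpec("SECRET KEY".getBytes(), "AES");
IvParameterSpec initialVector = new IvParameterSpec("iv_example".getBytes());
Cipher cipher = Cipher.getInstance("AES/CFB8/NoPadding");
cipher.init(Cipher.DECRYPT_MODE, skeySpec, initialVector);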

This code was working perfectly fine on my local machine, but here is the exception I got when I ran it on a Linux server:

java.security.InvalidKeyException: Illegal key size
        at javax.crypto.Cipher.a(DashoA12275)
        at javax.crypto.Cipher.a(DashoA12275)
        at javax.crypto.Cipher.a(DashoA12275)
        at javax.crypto.Cipher.init(DashoA12275)
        at javax.crypto.Cipher.init(DashoA12275)
        ...

Looking on the internet for an explanation, I found the following answer on Charitha Kankanamge’s blog (which I slightly updated):

“java.security.InvalidKeyException: Illegal key size” error is a common issue which occurs when you try to invoke a secured web service in an environment where the provision for java unlimited security jurisdiction is not done.
This can be avoided by installing Java Cryptography Extension (JCE) unlimited strength jurisdiction policy files.
1. Go to http://www.oracle.com/technetwork/java/javase/downloads/index.html
2. Go to the Additional Resources section and click on the download button next to “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files X”
3. Download jce_policy-X.zip and extract it into a directory
4. You will find local_policy.jar and US_export_policy.jar files there in the extracted directory. Copy these two files to $JAVA_HOME/jre/lib/security directory (These files might already be there, replace them in this case)
5. Restart the web server and invoke your secured service again. You will not encounter the “invalidkeyException” any more

Please click on the link below to see the original article:
http://charithaka.blogspot.com/2008/08/how-to-avoid-javasecurityinvalidkeyexce.html
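
To confirm that the policy files are the cause, before and after replacing them, you can ask the JVM for the maximum AES key length it allows. The class below is an added example, not code from the original article or from Charitha Kankanamge's post; the class name JcePolicyCheck and the all-zero test keys are assumptions made for illustration.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical diagnostic class (not from the article): reports whether the
// running JVM restricts AES key sizes through its jurisdiction policy files.
public class JcePolicyCheck {

    // Maximum AES key length, in bits, permitted by the installed policy.
    // Restricted policy files report 128; unlimited ones report Integer.MAX_VALUE.
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Tries to initialise the article's cipher with a key of the given size.
    // Returns null on success, or the exception message on failure.
    static String tryInit(int keyBits) throws Exception {
        byte[] key = new byte[keyBits / 8]; // constructed all-zero test key, diagnostics only
        byte[] iv = new byte[16];           // constructed test IV, one AES block long
        Cipher cipher = Cipher.getInstance("AES/CFB8/NoPadding");
        try {
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return null;
        } catch (InvalidKeyException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which installation's lib/security directory is in use.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("max AES bits = " + maxAesKeyBits());
        for (int bits : new int[] {128, 192, 256}) {
            String error = tryInit(bits);
            System.out.println("AES-" + bits + ": " + (error == null ? "ok" : "FAILED (" + error + ")"));
        }
    }
}
```

Run it with the same Java binary the web server uses: under the restricted policy files the maximum is reported as 128 and the 192- and 256-bit attempts fail with "Illegal key size".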



  1. #1 by Nuria on 27 Jun 2012 - 14:47

    This has been very useful. You’re a star!
