37

Does anyone know what the default Java crypto behavior is for:

SecretKeySpec localSecretKeySpec = new SecretKeySpec(arrayOfByte, "AES");
Cipher localCipher = Cipher.getInstance("AES");

Specifically I am looking to understand how those classes generate the IV, as well as what is the default encryption mode when just specifying "AES". Thanks.

wuntee
  • 12,170
  • 26
  • 77
  • 106
  • 2
    Don't quote me on this, but it could very easily depend on the provider. You really want to always specify both the mode of operation and the padding algorithm. Not doing so can cause soooo many problems... – Chris Thompson Jun 06 '11 at 21:10
  • 3
    Could you actually accept one of these answers? Your latest question is from not too long ago, so you should be still around. – Maarten Bodewes Dec 08 '12 at 00:19

4 Answers4

40

For Oracle JDK 7 (tested), the default cipher for AES is AES/ECB/PKCS5Padding. The Java Security documentation doesn't mention about this though (http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#algspec), have to do some JUnit testing to find out.

bratan
  • 3,407
  • 1
  • 16
  • 11
  • 3
    I can confirm that 1.6.0_31 also uses `AES/ECB/PKCS5Padding` when only `AES` is requested. Tested by encrypting ~10MB of `/dev/urandom` various combinations. – Jesse Nov 01 '12 at 08:38
  • 1
    I had been searching this for hours! Thanks! – Kazekage Gaara Jul 14 '14 at 11:08
  • 2
    @Jesse - `Cipher.getAlgorithm()` should return what you are using. See Java's [Standard Algorithm Name Documentation](http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html). – jww Aug 11 '16 at 07:02
  • Thank you so much for this. I've been looking for the solution for this for hours. If you want to decrypt something encrypted in Java in C# don't forget to set the block size to `128` as Java follows the specific AES standard. – dimiguel Jul 03 '19 at 07:27
  • 1
    @jww `Cipher.getAlgorithm()` still returns "AES" when requested as this (OpenJDK 11). The variables `com.sun.crypto.provider.CipherCore.cipher` and `padding` reveal the actual settings while `doFinal` is executed. – Matthias May 04 '20 at 08:00
13

The details are provider specific. The JCA Reference Guide says that:

(Creating a Cipher Object) If no mode or padding is specified, provider-specific default values for the mode and padding scheme are used. For example, the SunJCE provider uses ECB as the default mode, and PKCS5Padding as the default padding scheme for DES, DES-EDE and Blowfish ciphers. This means that in the case of the SunJCE provider: Cipher.getInstance("DES") and Cipher.getInstance("DES/ECB/PKCS5Padding") are equivalent statements.

I would always use the full form (algorithm/mode/padding), not only because I think that leaving out such "details" to the implementation is bad practice, but also for achieving a ciphertext that is independent of the chosen provider (one usually encrypts for storage/transmission, then one cannot be sure that the same provider will be used later/on the other end).

Javier
  • 12,100
  • 5
  • 46
  • 57
11

Those details are provider specific, and relying on the default mode and padding can be very dangerous. If you are interested in what the values that the default provider currently bundled with Java uses you'll have to hunt down the source code for the algorithm in question. For instance, the default values it uses for the RSA algorithm are here. Also, the Java™ Cryptography Architecture (JCA) Reference Guide has quite a bit of information that could answer some of you other questions.

laz
  • 28,320
  • 5
  • 53
  • 50
5

It depends on the Providers. Different providers might have different default parameters. This is the link for Java 8.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#ciphertrans

The javax.crypto.Cipher.getInstance(String transformation) factory method generates Ciphers using transformations of the form algorithm/mode/padding. If the mode/padding are omitted, the SunJCE and SunPKCS11 providers use ECB as the default mode and PKCS5Padding as the default padding for many symmetric ciphers.

It is recommended to use transformations that fully specify the algorithm, mode, and padding instead of relying on the defaults.

Note: ECB works well for single blocks of data and can be parallelized, but generally should not be used for multiple blocks of data.

Therefore, you should not just use AES but specify the mode and padding. Furthermore, although the getInstance method could have another parameter for the provider, this is not recommended because

applications are tied to specific providers that may not be available on other Java implementations

Archangel1C
  • 100
  • 11
Qiuxiang Dong
  • 51
  • 1
  • 1
  • This should be the accepted answer, since it links to the exact place in the docs, where it is mentioned. Unfortunately I didn't check all answers, so it took me a while to find that paragraph myself. It wasn't there in the Java 6 document version, but is since Java 7. – Archangel1C Dec 01 '20 at 12:46