1
public static byte[] decryptByte(byte[] blahh, byte[] keyExample) throws Exception
{
Cipher cipher = null;

try
{
    cipher = Cipher.getInstance("AES/ECB/PKCS5PADDING");
    SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
    cipher.init(Cipher.DECRYPT_MODE, secretKey);

    return cipher.doFinal(Base64.decodeBase64(blah));
}
catch(Exception e)
{
    e.printStackTrace();
}
return null;
}

String keyExample = "99112277445566778899AABBCCDDEEFF0123456789ABCDEF0123456789ABCDEF";
byte[] key = keyExample.getBytes();    
byte[] barrayMessage = {123,45,55,23,64,21,65};    
byte[] result = decryptByte(barrayMessage, key);

Exception thrown: java.security.InvalidKeyException: Invalid AES key length: 64 bytes

Tom
stackoverflow
  • `barrayMessage` is incompatible with AES/ECB, and your code won't even compile. Please make an SSCCE. – Maarten Bodewes Jan 16 '13 at 21:53
  • You need to convert from hex. `getBytes` uses the default platform encoding. – CodesInChaos Jan 16 '13 at 21:54
  • See http://stackoverflow.com/questions/3451670/java-aes-and-using-my-own-key – Carsten Jan 16 '13 at 21:54
  • @CodesInChaos that's 3 seconds before my answer :) – Maarten Bodewes Jan 16 '13 at 21:54
  • Or see http://stackoverflow.com/questions/992019/java-256-bit-aes-password-based-encryption – Carsten Jan 16 '13 at 21:56
  • @Carsten Could you delete that first link? It does not contain any secure answers. – Maarten Bodewes Jan 16 '13 at 22:06
  • @owlstead I agree, the second option is definitely the one to go for. However, in practice, I found that PBKDF2 (required for the second approach) is not as widely available as AES. So maybe let's say one should use the approach from the second link whenever possible, and only fall back to the other one if PBKDF2 is not available on your system. – Carsten Jan 16 '13 at 22:17
  • Also, don't use ECB (see http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29) if your real text is of any length – Carsten Jan 16 '13 at 22:21
  • @Carsten This approach needs a salt though. I don't want to add a salt to the key. – stackoverflow Jan 16 '13 at 22:36
  • @Mrshll187 you need a salt only if you want to use a password. If you want to use a (pre-generated) random, then use my answer and specify it in hex (if you require a `String`) or simply use a byte array directly. – Maarten Bodewes Jan 16 '13 at 22:41
  • @Mrshll187 The salt is "optional". However, not using salt will expose you to dictionary attacks. Why don't you want to use salt? – Carsten Jan 17 '13 at 00:00
  • @Carsten Thanks for the response. I guess I was just really unsure of what the salt was actually doing. – stackoverflow Jan 20 '13 at 16:51

2 Answers

3

You should try and decode your key using a hexadecimal decoder instead of calling getBytes().

Maarten Bodewes
3

When you call String.getBytes() (JDK documentation) you encode the characters of the given string into a sequence of bytes using the platform's default charset.

What you actually need to do is convert each hexadecimal (also base 16) number (represented by two characters from 0 to 9 and A to F, e.g. 1A, 99, etc.) into its corresponding numerical (byte) value, e.g. "FF" -> -1 byte.

Sample code is as follows:

import static java.lang.Character.digit;
...

private static byte[] stringToBytes(String input) {
    int length = input.length();
    byte[] output = new byte[length / 2];

    for (int i = 0; i < length; i += 2) {
        output[i / 2] = (byte) ((digit(input.charAt(i), 16) << 4) | digit(input.charAt(i+1), 16));
    }
    return output;
}

...

String keyExample = "99112277445566778899AABBCCDDEEFF0123456789ABCDEF0123456789ABCDEF";
byte[] key = stringToBytes(keyExample);    
byte[] barrayMessage = {123,45,55,23,64,21,65};    
byte[] result = decryptByte(barrayMessage, key);

Please bear in mind that because we convert each two characters into a single byte, the proposed method assumes your input will have an even number of characters (and also that the input is not null and not empty).

If that method is going to be used internally, that form is acceptable, but if you make it part of a library visible to others, it would be good to add some checks and throw an exception on invalid input.

Tom
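
An added example, not code from either answer or the question: a hex decoder with the input checks the second answer recommends, plus an AES key-length check, run on the key string from the question. The names `HexKeyExample`, `hexToBytes`, `nibble` and `aesKeyFromHex` are introduced here; the round trip uses AES-GCM rather than the question's ECB, following the comment thread, and assumes a JDK that permits 256-bit AES keys.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class HexKeyExample {
    // Strict decoder: rejects null, empty, odd-length and non-ASCII-hex input.
    static byte[] hexToBytes(String hex) {
        if (hex == null || hex.isEmpty() || hex.length() % 2 != 0)
            throw new IllegalArgumentException("hex string must be non-empty, even length");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < hex.length(); i += 2)
            out[i / 2] = (byte) ((nibble(hex.charAt(i)) << 4) | nibble(hex.charAt(i + 1)));
        return out;
    }

    static int nibble(char c) {
        // Character.digit() also accepts non-ASCII Unicode digits, so restrict to ASCII first.
        int d = c < 128 ? Character.digit(c, 16) : -1;
        if (d < 0) throw new IllegalArgumentException("non-hex character in input");
        return d;
    }

    // AES keys are 16, 24 or 32 bytes; fail early with a clear message otherwise.
    static SecretKeySpec aesKeyFromHex(String hex) {
        byte[] key = hexToBytes(hex);
        if (key.length != 16 && key.length != 24 && key.length != 32)
            throw new IllegalArgumentException("invalid AES key length: " + key.length + " bytes");
        return new SecretKeySpec(key, "AES");
    }

    public static void main(String[] args) throws Exception {
        // Key string from the question: hex text, two characters per key byte.
        String keyExample = "99112277445566778899AABBCCDDEEFF0123456789ABCDEF0123456789ABCDEF";
        System.out.println("getBytes():  " + keyExample.getBytes(StandardCharsets.US_ASCII).length + " bytes");
        SecretKeySpec key = aesKeyFromHex(keyExample);
        System.out.println("hex-decoded: " + key.getEncoded().length + " bytes");

        // Round trip over a constructed sample message, using GCM with a fresh random nonce.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = enc.doFinal("sample message".getBytes(StandardCharsets.UTF_8));
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        System.out.println(new String(dec.doFinal(ct), StandardCharsets.UTF_8));
    }
}
```

The error messages deliberately omit the offending character so that key material does not end up in logs or stack traces.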