Java decryption throws an exception

Question

Here is my encryption method(value is an input parameter):

 byte key_bytes[] = "12345678".getBytes();
 SecretKeySpec _keyspec = new SecretKeySpec(key_bytes, "DES");
 Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding"); // Yes, I know I shouldn't use DES
 cipher.init(Cipher.ENCRYPT_MODE, _keyspec);

 byte[] utf8 = value.getBytes("UTF8");
 byte[] enc = cipher.doFinal(utf8);   // Encrypt

 String encrypted = new String(new Base64().encode(enc));

 return URLEncoder.encode(encrypted, "UTF-8");

Here is my decryption method(value is an input parameter):

byte key_bytes[] = "12345678".getBytes();
SecretKeySpec _keyspec = new SecretKeySpec(key_bytes, "DES");
Cipher dcipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
dcipher.init(Cipher.DECRYPT_MODE, _keyspec);

byte[] dec = new Base64().decode(value);
byte[] utf8 = dcipher.doFinal(dec);  // Decrypt, throws exception
return new String(utf8, "UTF8");

And I get an Exception:

javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher

I've read different topics, so I figured out, that this exception occurs, when there is no padding and there is another cipher mode. So, what's wrong?

Where is your `URLDecoder`? And it mainly occurs if your ciphertext is not a multiple of the blocksize (8 for DES) anymore. — Maarten Bodewes, Jul 17 '14 at 16:08
Note that using DES is insecure, ECB is insecure and sending a ciphertext without authentication tag (HMAC) over a network is insecure as well. — Maarten Bodewes, Jul 17 '14 at 22:13
I mentioned that, that DES is unsecure, ECB is unsecure, but requirements are requirements — John Smith, Jul 18 '14 at 07:27
@owlstead can you give an example of using HMAC with such type of encryption? — John Smith, Jul 18 '14 at 12:37
Well, you use - a preferably different - key for the HMAC calculation, then calculate a HMAC over the ciphertext and - if used - the IV and other configurable encryption parameters that are send. Then you verify the HMAC **before** decryption. That's it really. — Maarten Bodewes, Jul 18 '14 at 12:51

Maarten Bodewes · Answer 1 · 2014-07-17T16:21:00.973

2

You are missing an URLDecoder in your decryption method. Note that if the string has been compromised in any other way, and the length is not a multiple of the block size anymore that you will receive this exception for both the ECB and CBC modes of operation.

edited Jul 17 '14 at 16:21

answered Jul 17 '14 at 16:11

Maarten Bodewes

90,524
13
150
263

I use apache's Base64 encoder, URL is decoded above, in another method, so value in input is already decoded – John Smith Jul 17 '14 at 16:15
2

Works on my system otherwise. Check if the string received is the string send! Note that this is why you should create a SSCCE! – Maarten Bodewes Jul 17 '14 at 16:19
the string, which I recieve on the output of encryption method equals the string, which is given as input in decryption – John Smith Jul 18 '14 at 07:26
Could you show us an example input string used for decryption that fails with this exception? Preferably edit it into the answer and respond that you did so here. – Maarten Bodewes Jul 18 '14 at 12:53

score 1 · Accepted Answer · edited May 23 '17 at 12:05

1

As exception stack says, length must be multiple of 8.

So, length of 8, 16, 24,... are valid for key bytes.

Try with length of 8 (12345678)

byte key_bytes[] = "12345678".getBytes();

If error persists, you can follow this answer

Updated

If you want to use URLDecoder, try with this code in your decrypt method,

String decryptd = URLDecoder.decode(value, "UTF-8");
byte[] dec = new Base64().decode(decryptd);
byte[] utf8 = dcipher.doFinal(dec);  
return new String(utf8, "UTF-8");

edited May 23 '17 at 12:05

Community

1
1

answered Jul 17 '14 at 15:08

Wundwin Born

3,467
19
37

sorry, I've edited the question, in the source they are 8 charachters long – John Smith Jul 17 '14 at 15:10
@JohnSmith You may need to follow the link in updated answer. – Wundwin Born Jul 17 '14 at 15:13
I don't see any difference, only encryption standard and UTF-8 encoding/decoding, used in my code – John Smith Jul 18 '14 at 07:28
@JohnSmith The problem is in your encrypt method if you return `encrypted` string instead of `return URLEncoder.encode(encrypted, "UTF-8");`, all will be ok. – Wundwin Born Jul 18 '14 at 09:39
yep, it helped, thnx! – John Smith Jul 18 '14 at 10:22

Java decryption throws an exception

2 Answers2

Updated