java.security.InvalidKeyException: Illegal key size

Question

When I run this code in Android it produces no errors, but when I run it in a standard Java program it produces the exception: java.security.InvalidKeyException: Illegal key size.

Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
SecretKeySpec keySpec = new SecretKeySpec(CHUNK_ENCRYPTION_KEY.getBytes(), 0, 32, "AES");
IvParameterSpec initVector = new IvParameterSpec(AES_INITIALIZATION_VECTOR.getBytes(), 0 , 16);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, initVector);

CHUNK_ENCRYPTION_KEY is a 32 byte key hard-coded into the program. AES_INITIALIZATION_VECTOR is a 16 byte hard-coded initialization vector.

Does anyone know why it would work on Android and not on a Desktop?

Answer 1

On a default desktop JVM installation (using the JRE or JDK from Sun/Oracle), AES is limited to 128-bit key size. This is a remnant of import/export laws on cryptographic software. To unlock the larger AES key sizes, you need to download and apply the "JCE Unlimited Strength Jurisdiction Policy Files" (see at the bottom of this page).

The key size restriction is enforced by the code within the Cipher class. Changing cryptographic providers (e.g. to one of the Bouncy Castle or IAIK providers) won't let you circumvent this restriction.

On an unrelated note, you do not want to use the raw getBytes() method on a String, because the result depends on the current locale (not everyone uses UTF-8 or even ASCII-compatible encodings). If you do want to represent your key as a literal string, at least use an explicit encoding, such as: CHUNK_ENCRYPTION_KEY.getBytes("UTF-8")

Answer 2

It's not stated clearly in README that "JCE Unlimited Strength Jurisdiction Policy Files" should be copied to jre inside your JDK, otherwise it would not work. Path for files should be: /path/to/jdk1.7.0_xx/jre/lib/security