prathibha.

Reputation: 41

Invalid AES key length: 12 bytes in Java

As per given steps, I have performed encryption but am getting an error.

  1. Generate a 16-digit random number (session key). Say RANDOMNO. RANDOMNO = 1111222233334444
  2. Encrypt RANDOMNO using RSA/ECB/PKCS1Padding and encode using Base64. Say ENCR_KEY. ENCR_KEY = B64Encode(RSA/ECB/PKCS1Encryption(RANDOMNO,ICICIPubKey.cer))
  3. Perform AES/CBC/PKCS5Padding encryption on request payload using RANDOMNO as key and IV (initialization vector). Say ENCR_DATA. ENCR_DATA = B64Encode(AES/CBC/PKCS5Padding(REQUEST_DATA, RANDOMNO, IV))
  4. Now the client may choose to send IV in request from one of the two options below. Send Base64 Encoded IV in “iv” tag.

public byte[] generateRandomBytes() {
    SecureRandom ng = new SecureRandom();
    byte[] randomBytes = new byte[16];
    ng.nextBytes(randomBytes);
    return randomBytes;
}

//new method for encryption -we need to check
public String encryptRandomKeyWithCertificate(byte[] randomNumber) throws BadPaddingException, IllegalBlockSizeException, InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, FileNotFoundException, CertificateException {

    //step2: encrypt the random number with certificate
    FileInputStream fin = new FileInputStream("D:\\cedge_uat\\ICICIUATpubliccert.cer");
    CertificateFactory f = CertificateFactory.getInstance("X.509");
    X509Certificate certificate = (X509Certificate) f.generateCertificate(fin);
    PublicKey publicKey = certificate.getPublicKey();
    Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
    cipher.init(Cipher.ENCRYPT_MODE, publicKey);
    byte[] cipherData = cipher.doFinal(randomNumber);
    String encodedData = Base64.getEncoder().encodeToString(cipherData);
    return encodedData;
}

public String encryptRequestWithKey(String text, byte[] randomNumber) throws Exception {

    //step3: encrypt the requestString with randomkeyEncrypted
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    BASE64Decoder decoder = new BASE64Decoder();
    SecretKeySpec keySpec = new SecretKeySpec(randomNumber, "AES");
    IvParameterSpec ivSpec = new IvParameterSpec(new byte[16]);
    cipher.init(Cipher.ENCRYPT_MODE, keySpec,ivSpec);
    byte[] cipherData = cipher.doFinal(text.getBytes());
    // BASE64Encoder encoder = new BASE64Encoder();
    //return encoder.encode(cipherData).replaceAll("[\r\n]+", "");
    String encodedData = Base64.getEncoder().encodeToString(cipherData);
    return encodedData;
}

      
public static void main(String[] args) throws IOException {
    
    String requestString = "CORP_USER=";
    byte[] randomNumber;
    String encryptedKey;
    try {
        randomNumber=encryption.generateRandomBytes();
        encryptedKey = encryption.encryptRandomKeyWithCertificate(randomNumber);
        String encryptedData =encryption.encryptRequestWithKey(requestString,randomNumber);
    } catch (Exception e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
}

Upvotes: 0

Views: 3575

Answers (1)

Stephen C

Reputation: 719299

According to the Wikipedia page on AES encryption, an AES key can be 128, 192 or 256 bits; i.e. 16, 24 or 32 bytes.

You are supplying a key whose size depends on the "random" number string you are generating. It looks like it will be between 1 and 19 digits plus a possible sign. When you call getBytes() on that string, you will get a byte array with anywhere between 1 and 20 bytes. That is typically NOT one of the acceptable key sizes for AES.

What you should do is use SecureRandom.nextBytes(byte[]) and supply a byte array of one of the three acceptable key sizes for AES.

Upvotes: 0
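
An added example, not code from the question or the answer, showing the point the answer makes: `Cipher.init` rejects a 12-byte AES key, while a 16-byte key filled by `SecureRandom.nextBytes` is accepted. It also draws the IV from `SecureRandom` rather than using an all-zero array. The class name `AesKeyLengthDemo`, the helper names and the sample payload are assumptions made for the illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class AesKeyLengthDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Returns n bytes from the CSPRNG (raw bytes, not digits of a number string).
    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return b;
    }

    // AES/CBC/PKCS5Padding: the key must be 16, 24 or 32 bytes, the IV exactly 16 bytes.
    static byte[] aesCbc(int mode, byte[] key, byte[] iv, byte[] data) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload, not real request data.
        byte[] payload = "CORP_USER=example".getBytes(StandardCharsets.UTF_8);
        byte[] iv = randomBytes(16); // fresh random IV for each message

        // A 12-byte key (here: 12 ASCII digits) is rejected when the cipher is initialised.
        byte[] shortKey = "123456789012".getBytes(StandardCharsets.US_ASCII);
        try {
            aesCbc(Cipher.ENCRYPT_MODE, shortKey, iv, payload);
        } catch (InvalidKeyException e) {
            System.out.println("12-byte key rejected: " + e.getMessage());
        }

        // A 16-byte key from SecureRandom is a valid AES-128 key.
        byte[] key = randomBytes(16);
        byte[] encrypted = aesCbc(Cipher.ENCRYPT_MODE, key, iv, payload);
        System.out.println("iv        = " + Base64.getEncoder().encodeToString(iv));
        System.out.println("ENCR_DATA = " + Base64.getEncoder().encodeToString(encrypted));

        // Decrypting with the same key and IV recovers the payload.
        byte[] decrypted = aesCbc(Cipher.DECRYPT_MODE, key, iv, encrypted);
        System.out.println("round trip ok: " + Arrays.equals(payload, decrypted));
    }
}
```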
