Home Java Security: Illegal key size or default parameters?
Reply: 13

Java Security: Illegal key size or default parameters?

Rihards Published in 2011-06-26 01:40:15Z

I had asked a question about this earlier, but it didn't get answered right and led nowhere.

So I've clarified few details on the problem and I would really like to hear your ideas on how could I fix this or what should I try.

I have Java installed on my Linux server and the code below runs just perfectly.

String key = "av45k1pfb024xa3bl359vsb4esortvks74sksr5oy4s5serondry84jsrryuhsr5ys49y5seri5shrdliheuirdygliurguiy5ru";
try {
    Cipher c = Cipher.getInstance("ARCFOUR");

    SecretKeySpec secretKeySpec = new SecretKeySpec(key.getBytes("UTF-8"), "ARCFOUR");
    c.init(Cipher.DECRYPT_MODE, secretKeySpec);

    return new String(c.doFinal(Hex.decodeHex(data.toCharArray())), "UTF-8");

} catch (InvalidKeyException e) {
    throw new CryptoException(e);

Today I installed Java on my server user and when I try to run my application, I get the following exception. My guess would be that it has something to do with the Java installation configuration because it works in the first one, but doesn't work in the later version.

Caused by: java.security.InvalidKeyException: Illegal key size or default parameters
    at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
    at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
    at javax.crypto.Cipher.a(DashoA13*..) ~[na:1.6]
    at javax.crypto.Cipher.init(DashoA13*..) ~[na:1.6]
    at javax.crypto.Cipher.init(DashoA13*..) ~[na:1.6]
    at my.package.Something.decode(RC4Decoder.java:25) ~[my.package.jar:na]
    ... 5 common frames omitted

Line 25 is: c.init(Cipher.DECRYPT_MODE, secretKeySpec);

* java.security on server's java directory matches almost completely with the java.security file. There are no additional providers in the first one.
* The previous question is here.

Peter Crotty
Peter Crotty Reply to 2016-08-17 10:24:30Z

Most likely you don't have the unlimited strength file installed now.

You may need to download this file:

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download

Extract the jar files from the zip and save them in ${java.home}/jre/lib/security/.

jww Reply to 2014-04-28 03:24:35Z

There's a short discussion of what appears to be this issue here. The page it links to appears to be gone, but one of the responses might be what you need:

Indeed, copying US_export_policy.jar and local_policy.jar from core/lib/jce to $JAVA_HOME/jre/lib/security helped. Thanks.

Dev G
Dev G Reply to 2011-12-15 06:44:48Z

I also got the issue but after replacing existing one with the downloaded (from JCE) one resolved the issue. New crypto files provided unlimited strength.

evanxsummers Reply to 2011-12-22 10:33:06Z

"Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6"


anon Reply to 2014-08-29 13:46:07Z

I experienced the same error while using Windows 7 x64, Eclipse, and JDK 1.6.0_30. In the JDK installation folder there is a jre folder. This threw me off at first as I was adding the aforementioned jars to the JDK's lib/security folder with no luck. Full path:

C:\Program Files\Java\jdk1.6.0_30\jre\lib\security

Download and extract the files contained in the jce folder of this archive into that folder.

C Deepak
C Deepak Reply to 2016-02-23 09:18:26Z

For JAVA 7 the download link is jce-7-download

Copy the two downloaded jars in Java\jdk1.7.0_10\jre\lib\security
Take a backup of older jars to be on safer side.

For JAVA 8 the download link is jce-8-download
Copy the downloaded jars in Java\jdk1.8.0_45\jre\lib\security
Take a backup of older jars to be on safer side.

Saad Malik
Saad Malik Reply to 2014-10-22 05:48:17Z

The JRE/JDK/Java 8 jurisdiction files can be found here:

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download

Like James said above:
Install the files in ${java.home}/jre/lib/security/.

max Reply to 2015-09-25 20:35:15Z

the problem is the content of the file default_local.policy in local_policy.jar in the folder jre\lib\security, if you install the JRE:

// Some countries have import limits on crypto strength. This policy file
// is worldwide importable.

grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
                                     "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128,
          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", *;
    permission javax.crypto.CryptoPermission *, 128;

if you do not need worldwide valid settings you simply can edit this file and change the content to

// Country-specific policy file for countries with no limits on crypto strength.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;

this is what get if you download the JCE from Oracle.

tostao Reply to 2017-11-02 17:20:48Z

In Java, by default AES supports a 128 Bit key, if you plans to use 192 Bit or 256 Bit key, java complier will throw Illegal key size Exception, which you are getting.

The solution is as victor & James suggested, you will need to download JCE (Java Cryptography Extension) as per your JRE version,(java6, java7 or java8).

The JCE zip contains following JAR:

  1. local_policy.jar
  2. US_export_policy.jar

You need to replace these jar form your <JAVA_HOME>/jre/lib/security. if you are on a unix system the will probably refer to /home/urs/usr/lib/jvm/java-<version>-oracle/

Sometimes just replacing local_policy.jar, US_export_policy.jar in security folder doesn't work on unix, so I suggest to copy security folder to your desktop first, replace the jar's @Desktop/security folder, delete the security folder from /jre/lib/ & move the Desktop security folder to /jre/lib/.

eg :: sudo mv security /usr/lib/jvm/java-7-oracle/jre/lib

keaplogik Reply to 2016-01-15 14:37:26Z

By default, Java only supports AES 128 bit (16 bytes) key sizes for encryption. If you do not need more than default supported, you can trim the key to the proper size before using Cipher. See javadoc for default supported keys.

This is an example of generating a key that would work with any JVM version without modifying the policy files. Use at your own discretion.

Here is a good article on whether key 128 to 256 key sizes matter on AgileBits Blog

SecretKeySpec getKey() {
    final pass = "47e7717f0f37ee72cb226278279aebef".getBytes("UTF-8");
    final sha = MessageDigest.getInstance("SHA-256");

    def key = sha.digest(pass);
    // use only first 128 bit (16 bytes). By default Java only supports AES 128 bit key sizes for encryption.
    // Updated jvm policies are required for 256 bit.
    key = Arrays.copyOf(key, 16);
    return new SecretKeySpec(key, AES);
Jako Reply to 2017-06-01 17:41:45Z

This is a code only solution. No need to download or mess with configuration files.

It's a reflection based solution, tested on java 8

Call this method once, early in your program.


import javax.crypto.Cipher;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Map;


public static void fixKeyLength() {
    String errorString = "Failed manually overriding key-length permissions.";
    int newMaxKeyLength;
    try {
        if ((newMaxKeyLength = Cipher.getMaxAllowedKeyLength("AES")) < 256) {
            Class c = Class.forName("javax.crypto.CryptoAllPermissionCollection");
            Constructor con = c.getDeclaredConstructor();
            Object allPermissionCollection = con.newInstance();
            Field f = c.getDeclaredField("all_allowed");
            f.setBoolean(allPermissionCollection, true);

            c = Class.forName("javax.crypto.CryptoPermissions");
            con = c.getDeclaredConstructor();
            Object allPermissions = con.newInstance();
            f = c.getDeclaredField("perms");
            ((Map) f.get(allPermissions)).put("*", allPermissionCollection);

            c = Class.forName("javax.crypto.JceSecurityManager");
            f = c.getDeclaredField("defaultPolicy");
            Field mf = Field.class.getDeclaredField("modifiers");
            mf.setInt(f, f.getModifiers() & ~Modifier.FINAL);
            f.set(null, allPermissions);

            newMaxKeyLength = Cipher.getMaxAllowedKeyLength("AES");
    } catch (Exception e) {
        throw new RuntimeException(errorString, e);
    if (newMaxKeyLength < 256)
        throw new RuntimeException(errorString); // hack failed

Credits: Delthas

Sulabh Jain
Sulabh Jain Reply to 2017-09-15 08:59:54Z

Default JDK supports encryption only through 128 bit keys becuase of American restrictions. So to support encryption from 256 bit long key we have to replace local_policy.jar and US_export_policy.jars in $JAVA_HOME/java-8-oracle/jre/lib/security folder otherwise it will give java.security.InvalidKeyException: Illegal key size or default

Both jars and detailed concept can be understand from the link:


Thanks, Sulabh Jain

Sebastian S
Sebastian S Reply to 2017-10-20 21:38:48Z

Beginning with Java 8u151 and Java 9 you can disable the limitation programmatically.

In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary.

Instead you can now invoke the following line before first use of JCE classes (i.e. preferably right after application start):

Security.setProperty("crypto.policy", "unlimited");
You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.32582 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO