Given final block not properly padded

If you try to decrypt PKCS5-padded data with the wrong key, and then unpad it (which is done by the Cipher class automatically), you most likely will get the BadPaddingException (with probably of slightly less than 255/256, around 99.61%), because the padding has a special structure which is validated during unpad and very few keys would produce a valid padding.

So, if you get this exception, catch it and treat it as “wrong key”.

This also can happen when you provide a wrong password, which then is used to get the key from a keystore, or which is converted into a key using a key generation function.

Of course, bad padding can also happen if your data is corrupted in transport.

That said, there are some security remarks about your scheme:

  • For password-based encryption, you should use a SecretKeyFactory and PBEKeySpec instead of using a SecureRandom with KeyGenerator. The reason is that the SecureRandom could be a different algorithm on each Java implementation, giving you a different key. The SecretKeyFactory does the key derivation in a defined manner (and a manner which is deemed secure, if you select the right algorithm).
  • Don’t use ECB-mode. It encrypts each block independently, which means that identical plain text blocks also give always identical ciphertext blocks.Preferably use a secure mode of operation, like CBC (Cipher block chaining) or CTR (Counter). Alternatively, use a mode which also includes authentication, like GCM (Galois-Counter mode) or CCM (Counter with CBC-MAC), see next point.
  • You normally don’t want only confidentiality, but also authentication, which makes sure the message is not tampered with. (This also prevents chosen-ciphertext attacks on your cipher, i.e. helps for confidentiality.) So, add a MAC (message authentication code) to your message, or use a cipher mode which includes authentication (see previous point).
  • DES has an effective key size of only 56 bits. This key space is quite small, it can be brute-forced in some hours by a dedicated attacker. If you generate your key by a password, this will get even faster. Also, DES has a block size of only 64 bits, which adds some more weaknesses in chaining modes. Use a modern algorithm like AES instead, which has a block size of 128 bits, and a key size of 128 bits (for the standard variant).

Related Posts:

  1. How can I list the available Cipher algorithms?
  2. Encrypt Password in Configuration Files?
  3. Encrypt Password in Configuration Files?
  4. What is a StackOverflowError?
  5. What is the proper way to handle a NumberFormatException when it is expected?
  6. Exception in thread “main” java.util.NoSuchElementException
  7. How to decrypt a SHA-256 encrypted string?
  8. JavaFX – Exception in Application start method?
  9. JavaFX – Exception in Application start method? [duplicate]
  10. What is an AssertionError? In which case should I throw it from my own code?
  11. EOFException – how to handle?
  12. Can I catch multiple Java exceptions in the same catch clause?
  13. Exception in thread “main” java.util.NoSuchElementException: No line found
  14. “NoClassDefFoundError: Could not initialize class” error
  15. unreported exception java.io.FileNotFoundException; must be caught or declared to be thrown
  16. Exception in thread “main” java.lang.UnsupportedClassVersionError: a (Unsupported major.minor version 51.0)
  17. “NoClassDefFoundError: Could not initialize class” error
  18. “NoClassDefFoundError: Could not initialize class” error
  19. Why do I get an UnsupportedOperationException when trying to remove an element from a List?
  20. Why do I get “Exception; must be caught or declared to be thrown” when I try to compile my Java code?
  21. What is difference between Errors and Exceptions?
  22. Causes of getting a java.lang.VerifyError
  23. How to create a custom exception type in Java?
  24. Exception in thread “main” java.lang.ArithmeticException: / by zero
  25. Java can’t find file when running through Eclipse
  26. FXML Load exception
  27. StringIndexOutOfBoundsException String index out of range: 0
  28. java.lang.ClassNotFoundException:com.mysql.jdbc.Driver [duplicate]
  29. What kind of Java type is “[B”?
  30. Connection Java – MySQL : Public Key Retrieval is not allowed
  31. Why is a ConcurrentModificationException thrown and how to debug it
  32. Throwing multiple exceptions in Java
  33. java.lang.ArrayIndexOutOfBoundsException: 0
  34. Official reasons for “Software caused connection abort: socket write error”
  35. How can I read a text file in Android?
  36. Exception is never thrown in body of corresponding try statement
  37. How can I catch all the exceptions that will be thrown through reading and writing a file?
  38. What is the best way to implement constants in Java?
  39. What is the reason behind “non-static method cannot be referenced from a static context”?
  40. What does ” || ” mean in Java? [duplicate]
  41. “Error occurred during initialization of VM; Could not reserve enough space for object heap” using -Xmx3G
  42. “int cannot be dereferenced” in Java
  43. What is a Key-Value Pair?
  44. How can I use ant to execute commands on linux?
  45. Invalid initial heap size -Xms4096M
  46. How do I use a PriorityQueue?
  47. What does Java option -Xmx stand for?
  48. Global variables in Java
  49. Does the Project Lombok @Data annotation create a constructor of any kind?
  50. Javac is not found
  51. How Exactly Does @param Work – Java
  52. Return string Input with parse.string
  53. Android ListView headers
  54. What does -XX:MaxPermSize do?
  55. What does .class mean in Java?
  56. What does the following Oracle error mean: invalid column index
  57. how to fix java.lang.arrayindexoutofboundsexception: 0?
  58. Convert the string into stringBuilder in java
  59. Print ArrayList
  60. Using ADB to capture the screen
  61. What is the difference between response.sendRedirect() and request.getRequestDispatcher().forward(request,response)
  62. Recursion vs. Iteration (Fibonacci sequence)
  63. What is the difference between Integer and int in Java?
  64. Static Error: This class does not have a static void main method accepting String[]
  65. “uses unchecked or unsafe operations”
  66. possible lossy conversion from long to int?
  67. How to sort an array of objects in Java?
  68. Android – SPAN_EXCLUSIVE_EXCLUSIVE spans cannot have a zero length
  69. keytool error Keystore was tampered with, or password was incorrect
  70. How to override toString() properly in Java?
  71. Returning null in a method whose signature says return int?
  72. keytool error Keystore was tampered with, or password was incorrect
  73. How to convert currentTimeMillis to a date in Java?
  74. How to clear console in Java – Eclipse
  75. Java TreeMap Comparator
  76. What is the use of System.in.read()?
  77. Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )
  78. JDK was not found on the computer for NetBeans 6.5
  79. In Java, how to assign the variable number=Integer.parseInt(args[0]) a value if no argument is passed?
  80. How are “mvn clean package” and “mvn clean install” different?
  81. Why are two empty ArrayLists with different generic types equal?
  82. Iterator for a linkedlist
  83. Hide Utility Class Constructor : Utility classes should not have a public or default constructor
  84. Android – Start service on boot
  85. JsonMappingException: No suitable constructor found for type [simple type, class ]: can not instantiate from JSON object
  86. Sending POST data in Android
  87. When is “java.io.IOException:Connection reset by peer” thrown?
  88. Java ArrayList of Doubles
  89. what is update-alternatives command in linux and what is the use of it?
  90. java: use StringBuilder to insert at the beginning
  91. Multiple delimiters in Scanner class of Java
  92. Eclipse Problems View not showing Errors anymore
  93. unexpected type error
  94. What is the difference between run-time error and compiler error?
  95. What is the difference between ArrayList.clear() and ArrayList.removeAll()?
  96. Test if element is present using Selenium WebDriver?
  97. Increase heap size in Java
  98. android.content.res.Resources$NotFoundException: String resource ID #0x0
  99. what does x– or x++ do here?
  100. How to specify filepath in java?

Leave a Comment