Monday, June 15, 2009

TripleDES encryption compatibility when using Java and .NET

Note: This article shows you how to generate a SecretKey to use with a TripleDES encryption cipher. The shared-secret key can be 24 bytes or even 16 bytes long.
For a quick brief of how TripleDES (3DES) works, have a look here.

The most common problem when encrypting something in Java and decrypting it in .NET, or vice versa, is a misunderstanding of the keying options defined in the standards and of which ones Java and .NET implement.

A DES key is made up of 56 key bits and 8 parity bits (8 bytes in total).
A 3DES key is a bundle of three 8-byte DES keys, i.e. it is 24 bytes long.

If you are going to use a 24-byte key for both Java and .NET, you're safe; the encryption will be compatible.

Java will force you to use only a 24-byte key when using TripleDES; the subtlety is that .NET supports both a 16-byte and a 24-byte key.
Now if you generate a key from an MD5 hash of a shared secret, it will be just 16 bytes. .NET has no problem with this. It implements Keying Option 2. It will intelligently take the first 8 bytes and append them after the 16th byte, forming a 24-byte key. Java, *sigh*, sadly doesn't do this. You'll have to spoon-feed it like so:

    import javax.crypto.SecretKey;
    import javax.crypto.SecretKeyFactory;
    import javax.crypto.spec.DESedeKeySpec;

    public SecretKey getSecretKey(byte[] encryptionKey) {
        SecretKey secretKey = null;
        if (encryptionKey == null)
            return null;

        byte[] keyValue = new byte[24]; // final 3DES key

        if (encryptionKey.length == 16) {
            // Create the third key from the first 8 bytes
            System.arraycopy(encryptionKey, 0, keyValue, 0, 16);
            System.arraycopy(encryptionKey, 0, keyValue, 16, 8);

        } else if (encryptionKey.length != 24) {
            throw new IllegalArgumentException("A TripleDES key should be 24 bytes long");

        } else {
            // Already a full 24-byte key: use it as is
            keyValue = encryptionKey;
        }

        DESedeKeySpec keySpec;
        try {
            // Build the DESede key from the 24 bytes of key material
            keySpec = new DESedeKeySpec(keyValue);
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
            secretKey = keyFactory.generateSecret(keySpec);
        } catch (Exception e) {
            throw new RuntimeException("Error in key Generation", e);
        }
        return secretKey;
    }
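
Added example (not part of the original post): a Java check that the 16-byte to 24-byte expansion described above really is two-key EDE, meaning encrypt with K1, decrypt with K2, encrypt with K1 again, by comparing `DESede` against three single-DES block operations. The class name, the `des` helper, and the sample secret and block are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyingOption2Check {
    // One raw single-DES block operation (no chaining, no padding).
    static byte[] des(int mode, byte[] key8, byte[] block) throws Exception {
        Cipher c = Cipher.getInstance("DES/ECB/NoPadding");
        c.init(mode, new SecretKeySpec(key8, "DES"));
        return c.doFinal(block);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the article.
        byte[] md5 = MessageDigest.getInstance("MD5")
                .digest("constructed shared secret".getBytes(StandardCharsets.UTF_8));
        byte[] block = "8bytes!!".getBytes(StandardCharsets.US_ASCII);

        // Java rejects the raw 16-byte key material.
        try {
            new DESedeKeySpec(md5);
            throw new IllegalStateException("16-byte key was accepted");
        } catch (InvalidKeyException e) {
            System.out.println("16-byte key rejected: " + e.getMessage());
        }

        // Keying option 2: K1 | K2 | K1.
        byte[] k1 = Arrays.copyOfRange(md5, 0, 8);
        byte[] k2 = Arrays.copyOfRange(md5, 8, 16);
        byte[] key24 = Arrays.copyOf(md5, 24);
        System.arraycopy(k1, 0, key24, 16, 8);

        SecretKey key = SecretKeyFactory.getInstance("DESede")
                .generateSecret(new DESedeKeySpec(key24));
        Cipher tdes = Cipher.getInstance("DESede/ECB/NoPadding");
        tdes.init(Cipher.ENCRYPT_MODE, key);
        byte[] viaDesede = tdes.doFinal(block);

        // The same block through encrypt(K1) -> decrypt(K2) -> encrypt(K1).
        byte[] viaEde = des(Cipher.ENCRYPT_MODE, k1,
                des(Cipher.DECRYPT_MODE, k2, des(Cipher.ENCRYPT_MODE, k1, block)));
        System.out.println("expanded key == two-key EDE: " + Arrays.equals(viaDesede, viaEde));
    }
}
```

The single-block ECB/NoPadding calls are used here only to compare the raw cipher primitives; for real messages, the mode, padding and IV must be set explicitly and identically on the Java and .NET sides.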


Sam Walker said...

Thank you for this informative article. It helped me find the solution. Find my Java and .NET solution here.

Anonymous said...

this worked very well, didn't know it had to be 24 bytes... thanks!

Malinga said...


Ignacio said...

thanks! you make my day!