Java: InvalidAlgorithmParameterException Prime size must be multiple of 64

北海茫月 2020-12-10 16:01

I implemented a Java program that will connect and execute a command in a remote server using JSCH. The problem is that whenever I tried to connect to the server, I got the

9 answers
  • 2020-12-10 16:26

    I didn't have the benefit of switching to Ganymed, so I installed the "Bouncy Castle" libraries to replace the security on the JVM. For some reason the Java 8 JVM still does not allow for security keys to be larger than 1024 in length.

    1. Download the jar files from https://www.bouncycastle.org/latest_releases.html (look for jar files that start with 'bcprov-jdk')

    2. Place the jar files under $JAVA_HOME/jre/lib/ext

    3. Edit the java.security file located in $JAVA_HOME/jre/lib/security
    4. Scroll down past the middle of the file and you will find a numbered list of security providers (around 9 or 8). Place a comment for the line of the second provider (with a #)
    5. Replace the commented line with this:

      security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider

    6. Restart what you must, and try again.

    I'm baffled as to why we need to hack the JDK this way. It doesn't inspire a lot of confidence in anybody I mentioned it to at work. But since there is poor documentation (or education) on anything relating to security, we are treating it as a 'temporary' fix.

  • 2020-12-10 16:26

    I solved a similar problem on Oracle Java 8 by switching to the Bouncy Castle provider for SSL/TLS:

    1. Added bouncycastle to my project

      <dependency>
          <groupId>org.bouncycastle</groupId>
          <artifactId>bcprov-jdk15on</artifactId>
          <version>1.54</version>
      </dependency>
      
    2. Before I do any SSL stuff, I add the BouncyCastle provider as 1st provider to the list:

      Security.insertProviderAt(new BouncyCastleProvider(),1);
      

    This works with most stuff that uses Sun's SSLSocketFactory, so it might also work with JSch.

  • 2020-12-10 16:26

    I too faced the same issue and resolved it by downgrading the jar file from jsch-1.5.4 to jsch-1.5.0. Try changing the jsch jar file and see which version is suitable for your code. The root cause of the issue is due to some method in the jsch jar file upgrade expecting an extra input parameter that is missing in your code.

  • 2020-12-10 16:30

    My workaround was changing this registry key to allow 1024 bit DH keys in Windows 10 (2048 was/is the minimum bit size per https://docs.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
    "ServerMinKeyBitLength"=dword:00000400
    
  • 2020-12-10 16:35

    I tried using a 2048-bit key that I generated on a server, but I am still receiving the error. The solution that I found is to use a different SSH library, and the one that works is Ganymed SSH-2, instead of JSch. Thank you for all the suggestions and comments.

    Edited: In addition, this library is also lightweight, ~1MB.

  • 2020-12-10 16:35

    I was getting the same error with JGit's use of JSch. I tried a lot of suggestions in this thread to no avail.

    But then recently, I noticed that if I used a slightly newer jre than I used before, the error went away.

    Just for the record, I was using "jsch-0.1.55.jar" and the two jre's I tried were:

    • JRE 1.7.0_80 (experienced the exception)
    • JRE 1.8.0_191 (made the problem go away)

    I can't say for sure whether it was merely the JRE upgrade that resolved the problem or the suggested tweaks from this thread that I made in addition.

    All the same, just wanted to share the experience in case it helps someone else.

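Added example, not part of any answer in this thread: a probe that prints the running JRE's provider order, names the provider that serves `DH`, and reports which modulus sizes that provider's key-pair generator accepts at `initialize()`. It helps separate the effect of a JRE change from a provider change. The class name `DhPrimeProbe` and the list of sizes are assumptions, and the modulus values are constructed placeholders, not real primes.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import javax.crypto.spec.DHParameterSpec;

public class DhPrimeProbe {

    // Returns null if the generator accepts a modulus of this bit length,
    // otherwise the exception type and message it was rejected with.
    static String probe(KeyPairGenerator kpg, int bits) {
        // Constructed odd value with exactly `bits` bits; NOT a real prime.
        // Only initialize() is called, so no key pair is ever generated from it.
        BigInteger p = BigInteger.ONE.shiftLeft(bits - 1).add(BigInteger.ONE);
        try {
            kpg.initialize(new DHParameterSpec(p, BigInteger.valueOf(2)));
            return null;
        } catch (Exception e) {
            // Providers differ in what they throw, so catch broadly and report.
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Provider order decides which implementation answers getInstance("DH").
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + " = " + providers[i].getName());
        }

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        // Asking for the provider pins the generator to it, so a rejection below
        // is reported instead of silently falling through to the next provider.
        System.out.println("DH served by: " + kpg.getProvider().getName());

        for (int bits : new int[] {1024, 2048, 3072, 4096}) {
            String err = probe(kpg, bits);
            System.out.println(bits + "-bit modulus: "
                    + (err == null ? "accepted" : "rejected (" + err + ")"));
        }
    }
}
```

Run it on the same JRE and with the same `java.security` file as the failing application. A provider other than the JDK's default may validate the parameters more strictly than by size alone and reject the placeholder modulus for that reason.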