Prime size must be multiple of 64, and can only range from 512 to 1024

Lee Painter

If you receive an error whilst creating an SSH connection using our APIs that states "Prime size must be multiple of 64, and can only range from 512 to 1024" then you may need to upgrade your Java version or consider shipping an additional dependency with your application.

This issue is caused by validation the JRE is applying to the Diffie Hellman prime number that is received or used by the client during SSH key exchange. The key exchange mechanism is using a prime that is out of the bounds of that supported by the JCE in that its either not a multiple of 64 OR its larger than 1024 bits.

1024 bit restriction is problematic because 1024 bits is now considered vulnerable to attack. See https://weakdh.org/ and https://www.keylength.com/ 

This error comes from the Oracle JCE that ships with the Java runtime. Changes have recently been made to support larger primes, if your looking to use Java 7 you should be using update 91 which raises the validation length to 2048 bits. 

If you need to use Java 6 then you should be using update 105 http://www.oracle.com/technetwork/java/javase/6u105-relnotes-2703317.html for the same reasons.

In order to get the best support for DH primes and to bypass the Oracle limitations I recommend distributing the Bouncycastle JCE with your application. This JCE supports up to 8192 bits for DH primes and if included in the classpath it will be preferred by our implementation without any further changes to your code. 

There are other potential issues around the multiple of 64 with some servers if they are using custom DH primes, its possible to configure the server with bad primes which would result in the same error as you are seeing. If this is the case you should check the servers /etc/ssh/moduli file to ensure the primes are all valid and are multiples of 64