RSPEC-4426

Cryptographic keys should not be too short

    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Use a key length of at least 'xxx' bits
    • Highlighting:
      KeyGenerator.init() call or KeyPairGenerator.initialize() call
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C, C++
    • Covered Languages:
      C#, Java, PHP
    • Irrelevant for Languages:
      ABAP, Cobol, CSS, Flex, HTML, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      2min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-326
    • OWASP:
      A3
    • FindSecBugs:
      BLOWFISH_KEY_SIZE, RSA_KEY_SIZE
    • Fortify:
      weak_encryption_insufficient_key_size

      Description

      When generating cryptographic keys (or key pairs), the key must be long enough that an attacker cannot recover it within a realistic budget. For a symmetric cipher such as Blowfish the key length bounds the cost of exhaustive search; for RSA the modulus size bounds the cost of factoring it. Blowfish keys should be at least 128 bits long, and RSA moduli at least 2048 bits. Length is necessary but not sufficient: the key bits also have to come from a cryptographically secure random source, since a long key derived from a short or predictable seed is only as strong as that seed.

      This rule raises an issue when a Blowfish key generator or RSA key-pair generator is initialized with too small a length parameter, i.e. when KeyGenerator.init() is called with fewer than 128 bits for "Blowfish" or KeyPairGenerator.initialize() with fewer than 2048 bits for "RSA".

      Noncompliant Code Example

      KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
      keyGen.init(64); // Noncompliant: 64-bit key, below the 128-bit minimum

      KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
      keyPairGen.initialize(512); // Noncompliant: 512-bit modulus, below the 2048-bit minimum


      Compliant Solution

      KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
      keyGen.init(128); // 128-bit Blowfish key

      KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
      keyPairGen.initialize(2048); // 2048-bit RSA modulus

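      The check this rule describes, reduced to a line-based scanner over Java source, as an added example that is not SonarSource's analyzer (which works on an abstract-interpretation model of the program, not regular expressions): it binds each generator variable to the algorithm named in its getInstance(...) call, then flags init()/initialize() calls whose integer-literal size is below the minimum. It goes beyond the page's two examples by also reading the modulus size out of new RSAKeyGenParameterSpec(size, exponent), and by treating JCA algorithm names case-insensitively. The 128/2048-bit thresholds are the page's; MIN_KEY_BITS, find_short_keys, Finding and the sample Java input are this example's own constructions.

```python
import re
from dataclasses import dataclass

# Minimum sizes in bits, as stated by the rule. The table and every name below
# are this example's own; they are not SonarSource's implementation.
MIN_KEY_BITS = {"Blowfish": 128, "RSA": 2048}
_CANONICAL = {name.lower(): name for name in MIN_KEY_BITS}

# `KeyGenerator g = KeyGenerator.getInstance("Blowfish");` -> (g, Blowfish)
GET_INSTANCE = re.compile(
    r'\b(?:KeyGenerator|KeyPairGenerator)\s+(\w+)\s*=\s*'
    r'(?:KeyGenerator|KeyPairGenerator)\.getInstance\(\s*"([^"]+)"'
)
# `g.init(64)` or `g.initialize(512, random)` with an integer literal
INIT_LITERAL = re.compile(r'\b(\w+)\.(?:init|initialize)\(\s*(\d+)\s*[,)]')
# `g.initialize(new RSAKeyGenParameterSpec(1024, F4))`: first argument is the modulus size
INIT_RSA_SPEC = re.compile(
    r'\b(\w+)\.initialize\(\s*new\s+RSAKeyGenParameterSpec\(\s*(\d+)\s*,'
)


@dataclass
class Finding:
    line: int
    variable: str
    algorithm: str
    bits: int
    minimum: int

    def message(self) -> str:
        # Same wording as the rule's message template
        return f"Use a key length of at least {self.minimum} bits"


def find_short_keys(source: str) -> list[Finding]:
    """Return one Finding per init/initialize call whose literal size is below the minimum.

    Only generators created in this source with a literal algorithm name are
    tracked, and only integer-literal sizes are checked; anything else is
    skipped rather than guessed, which keeps the scanner free of false positives
    at the price of missing sizes computed at runtime.
    """
    algorithm_of = {}  # variable name -> canonical algorithm name
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        decl = GET_INSTANCE.search(line)
        if decl:
            var, alg = decl.group(1), decl.group(2)
            # JCA algorithm names are case-insensitive: "rsa" and "RSA" are the same
            canonical = _CANONICAL.get(alg.lower())
            if canonical is not None:
                algorithm_of[var] = canonical
            continue
        for pattern in (INIT_LITERAL, INIT_RSA_SPEC):
            call = pattern.search(line)
            if call is None:
                continue
            var, bits = call.group(1), int(call.group(2))
            alg = algorithm_of.get(var)
            if alg is None:
                break  # not tracked, or an algorithm this rule does not cover
            minimum = MIN_KEY_BITS[alg]
            if bits < minimum:
                findings.append(Finding(lineno, var, alg, bits, minimum))
            break
    return findings


# Constructed Java input: the rule's own two examples plus a few edge cases.
SAMPLE_SOURCE = """\
KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
keyGen.init(64); // Noncompliant
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(512); // Noncompliant
KeyGenerator aesGen = KeyGenerator.getInstance("AES");
aesGen.init(128); // AES is outside this rule's scope
KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("rsa");
rsaGen.initialize(new RSAKeyGenParameterSpec(1024, RSAKeyGenParameterSpec.F4)); // Noncompliant
KeyPairGenerator okGen = KeyPairGenerator.getInstance("RSA");
okGen.initialize(2048);
KeyGenerator okBlowfish = KeyGenerator.getInstance("Blowfish");
okBlowfish.init(128, new SecureRandom());
"""

if __name__ == "__main__":
    for f in find_short_keys(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.variable} ({f.algorithm}, {f.bits} bits): {f.message()}")
```

      Run on SAMPLE_SOURCE it reports lines 2, 4 and 8 and stays silent on the AES generator, the 2048-bit RSA modulus and the 128-bit Blowfish key with an explicit SecureRandom. A real analyzer also has to follow the size through variables, constants and method parameters, which is what the rule's "Abstract Interpretation" analysis level refers to; this scanner deliberately skips such calls.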

          Issue Links

          1. C# RSPEC-4429 Language-Specification Active Unassigned
          2. C-Family RSPEC-4430 Language-Specification Active Unassigned
          3. PHP RSPEC-4703 Language-Specification Active Unassigned

          Reporter: Jean-Christophe Collet