Rules Repository > RSPEC-4426 Cryptographic keys should not be too short > RSPEC-5438

Python: Cryptographic key generation should be based on strong parameters

    Details

    • Type: Language-Specification
    • Status: Active
    • Resolution: Unresolved
    • Labels:
      None
    • Message:
      Use a key length of at least 'xxx' bits
      Use a public key exponent of at least 65537
    • Impact:
      Unknown 'null' severity
    • Likelihood:
      Unknown 'null' severity

      Description

      When generating cryptographic keys (or key pairs), it is important to use strong parameters. Key length, for instance, should provide enough entropy against brute-force attacks.

      • For RSA and DSA algorithms, the key size should be at least 2048 bits.
      • For ECC (elliptic curve cryptography) algorithms, the key size should be at least 224 bits.
      • For RSA, the public key exponent should be at least 65537.

      This rule raises an issue when an RSA, DSA or ECC key-pair generator is initialized using weak parameters.
      It supports the following libraries:

      Noncompliant Code Example

      from cryptography.hazmat.backends import default_backend
      from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

      backend = default_backend()  # the original snippet left `backend` undefined

      dsa.generate_private_key(key_size=1024, backend=backend)  # Noncompliant: 1024-bit DSA key
      rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend)  # Noncompliant: exponent below 65537
      ec.generate_private_key(curve=ec.SECT163R2(), backend=backend)  # Noncompliant: 163-bit curve
      

      Compliant Solution

      from cryptography.hazmat.backends import default_backend
      from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

      backend = default_backend()  # the original snippet left `backend` undefined

      dsa.generate_private_key(key_size=2048, backend=backend)  # Compliant: 2048-bit DSA key
      rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend)  # Compliant
      ec.generate_private_key(curve=ec.SECT409R1(), backend=backend)  # Compliant: 409-bit curve
      
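      As an added example (not SonarSource's implementation of this rule), the following ast-based checker applies the three thresholds from the description above to a constructed copy of the noncompliant and compliant snippets; reading the curve's bit size from the `cryptography` curve class name (SECT163R2 -> 163) is an assumption about that library's naming.

```python
import ast
import re
# Thresholds taken from the rule description above.
MIN_RSA_DSA_BITS = 2048
MIN_EC_BITS = 224
MIN_RSA_EXPONENT = 65537
# Constructed sample mirroring the noncompliant and compliant snippets of the rule.
SAMPLE = """
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
dsa.generate_private_key(key_size=1024)
rsa.generate_private_key(public_exponent=999, key_size=2048)
ec.generate_private_key(curve=ec.SECT163R2())
dsa.generate_private_key(key_size=2048)
rsa.generate_private_key(public_exponent=65537, key_size=2048)
ec.generate_private_key(curve=ec.SECT409R1())
"""
def _curve_bits(node):
    """Assumption: `cryptography` curve class names embed the field size (SECT163R2 -> 163)."""
    target = node.func if isinstance(node, ast.Call) else node
    name = target.attr if isinstance(target, ast.Attribute) else getattr(target, "id", "")
    match = re.search(r"\d+", name)
    return int(match.group()) if match else None

def check_source(src):
    """Return sorted (line, message) pairs for every weak generate_private_key call."""
    issues = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "generate_private_key"
                and isinstance(node.func.value, ast.Name)):
            continue
        module = node.func.value.id  # "rsa", "dsa" or "ec"
        kw = {k.arg: k.value for k in node.keywords}
        key_size = kw.get("key_size")
        if module in ("rsa", "dsa") and isinstance(key_size, ast.Constant) and key_size.value < MIN_RSA_DSA_BITS:
            issues.append((node.lineno, f"Use a key length of at least {MIN_RSA_DSA_BITS} bits"))
        exponent = kw.get("public_exponent")
        if module == "rsa" and isinstance(exponent, ast.Constant) and exponent.value < MIN_RSA_EXPONENT:
            issues.append((node.lineno, f"Use a public key exponent of at least {MIN_RSA_EXPONENT}"))
        if module == "ec" and "curve" in kw:
            bits = _curve_bits(kw["curve"])
            if bits is not None and bits < MIN_EC_BITS:
                issues.append((node.lineno, f"Use a key length of at least {MIN_EC_BITS} bits"))
    return sorted(issues)

if __name__ == "__main__":
    for line, msg in check_source(SAMPLE):
        print(f"line {line}: {msg}")
```

      Only literal keyword arguments are inspected; a key size passed through a variable is not resolved, which is the main gap between this sketch and a real analyzer.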

      See

            People

            • Assignee: Unassigned
            • Reporter: Pierre-Loup Tristant (pierre-loup.tristant)
            • Votes: 0
            • Watchers: 1