Inadequate encryption strength
Description
The application generates an RSA key shorter than the recommended 2048 bits. The National Institute of Standards and Technology (NIST) deprecated the signing of digital certificates containing 1024-bit RSA public keys in December 2010. While no 1024-bit RSA key has been publicly factored yet, advances in computing power may make this feasible in the near future.
Examples
Insecure Code

```go
// 1024-bit modulus: below the recommended 2048-bit minimum
key, err := rsa.GenerateKey(rand.Reader, 1024)
```

Secure Code

```go
// 2048-bit modulus: meets the recommended minimum
key, err := rsa.GenerateKey(rand.Reader, 2048)
```

Remediation
To generate an RSA key of 2048 bits, pass the number of bits as the second parameter to the `rsa.GenerateKey` function.
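The following is an added example (not part of this rule page or the Go standard library) that enforces the 2048-bit floor in two places a practitioner cares about: a wrapper around `rsa.GenerateKey` that refuses undersized requests, and an audit helper that reports the modulus size of an existing PKCS#1 PEM key. The names `MinRSABits`, `GenerateRSAKey` and `RSAKeyBitsFromPEM` are assumptions of this example; the 1024-bit key in `main` is constructed input standing in for a weak key found on disk.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// MinRSABits is the smallest modulus this code will generate or accept,
// the 2048-bit floor the rule describes.
const MinRSABits = 2048

// GenerateRSAKey wraps rsa.GenerateKey and rejects sizes below MinRSABits,
// so a caller cannot silently produce a 1024-bit key.
func GenerateRSAKey(bits int) (*rsa.PrivateKey, error) {
	if bits < MinRSABits {
		return nil, fmt.Errorf("rsa: requested %d bits, minimum is %d", bits, MinRSABits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// RSAKeyBitsFromPEM parses a PKCS#1 "RSA PRIVATE KEY" PEM block and returns its
// modulus size in bits; an undersized key still reports its size, with an error.
func RSAKeyBitsFromPEM(pemData []byte) (int, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return 0, errors.New("no PKCS#1 RSA PRIVATE KEY PEM block found")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return 0, err
	}
	bits := key.N.BitLen()
	if bits < MinRSABits {
		return bits, fmt.Errorf("rsa: key is %d bits, below minimum %d", bits, MinRSABits)
	}
	return bits, nil
}

func main() {
	// Constructed input: a deliberately weak 1024-bit key encoded as PKCS#1 PEM.
	weak, _ := rsa.GenerateKey(rand.Reader, 1024)
	pemData := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(weak)})
	bits, err := RSAKeyBitsFromPEM(pemData)
	fmt.Println(bits, err) // 1024 rsa: key is 1024 bits, below minimum 2048
}
```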
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0778 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-326 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | encryption, rsa |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |