Inadequate encryption strength due to small key size for Blowfish

Description

The Blowfish encryption algorithm uses a small key size, which may make the ciphertext vulnerable to birthday attacks. It is recommended to use a larger key size, such as 256, and consider using AES instead of Blowfish.

Examples

Insecure Code

java

KeyGenerator keyGenerator = KeyGenerator.getInstance("Blowfish");
keyGenerator.init(64);

Secure Code

java

KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
keyGenerator.init(256);

Remediation

Pass a value such as 256 to the `KeyGenerator.init(keySize)` method and consider using AES as the instance of `KeyGenerator` instead of Blowfish.

Rule Details

Field	Value
ID	CODE-0685
Category	Crypto
Severity	MEDIUM
CWE	CWE-326
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	encryption, key size, Blowfish, AES
OWASP	A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Inadequate encryption strength due to small key size for Blowfish

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Inadequate encryption strength due to small key size for Blowfish ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Inadequate encryption strength due to small key size for Blowfish

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details