Inadequate encryption strength

Description

The application is generating an RSA key that is less than the recommended 2048 bits. The National Institute of Standards and Technology (NIST) deprecated signing Digital Certificates that contained RSA Public Keys of 1024 bits in December 2010.

Examples

Insecure Code

java

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(1024);

Secure Code

java

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("Ed25519"); return keyPairGenerator.generateKeyPair();

Remediation

Use a key size greater than 2048 when generating RSA keys or consider upgrading to the newer asymmetric algorithm such as Ed25519.

Rule Details

Field	Value
ID	CODE-0693
Category	Crypto
Severity	MEDIUM
CWE	CWE-326
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	inadequate encryption strength, RSA key size
OWASP	A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Inadequate encryption strength

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

Inadequate encryption strength ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

Inadequate encryption strength

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details