Inadequate encryption strength
Description
The application was found using an insufficient curve size for the Elliptic Curve (EC) asymmetric algorithm. NIST recommends using a key size of 224 or greater.
Examples
Insecure Code
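```python
from cryptography.hazmat.primitives.asymmetric import ec
ec.generate_private_key(ec.SECP192R1())  # 192-bit curve, below the 224 minimum
```
Secure Code
```python
from cryptography.hazmat.primitives.asymmetric import ec
ec.generate_private_key(ec.SECP384R1())  # 384-bit curve
```
Remediation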
Replace the current curve with `ec.SECP384R1`.
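A static check for this pattern, as an added example (not the rule's own implementation): it parses Python source with the standard `ast` module and reports `generate_private_key` calls whose curve is below 224 bits. The curve table, the names `find_weak_curves` and `WEAK_CURVES`, and the sample source are constructed for illustration.

```python
import ast

# Curve classes in cryptography's `ec` module whose key size is below 224 bits
# (table assembled for this example).
WEAK_CURVES = {"SECP192R1": 192, "SECT163K1": 163, "SECT163R2": 163}
MIN_BITS = 224  # threshold stated in the description above


def _name(node):
    """Return the trailing identifier of `ec.X`, `X`, `ec.X()` or `X()`."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_weak_curves(source):
    """Return (line, curve, bits) for each generate_private_key call on a weak curve."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _name(node.func) != "generate_private_key":
            continue
        # The curve is the first positional argument or the `curve=` keyword.
        args = list(node.args[:1]) + [k.value for k in node.keywords if k.arg == "curve"]
        for arg in args:
            curve = _name(arg)
            if curve in WEAK_CURVES:
                findings.append((node.lineno, curve, WEAK_CURVES[curve]))
    return sorted(findings)


# Constructed sample input, not taken from a real code base.
SAMPLE = """\
from cryptography.hazmat.primitives.asymmetric import ec
a = ec.generate_private_key(ec.SECP192R1())
b = ec.generate_private_key(curve=ec.SECT163K1())
c = ec.generate_private_key(ec.SECP384R1())
"""

if __name__ == "__main__":
    for line, curve, bits in find_weak_curves(SAMPLE):
        print(f"line {line}: {curve} is {bits} bits, below the {MIN_BITS}-bit minimum")
```

The check only sees a curve written directly in the call; a curve object assigned to a variable first and passed by name is not followed.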
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0121 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-326 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | elliptical cryptography, insufficient curve size |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |