Inadequate RSA Key Size
Description
The RSA key size is insufficient by NIST standards (SP 800-57). Use a key length of 2048 bits or more; smaller moduli are more susceptible to brute-force factoring attacks.
Examples
Insecure Code

```ruby
OpenSSL::PKey::RSA.new(1024)
```

Secure Code

```ruby
OpenSSL::PKey::RSA.new(2048)
```

Remediation
Generate RSA keys with a size of 2048 bits or more.
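The following is an added example, not part of the rule or the Semgrep project, showing how to enforce the remediation in Ruby: a key-generation wrapper that refuses sizes below 2048 bits, plus a helper that reads the modulus size of an existing key (PEM text or an `OpenSSL::PKey::RSA` object) so keys already deployed can be audited. The names `MIN_RSA_BITS`, `generate_rsa_key`, `rsa_key_bits` and `adequate_rsa_key?` are assumptions introduced here.

```ruby
require 'openssl'

# Minimum modulus size in bits, per the NIST SP 800-57 guidance the rule cites.
MIN_RSA_BITS = 2048

# Generate an RSA key, refusing any size below the minimum so the weak
# OpenSSL::PKey::RSA.new(1024) pattern cannot slip through at runtime.
def generate_rsa_key(bits = MIN_RSA_BITS)
  if bits < MIN_RSA_BITS
    raise ArgumentError, "RSA key size #{bits} is below the #{MIN_RSA_BITS}-bit minimum"
  end
  OpenSSL::PKey::RSA.new(bits)
end

# Return the modulus size in bits of an existing key. Accepts a PEM string
# (public or private) or an OpenSSL::PKey::RSA instance.
def rsa_key_bits(key)
  key = OpenSSL::PKey::RSA.new(key) if key.is_a?(String)
  key.n.num_bits
end

# True when the key meets the minimum; useful for auditing keys loaded from
# disk or a secrets store before they are used.
def adequate_rsa_key?(key)
  rsa_key_bits(key) >= MIN_RSA_BITS
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demonstration: a compliant key and a deliberately weak one.
  good = generate_rsa_key
  weak = OpenSSL::PKey::RSA.new(1024) # the insecure pattern, for comparison only
  puts "generated key: #{rsa_key_bits(good)} bits, adequate=#{adequate_rsa_key?(good)}"
  puts "legacy key:    #{rsa_key_bits(weak.public_key.to_pem)} bits, adequate=#{adequate_rsa_key?(weak)}"
end
```

`rsa_key_bits` inspects the modulus `n` rather than trusting the size passed at generation time, so it gives the same answer for keys produced elsewhere (for example a PEM file checked in years ago).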
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0520 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-326 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | encryption, rsa |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |
References
- https://github.com/semgrep/semgrep-rules/blob/develop/ruby/lang/security/insufficient-rsa-key-size.yaml
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf