== How to fix it in pyOpenSSL

=== Code examples

include::../../common/fix/code-rationale.adoc[]

==== Noncompliant code example

include::../../common/fix/rsa.adoc[]

[source,python,diff-id=4,diff-type=noncompliant]
----
from OpenSSL.crypto import PKey, TYPE_RSA

# A 1024-bit RSA modulus gives only about 80 bits of security
key_rsa1024 = PKey()
key_rsa1024.generate_key(type=TYPE_RSA, bits=1024) # Noncompliant
----

include::../../common/fix/dsa.adoc[]

[source,python,diff-id=5,diff-type=noncompliant]
----
from OpenSSL.crypto import PKey, TYPE_DSA

# A 1024-bit DSA modulus gives only about 80 bits of security
key_dsa1024 = PKey()
key_dsa1024.generate_key(type=TYPE_DSA, bits=1024) # Noncompliant
----

==== Compliant solution

[source,python,diff-id=4,diff-type=compliant]
----
from OpenSSL.crypto import PKey, TYPE_RSA

# A 3072-bit RSA modulus gives 128 bits of security
key_rsa3072 = PKey()
key_rsa3072.generate_key(type=TYPE_RSA, bits=3072)
----

[source,python,diff-id=5,diff-type=compliant]
----
from OpenSSL.crypto import PKey, TYPE_DSA

# A 3072-bit DSA modulus gives 128 bits of security
key_dsa3072 = PKey()
key_dsa3072.generate_key(type=TYPE_DSA, bits=3072)
----

=== How does this work?

As a rule of thumb, use the cryptographic algorithms and mechanisms that are
considered strong by the cryptography community.

The security of RSA rests on the difficulty of factoring the public modulus,
and the security of DSA on the difficulty of computing discrete logarithms in a
subgroup of the multiplicative group modulo the prime `p`. In both cases the
key size (the size of the modulus, which is the `bits` argument of
`PKey.generate_key`) bounds how much work the best known attacks require, so a
modulus that is too small can be broken regardless of how carefully the key is
used.

In general, a minimum key size of *2048* bits is recommended for both. It
provides 112 bits of security (NIST SP 800-57 Part 1), whereas a 1024-bit key
provides only about 80 bits and is no longer considered acceptable for
signatures. A key length of *3072* bits, which provides 128 bits of security,
or *4096* bits should be preferred when possible.

For DSA, the `bits` argument only sets the size of the prime modulus `p`;
OpenSSL chooses the size of the subgroup order `q` itself (256 bits for moduli
of 2048 bits and above). Generating DSA parameters for a 3072-bit modulus takes
noticeably longer than generating an RSA key of the same size, which is a cost
to budget for, not a reason to shrink the key.
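
The recommendation above is a policy: every generated or loaded RSA/DSA key
must meet the minimum modulus size. The following is an added example, not
code from this rule's own examples or from the pyOpenSSL project, that turns
the policy into an enforced check: `security_strength` maps a modulus size to
its NIST SP 800-57 strength, `check_key_size` rejects anything below 2048 bits,
`generate_key` wraps `PKey.generate_key` so that a weak size cannot slip
through, and `audit_pem_private_key` reports on keys that already exist. The
function names, the 3072-bit default and the policy thresholds are choices
made for this example.

```python
"""Key-size policy for pyOpenSSL key generation and auditing.

Added example, not part of the pyOpenSSL project. Thresholds follow
NIST SP 800-57 Part 1: 2048-bit moduli give 112 bits of security,
3072-bit moduli give 128.
"""
from __future__ import annotations

# NIST SP 800-57 Part 1, Table 2: security strength of RSA/DSA moduli.
STRENGTH_BY_MODULUS = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}

MINIMUM_BITS = 2048    # policy floor: 112-bit security
PREFERRED_BITS = 3072  # default for new keys: 128-bit security


def security_strength(bits: int) -> int:
    """Security strength in bits of an RSA or DSA modulus of `bits` bits.

    Sizes between table rows are rounded down, so a 4096-bit key is rated
    at 128 bits (the 3072 row); anything below 1024 bits rates 0.
    """
    strength = 0
    for modulus, value in sorted(STRENGTH_BY_MODULUS.items()):
        if bits >= modulus:
            strength = value
    return strength


def check_key_size(bits: int, minimum: int = MINIMUM_BITS) -> None:
    """Raise ValueError if a modulus of `bits` bits is below the policy floor."""
    if bits < minimum:
        raise ValueError(
            f"{bits}-bit modulus gives only {security_strength(bits)} bits of "
            f"security; the policy minimum is {minimum} bits"
        )


def generate_key(algorithm: str, bits: int = PREFERRED_BITS):
    """Generate an RSA or DSA key with pyOpenSSL, enforcing the minimum first.

    The pyOpenSSL import is inside the function so that the pure policy
    functions above are usable (and testable) without pyOpenSSL installed.
    """
    from OpenSSL.crypto import PKey, TYPE_DSA, TYPE_RSA

    key_types = {"RSA": TYPE_RSA, "DSA": TYPE_DSA}
    if algorithm.upper() not in key_types:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    check_key_size(bits)  # reject 1024 (or anything below 2048) before touching OpenSSL
    key = PKey()
    key.generate_key(key_types[algorithm.upper()], bits)
    return key


def audit_pem_private_key(pem: bytes) -> dict:
    """Load a PEM private key and report whether its modulus meets the policy.

    Elliptic-curve keys are reported as "other" and not rated, since the
    RSA/DSA strength table does not apply to them.
    """
    from OpenSSL.crypto import FILETYPE_PEM, TYPE_DSA, TYPE_RSA, load_privatekey

    key = load_privatekey(FILETYPE_PEM, pem)
    names = {TYPE_RSA: "RSA", TYPE_DSA: "DSA"}
    algorithm = names.get(key.type(), "other")
    rated = algorithm != "other"
    return {
        "algorithm": algorithm,
        "bits": key.bits(),
        "security_bits": security_strength(key.bits()) if rated else None,
        "compliant": rated and key.bits() >= MINIMUM_BITS,
    }


if __name__ == "__main__":
    from OpenSSL.crypto import FILETYPE_PEM, dump_privatekey

    strong = generate_key("RSA")  # 3072-bit by default
    print(audit_pem_private_key(dump_privatekey(FILETYPE_PEM, strong)))
    try:
        generate_key("RSA", 1024)  # the noncompliant size from the examples above
    except ValueError as exc:
        print("rejected:", exc)
```

Run the module directly to see a compliant 3072-bit key audited and a
1024-bit request rejected before any key material is produced. The audit
function is the piece to point at existing key stores: it reads the size with
`PKey.bits()`, which is the same number `generate_key` was given, so a key
generated by code like the noncompliant examples above is flagged without
needing the original source.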

=== Going the extra mile

include::../../common/extra-mile/pre-quantum.adoc[]