rspec/rules/S4426/python/rule.adoc
2021-01-27 16:57:09 +01:00

When generating cryptographic keys (or key pairs), it is important to use strong parameters. Key length, for instance, should provide enough entropy against brute-force attacks.

* For ``++RSA++`` and ``++DSA++`` algorithms, the key size should be at least 2048 bits.
* For ``++ECC++`` (elliptic curve cryptography) algorithms, the key size should be at least 224 bits.
* For ``++RSA++``, the public key exponent should be at least 65537.

This rule raises an issue when an ``++RSA++``, ``++DSA++`` or ``++ECC++`` key-pair generator is initialized using weak parameters.

It supports the following libraries:

* https://github.com/pyca/cryptography[cryptography]
* https://github.com/dlitz/pycrypto[PyCrypto]
* https://github.com/Legrandin/pycryptodome[Cryptodome]
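The checks described above, written out as a small stand-alone static checker over Python source using the standard library's `ast` module. This is an added illustration, not SonarSource's implementation of the rule. It assumes the positional parameter order of the three pyca/cryptography generators (`rsa.generate_private_key(public_exponent, key_size)`, `dsa.generate_private_key(key_size)`, `ec.generate_private_key(curve)`), assumes that every curve class name in that library carries its field size as its first run of digits, and scans a constructed sample rather than real project code. Arguments that are not integer literals are skipped rather than guessed, so the checker never reports a call it cannot evaluate.

```python
import ast
import re

# Thresholds as the rule text states them; this checker is an added
# illustration, not SonarSource's own implementation of S4426.
MIN_RSA_DSA_KEY_SIZE = 2048
MIN_EC_KEY_SIZE = 224
MIN_RSA_PUBLIC_EXPONENT = 65537

# Positional parameter order of the three pyca/cryptography generators
# (assumed from the library's signatures; keyword arguments are handled too).
POSITIONAL_PARAMS = {
    "rsa": ("public_exponent", "key_size"),
    "dsa": ("key_size",),
    "ec": ("curve",),
}

# Constructed sample input mixing weak and strong calls; not code from the page.
SAMPLE_SOURCE = """
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
dsa.generate_private_key(key_size=1024)
rsa.generate_private_key(public_exponent=999, key_size=2048)
ec.generate_private_key(curve=ec.SECT163R2())
dsa.generate_private_key(key_size=2048)
rsa.generate_private_key(65537, 4096)
ec.generate_private_key(ec.SECP256R1())
"""


def _int_value(node):
    """Return the literal int a node holds, or None if it is not a constant int."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int) and not isinstance(node.value, bool):
        return node.value
    return None


def _curve_key_size(node):
    """Derive the curve size from an expression such as ec.SECT163R2() or ec.SECP256R1.
    Assumption: every curve class name in pyca/cryptography embeds its field size
    as its first run of digits (SECT163R2 -> 163, BrainpoolP256R1 -> 256)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        name = node.attr
    elif isinstance(node, ast.Name):
        name = node.id
    else:
        return None
    match = re.search(r"\d+", name)
    return int(match.group()) if match else None


def find_weak_key_generation(source):
    """Return sorted (line, message) pairs for every generate_private_key call
    whose literal arguments fall below the rule's thresholds."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "generate_private_key"
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id in POSITIONAL_PARAMS):
            continue
        module = node.func.value.id
        # Map positional arguments to parameter names, then overlay keywords.
        args = dict(zip(POSITIONAL_PARAMS[module], node.args))
        args.update({kw.arg: kw.value for kw in node.keywords if kw.arg})

        if module in ("rsa", "dsa"):
            key_size = _int_value(args.get("key_size"))
            if key_size is not None and key_size < MIN_RSA_DSA_KEY_SIZE:
                findings.append((node.lineno, f"{module.upper()} key size {key_size} < {MIN_RSA_DSA_KEY_SIZE}"))
        if module == "rsa":
            exponent = _int_value(args.get("public_exponent"))
            if exponent is not None and exponent < MIN_RSA_PUBLIC_EXPONENT:
                findings.append((node.lineno, f"RSA public exponent {exponent} < {MIN_RSA_PUBLIC_EXPONENT}"))
        if module == "ec":
            bits = _curve_key_size(args.get("curve"))
            if bits is not None and bits < MIN_EC_KEY_SIZE:
                findings.append((node.lineno, f"EC curve size {bits} < {MIN_EC_KEY_SIZE}"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in find_weak_key_generation(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

Running the module reports the three weak calls in the sample (lines 3, 4 and 5) and stays silent on the three strong ones; a call such as `rsa.generate_private_key(3, 1024)` yields two findings, one per weak parameter.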
== Noncompliant Code Example

[source,python]
----
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

backend = default_backend()

dsa.generate_private_key(key_size=1024, backend=backend) # Noncompliant: 1024-bit DSA key
rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend) # Noncompliant: public exponent below 65537
ec.generate_private_key(curve=ec.SECT163R2(), backend=backend) # Noncompliant: 163-bit curve
----
== Compliant Solution

[source,python]
----
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa

backend = default_backend()

dsa.generate_private_key(key_size=2048, backend=backend) # Compliant: 2048-bit DSA key
rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend) # Compliant: exponent 65537, 2048-bit key
ec.generate_private_key(curve=ec.SECT409R1(), backend=backend) # Compliant: 409-bit curve
----
== See

* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://www.ssi.gouv.fr/uploads/2014/11/RGS_v-2-0_B1.pdf[ANSSI RGSv2] - Référentiel Général de Sécurité version 2
* https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf[NIST FIPS 186-4] - Digital Signature Standard (DSS)
* http://cwe.mitre.org/data/definitions/326.html[MITRE, CWE-326] - Inadequate Encryption Strength