ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4426/common/fix/fix.adoc
github-actions[bot] e3a3a43170
Create rule S4426: Cryptographic keys should be robust (#4659) 
* Add go to rule S4426

* Add description for S4426 for Go

---------

Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com>
Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com>
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
2025-02-13 14:25:30 +01:00

45 lines
1.9 KiB
Plaintext
Raw Blame History

As a rule of thumb, use the cryptographic algorithms and mechanisms that are
considered strong by the cryptography community.
The appropriate choices are the following.
==== RSA (Rivest-Shamir-Adleman) and DSA (Digital Signature Algorithm)
The security of these algorithms depends on the difficulty of attacks
attempting to solve their underlying mathematical problem.
In general, a minimum key size of *2048* bits is recommended for both. It
provides 112 bits of security. A key length of *3072* or *4096* should be
preferred when possible.
==== AES (Advanced Encryption Standard)
AES supports three key sizes: 128 bits, 192 bits and 256 bits. The security of
the AES algorithm is based on the computational complexity of trying all
possible keys. +
A larger key size increases the number of possible keys and makes exhaustive
search attacks computationally infeasible. Therefore, a 256-bit key provides a
higher level of security than a 128-bit or 192-bit key.
Currently, a minimum key size of *128 bits* is recommended for AES.
==== Elliptic Curve Cryptography (ECC)
Elliptic curve cryptography is also used in various algorithms, such as ECDSA,
ECDH, or ECMQV. The length of keys generated with elliptic curve algorithms is mentioned
directly in their names. For example, `secp256k1` generates a 256-bits long
private key.
Currently, a minimum key size of *224 bits* is recommended for EC-based
algorithms.
Additionally, some curves that theoretically provide sufficiently long keys are
still discouraged. This can be because of a flaw in the curve parameters, a bad
overall design, or poor performance. It is generally advised to use a
NIST-approved elliptic curve wherever possible. Such curves currently include:
* NIST P curves with a size of at least 224 bits, e.g. secp256r1.
* Curve25519, generally known as ed25519 or x25519 depending on its application.
* Curve448.
* Brainpool curves with a size of at least 224 bits, e.g. brainpoolP224r1
Reference in New Issue View Git Blame Copy Permalink