ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S4426/python/rule.adoc
Andrea Guarino cbd4a1bc85
Remove link in french (#1580)
2023-02-16 16:43:19 +01:00

60 lines
2.3 KiB
Plaintext
Raw Blame History

When generating cryptographic keys (or key pairs), it is important to use strong parameters. Key length, for instance, should provide enough entropy against brute-force attacks.
* For ``++RSA++`` and ``++DSA++`` algorithms key size should be at least 2048 bits long
* For ``++ECC++`` (elliptic curve cryptography) algorithms key size should be at least 224 bits long
* For ``++RSA++`` public key exponent should be at least 65537.
This rule raises an issue when a ``++RSA++``, ``++DSA++`` or ``++ECC++`` key-pair generator is initialized using weak parameters.
It supports the following libraries:
* https://github.com/pyca/cryptography[cryptography]
* https://github.com/dlitz/pycrypto[PyCrypto]
* https://github.com/Legrandin/pycryptodome[Cryptodome]
== Noncompliant Code Example
[source,python]
----
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
dsa.generate_private_key(key_size=1024, backend=backend) # Noncompliant
rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend) # Noncompliant
ec.generate_private_key(curve=ec.SECT163R2, backend=backend) # Noncompliant
----
== Compliant Solution
[source,python]
----
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
dsa.generate_private_key(key_size=2048, backend=backend) # Compliant
rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend) # Compliant
ec.generate_private_key(curve=ec.SECT409R1, backend=backend) # Compliant
----
== See
* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
* https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf[NIST FIPS 186-4] - Digital Signature Standard (DSS)
* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink