62 lines
2.3 KiB
Plaintext
62 lines
2.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
When generating cryptographic keys (or key pairs), it is important to use strong parameters. Key length, for instance, should provide enough entropy against brute-force attacks.
|
|
|
|
|
|
* For ``++RSA++`` and ``++DSA++`` algorithms key size should be at least 2048 bits long
|
|
* For ``++ECC++`` (elliptic curve cryptography) algorithms key size should be at least 224 bits long
|
|
* For ``++RSA++`` public key exponent should be at least 65537.
|
|
|
|
This rule raises an issue when a ``++RSA++``, ``++DSA++`` or ``++ECC++`` key-pair generator is initialized using weak parameters.
|
|
|
|
It supports the following libraries:
|
|
|
|
* https://github.com/pyca/cryptography[cryptography]
|
|
* https://github.com/dlitz/pycrypto[PyCrypto]
|
|
* https://github.com/Legrandin/pycryptodome[Cryptodome]
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,python]
|
|
----
|
|
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
|
|
|
|
dsa.generate_private_key(key_size=1024, backend=backend) # Noncompliant
|
|
rsa.generate_private_key(public_exponent=999, key_size=2048, backend=backend) # Noncompliant
|
|
ec.generate_private_key(curve=ec.SECT163R2, backend=backend) # Noncompliant
|
|
----
|
|
|
|
=== Compliant solution
|
|
|
|
[source,python]
|
|
----
|
|
from cryptography.hazmat.primitives.asymmetric import rsa, ec, dsa
|
|
|
|
dsa.generate_private_key(key_size=2048, backend=backend) # Compliant
|
|
rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=backend) # Compliant
|
|
ec.generate_private_key(curve=ec.SECT409R1, backend=backend) # Compliant
|
|
----
|
|
|
|
== Resources
|
|
|
|
* https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[OWASP Top 10 2021 Category A2] - Cryptographic Failures
|
|
* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure
|
|
* https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[OWASP Top 10 2017 Category A6] - Security Misconfiguration
|
|
* https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf[NIST FIPS 186-4] - Digital Signature Standard (DSS)
|
|
* https://cwe.mitre.org/data/definitions/326[MITRE, CWE-326] - Inadequate Encryption Strength
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|