Skip to content

crypto — weak key

Inadequate Encryption Strength Using Weak Keys in crypto Package

Using weak key sizes for cryptographic algorithms like RSA and DSA can compromise the security of your encryption and digital signatures. Here's a brief overview of the risks associated with weak key sizes for these algorithms:

RSA (Rivest-Shamir-Adleman): RSA is widely used for both encryption and digital signatures. Weak key sizes in RSA can be vulnerable to factorization attacks, such as the famous RSA-129 challenge, which was factored in 1994 after 17 years of effort. Using small key sizes makes it easier for attackers to factor the modulus and recover the private key.

It's generally recommended to use RSA key sizes of 2048 bits or more for security in the present day, with 3072 bits or higher being increasingly preferred for long-term security.

DSA (Digital Signature Algorithm): DSA is used for digital signatures and relies on the discrete logarithm problem. Using weak key sizes in DSA can make it susceptible to attacks that involve solving the discrete logarithm problem, like the GNFS (General Number Field Sieve) algorithm.

For DSA, key sizes of 2048 bits or more are recommended for modern security. Note that DSA is not as commonly used as RSA or ECC for new applications, and ECDSA (Elliptic Curve Digital Signature Algorithm) is often preferred due to its efficiency and strong security properties.

Example

crypto_weak_key_rsa_1024.go
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
package main

import (
    "crypto/rand"
    "crypto/rsa"
    "crypto/x509"
    "encoding/pem"
    "log"
)

func main() {
    // Generate the RSA key
    privateKey, err := rsa.GenerateKey(rand.Reader, 1024)
    if err != nil {
        log.Fatalf("Failed to generate key: %v", err)
    }

    // Extract the public key from the private key
    publicKey := &privateKey.PublicKey

    // Encode the public key to PEM format
    publicKeyBytes, err := x509.MarshalPKIXPublicKey(publicKey)
    if err != nil {
        log.Fatalf("Failed to marshal public key: %v", err)
    }

    publicKeyPEM := pem.EncodeToMemory(&pem.Block{
        Type:  "RSA PUBLIC KEY",
        Bytes: publicKeyBytes,
    })

    // Print the public key
    log.Println(string(publicKeyPEM))
}
Example Output 
> precli tests/unit/rules/go/stdlib/crypto/examples/crypto_weak_key_rsa_1024.go
⛔️ Error on line 13 in tests/unit/rules/go/stdlib/crypto/examples/crypto_weak_key_rsa_1024.go
GO003: Inadequate Encryption Strength
Using 'RSA' key sizes less than '2048' bits is considered vulnerable to attacks.

Remediation

Its recommended to increase the key size to at least 2048 for DSA and RSA algorithms.

crypto_weak_key_rsa_1024.go
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
package main

import (
    "crypto/rand"
    "crypto/rsa"
    "crypto/x509"
    "encoding/pem"
    "log"
)

func main() {
    // Generate the RSA key
    privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        log.Fatalf("Failed to generate key: %v", err)
    }

    // Extract the public key from the private key
    publicKey := &privateKey.PublicKey

    // Encode the public key to PEM format
    publicKeyBytes, err := x509.MarshalPKIXPublicKey(publicKey)
    if err != nil {
        log.Fatalf("Failed to marshal public key: %v", err)
    }

    publicKeyPEM := pem.EncodeToMemory(&pem.Block{
        Type:  "RSA PUBLIC KEY",
        Bytes: publicKeyBytes,
    })

    // Print the public key
    log.Println(string(publicKeyPEM))
}

Default Configuration

enabled = true
level = "warning"
dsa_key_size_error = 1024
rsa_key_size_warning = 2048
rsa_key_size_error = 1024

See also

Info

New in version 0.2.1