ssl — weak key

Inadequate Encryption Strength Using Weak Keys in SSLContext

Using weak key sizes for cryptographic algorithms like Elliptic Curve can compromise the security of your encryption and digital signatures. Here's a brief overview of the risks associated with weak key sizes for this algorithm:

Elliptic Curve cryptography provides strong security with relatively small key sizes compared to RSA and DSA. However, even in the case of EC, using weak curve parameters or small key sizes can expose you to vulnerabilities. The strength of an EC key depends on the curve's properties and the size of the prime used.

Recommended EC key sizes depend on the curve you select, but for modern applications, curves like NIST P-256 (secp256r1) with a 256-bit key size are considered secure. Larger curves, like NIST P-384 or P-521, can provide even higher security margins.

Example

ssl_context_set_ecdh_curve_prime192v1.py
import ssl


context = ssl.SSLContext()
context.set_ecdh_curve("prime192v1")

Example Output

> precli tests/unit/rules/python/stdlib/ssl/examples/ssl_context_set_ecdh_curve_prime192v1.py
⚠️  Warning on line 5 in tests/unit/rules/python/stdlib/ssl/examples/ssl_context_set_ecdh_curve_prime192v1.py
PY019: Inadequate Encryption Strength
Using 'EC' key sizes less than '224' bits is considered vulnerable to attacks.

Remediation

Its recommended to increase the key size to at least 224 EC algorithms.

ssl_context_set_ecdh_curve_prime192v1.py
import ssl


context = ssl.SSLContext()
context.set_ecdh_curve("prime256v1")

Default Configuration

enabled = true
level = "warning"
ec_key_size_warning = 224
ec_key_size_error = 160

ssl — weak key

Inadequate Encryption Strength Using Weak Keys in SSLContext

Example

Remediation

Default Configuration

See also