• CodeQL query help documentation »
• CodeQL query help for C and C++ »

Use of a cryptographic algorithm with insufficient key size

ID: cpp/insufficient-key-size
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-326
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

Using cryptographic algorithms with a small key size can leave data vulnerable to being decrypted.

Many cryptographic algorithms provided by cryptography libraries can be configured with key sizes that are vulnerable to brute force attacks. Using such a key size means that an attacker may be able to easily decrypt the encrypted data.

Recommendation

Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.

Example

The following code shows an example of using the openssl library to generate an RSA key. When creating a key, you must specify which key size to use. The first example uses 1024 bits, which is not considered sufficient. The second example uses 2048 bits, which is currently considered sufficient.

void encrypt_with_openssl(EVP_PKEY_CTX *ctx) {

  // BAD: only 1024 bits for an RSA key
  EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024);

  // GOOD: 2048 bits for an RSA key
  EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048);
}

References

• NIST, FIPS 140 Annex a: Approved Security Functions.

• NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.

• Common Weakness Enumeration: CWE-326.

• © GitHub, Inc.
• Terms
• Privacy