• CodeQL query help documentation »
• CodeQL query help for Python »

Use of weak cryptographic key

ID: py/weak-crypto-key
Kind: problem
Security severity: 7.5
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-326
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

Modern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.

The three main asymmetric key algorithms currently in use are Rivest–Shamir–Adleman (RSA) cryptography, Digital Signature Algorithm (DSA), and Elliptic-curve cryptography (ECC). With current technology, key sizes of 2048 bits for RSA and DSA, or 256 bits for ECC, are regarded as unbreakable.

Recommendation

Increase the key size to the recommended amount or larger. For RSA or DSA this is at least 2048 bits, for ECC this is at least 256 bits.

References

• Wikipedia: Digital Signature Algorithm.

• Wikipedia: RSA cryptosystem.

• Wikipedia: Elliptic-curve cryptography.

• Python cryptography module: cryptography.io.

• NIST: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.

• Common Weakness Enumeration: CWE-326.

• © GitHub, Inc.
• Terms
• Privacy