Use of weak cryptographic key¶
ID: py/weak-crypto-key Kind: problem Severity: error Precision: high Tags: - security - external/cwe/cwe-326 Query suites: - python-code-scanning.qls - python-security-extended.qls - python-security-and-quality.qls
Click to see the query in the CodeQL repository
Modern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.
The three main asymmetric key algorithms currently in use are Rivest–Shamir–Adleman (RSA) cryptography, Digital Signature Algorithm (DSA), and Elliptic-curve cryptography (ECC). With current technology, key sizes of 2048 bits for RSA and DSA, or 256 bits for ECC, are regarded as unbreakable.
Increase the key size to the recommended amount or larger. For RSA or DSA this is at least 2048 bits, for ECC this is at least 256 bits.
Wikipedia: Digital Signature Algorithm.
Wikipedia: RSA cryptosystem.
Wikipedia: Elliptic-curve cryptography.
Python cryptography module: cryptography.io.
NIST: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Common Weakness Enumeration: CWE-326.