CodeQL documentation

Use of weak cryptographic key

ID: py/weak-crypto-key
Kind: problem
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-326
Query suites:
   - python-code-scanning.qls
   - python-security-extended.qls
   - python-security-and-quality.qls

Click to see the query in the CodeQL repository

Modern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.

The three main asymmetric key algorithms currently in use are Rivest–Shamir–Adleman (RSA) cryptography, Digital Signature Algorithm (DSA), and Elliptic-curve cryptography (ECC). With current technology, key sizes of 2048 bits for RSA and DSA, or 224 bits for ECC, are regarded as unbreakable.

Recommendation

Increase the key size to the recommended amount or larger. For RSA or DSA this is at least 2048 bits, for ECC this is at least 224 bits.

References

  • © GitHub, Inc.
  • Terms
  • Privacy