java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size


Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to AES instead. Note that a longer key does not make Blowfish safe on its own: it is a 64-bit block cipher, so the amount of data that can be encrypted under one key is limited by birthday-bound attacks, and AES is the better default for new code.


Definition

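rules:
  - id: blowfish-insufficient-key-size
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - audit
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    # Key length is only part of the story: Blowfish is a 64-bit block cipher, so even a
    # 448-bit key leaves it exposed to birthday-bound attacks on large volumes of data
    # encrypted under one key. The message therefore steers towards AES as well.
    message: Using less than 128 bits for Blowfish is considered insecure. Use 128
      bits or more, or switch to use AES instead.
    severity: WARNING
    languages:
      - java
    # Flag KeyGenerator.init() calls that request a Blowfish key shorter than 128 bits.
    # Only literal sizes can be compared: a key size computed at runtime or read from
    # configuration is not reported by this rule. The algorithm name is matched
    # literally as "Blowfish" (JCE itself resolves names case-insensitively).
    patterns:
      - pattern-either:
          # Generator stored in a variable and initialised later in the same scope.
          # `init($SIZE, ...)` covers both init(int) and init(int, SecureRandom).
          - pattern: |
              $KEYGEN = KeyGenerator.getInstance("Blowfish");
              ...
              $KEYGEN.init($SIZE, ...);
          # Inline form: KeyGenerator.getInstance("Blowfish").init(64)
          - pattern: KeyGenerator.getInstance("Blowfish").init($SIZE, ...)
      - metavariable-comparison:
          metavariable: $SIZE
          comparison: $SIZE < 128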

Examples

blowfish-insufficient-key-size.java

import java.security.NoSuchAlgorithmException;
import java.util.regex.Pattern;
import javax.crypto.KeyGenerator;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// cf. https://find-sec-bugs.github.io/bugs.htm#BLOWFISH_KEY_SIZE
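/**
 * Test fixture for the Semgrep rule {@code blowfish-insufficient-key-size}.
 *
 * <p>Each method requests a Blowfish key of a fixed size from {@link KeyGenerator}.
 * The {@code // ruleid:} and {@code // ok:} comments are read by Semgrep's rule
 * tests and must stay on the line directly above the statement they annotate.
 *
 * <p>{@code KeyGenerator.getInstance} throws the checked
 * {@link NoSuchAlgorithmException}, so each method declares it; without that the
 * fixture does not compile.
 */
public class Cls {

    /**
     * Requests a 64-bit Blowfish key: below the 128-bit floor, so the rule must report it.
     *
     * @throws NoSuchAlgorithmException if no installed provider offers a Blowfish KeyGenerator
     */
    public void unsafeKeySize() throws NoSuchAlgorithmException {
        // ruleid: blowfish-insufficient-key-size
        KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
        keyGen.init(64);
    }

    /**
     * Requests a 128-bit Blowfish key: exactly at the floor, so the rule must stay silent.
     *
     * @throws NoSuchAlgorithmException if no installed provider offers a Blowfish KeyGenerator
     */
    public void safeKeySize() throws NoSuchAlgorithmException {
        // ok: blowfish-insufficient-key-size
        KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
        keyGen.init(128);
    }

    /**
     * Requests a 448-bit Blowfish key, the largest key length Blowfish accepts.
     * Still a 64-bit block cipher, but well above the rule's threshold, so no finding.
     *
     * @throws NoSuchAlgorithmException if no installed provider offers a Blowfish KeyGenerator
     */
    public void superSafeKeySize() throws NoSuchAlgorithmException {
        // ok: blowfish-insufficient-key-size
        KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
        keyGen.init(448);
    }
}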