python.cryptography.security.insufficient-ec-key-size.insufficient-ec-key-size
Verified by r2c
Community Favorite
Download Count*: 99,207
Detected an insufficient curve size for EC. NIST recommends a key size of 224 or higher. For example, use 'ec.SECP256R1'.
Definition
rules:
  - id: insufficient-ec-key-size
    patterns:
      - pattern-inside: cryptography.hazmat.primitives.asymmetric.ec.generate_private_key(...)
      - pattern: cryptography.hazmat.primitives.asymmetric.ec.$SIZE
      - metavariable-pattern:
          metavariable: $SIZE
          pattern-either:
            - pattern: SECP192R1
            - pattern: SECT163K1
            - pattern: SECT163R2
      - focus-metavariable: $SIZE
    fix: |
      SECP256R1
    message: Detected an insufficient curve size for EC. NIST recommends a key size
      of 224 or higher. For example, use 'ec.SECP256R1'.
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
      references:
        - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
        - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves
      category: security
      technology:
        - cryptography
      subcategory:
        - audit
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - python
    severity: WARNING
Examples
insufficient-ec-key-size.py
# Rule test fixture: the `ok:` / `ruleid:` comments are Semgrep's expected results,
# not a recommendation of the code below. The curve is passed as a class rather than
# an instance (the rule matches `ec.$SIZE` either way), and the explicit backend
# argument is accepted by cryptography although it is no longer required.
import os
from cryptography.hazmat import backends
from cryptography.hazmat.primitives.asymmetric import ec

# 256-bit curve: meets the 224-bit minimum, so no finding
# ok: insufficient-ec-key-size
ec.generate_private_key(curve=ec.SECP256K1,
                        backend=backends.default_backend())

# Same curve passed positionally
# ok: insufficient-ec-key-size
ec.generate_private_key(ec.SECP256K1,
                        backends.default_backend())

# Curve chosen at runtime: the rule cannot judge a dynamic value statically,
# so it stays silent (this is only a parser fixture; it would fail at runtime)
# ok: insufficient-ec-key-size
ec.generate_private_key(curve=os.getenv("EC_CURVE"),
                        backend=backends.default_backend())

# 192-bit curve: below the 224-bit minimum (roughly 80 bits of security)
# ruleid: insufficient-ec-key-size
ec.generate_private_key(curve=ec.SECP192R1,
                        backend=backends.default_backend())

# 163-bit binary curve, positional argument: also flagged
# ruleid: insufficient-ec-key-size
ec.generate_private_key(ec.SECT163K1,
                        backends.default_backend())
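The following is an added example, not part of the rule or its test file, showing the same check as a stand-alone Python AST audit with the rule's autofix applied. It goes beyond the rule's three listed curves: any curve in the table whose documented `key_size` is below 224 bits is flagged, and each finding is annotated with the NIST SP 800-57 Part 1 security strength for that size. The curve table is taken from the sizes cryptography documents for its `ec` curve classes; the sample source is constructed here. Unlike Semgrep, this checker does not resolve imports, so it only recognises calls whose receiver is literally named `ec`.

```python
import ast

# Curve identifier -> key_size in bits, as documented for cryptography's ec curve classes.
# Everything below 224 bits falls under the 112-bit minimum security strength in NIST SP 800-57.
CURVE_KEY_SIZE = {
    "SECT163K1": 163, "SECT163R2": 163, "SECP192R1": 192,
    "SECP224R1": 224, "SECT233K1": 233, "SECT233R1": 233,
    "SECP256R1": 256, "SECP256K1": 256, "BrainpoolP256R1": 256,
    "SECT283K1": 283, "SECT283R1": 283,
    "SECP384R1": 384, "BrainpoolP384R1": 384,
    "SECT409K1": 409, "SECT409R1": 409,
    "BrainpoolP512R1": 512, "SECP521R1": 521, "SECT571K1": 571, "SECT571R1": 571,
}
MIN_KEY_SIZE = 224               # threshold cited in the rule's message
RECOMMENDED_CURVE = "SECP256R1"  # the rule's `fix:` target


def security_strength(key_size):
    """Security strength in bits for an ECC key size, per NIST SP 800-57 Part 1 Table 2."""
    for floor, bits in ((512, 256), (384, 192), (256, 128), (224, 112), (160, 80)):
        if key_size >= floor:
            return bits
    return 0  # below anything NIST ever approved


def _is_ec_keygen(func):
    """True for `ec.generate_private_key`, whether `ec` is a bare name or a dotted path."""
    if not (isinstance(func, ast.Attribute) and func.attr == "generate_private_key"):
        return False
    recv = func.value
    return (isinstance(recv, ast.Name) and recv.id == "ec") or \
           (isinstance(recv, ast.Attribute) and recv.attr == "ec")


def _curve_attr(node):
    """Return the Attribute node for `ec.NAME` or `ec.NAME()`, else None."""
    if isinstance(node, ast.Call):
        node = node.func
    return node if isinstance(node, ast.Attribute) else None


def _weak_curve_attrs(tree, min_key_size):
    """Yield the curve Attribute node of every keygen call using a curve below min_key_size."""
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _is_ec_keygen(node.func)):
            continue
        curve = node.args[0] if node.args else None
        for kw in node.keywords:  # keyword form takes precedence over positional
            if kw.arg == "curve":
                curve = kw.value
        attr = _curve_attr(curve)
        # Dynamic values (e.g. os.getenv(...)) or unknown names cannot be judged statically.
        if attr is None or attr.attr not in CURVE_KEY_SIZE:
            continue
        if CURVE_KEY_SIZE[attr.attr] < min_key_size:
            yield attr


def find_weak_ec_keys(source, min_key_size=MIN_KEY_SIZE):
    """Return (line, curve, key_size, security_bits) for each weak-curve keygen call."""
    findings = [(a.lineno, a.attr, CURVE_KEY_SIZE[a.attr], security_strength(CURVE_KEY_SIZE[a.attr]))
                for a in _weak_curve_attrs(ast.parse(source), min_key_size)]
    return sorted(findings)


def fix_weak_ec_keys(source, replacement=RECOMMENDED_CURVE, min_key_size=MIN_KEY_SIZE):
    """Rewrite each weak curve identifier to `replacement`, mirroring the rule's autofix.
    Offsets come from the AST, so edits are applied right-to-left per line to keep them valid.
    (ast column offsets are UTF-8 byte offsets; the sample here is ASCII-only.)"""
    lines = source.splitlines(keepends=True)
    attrs = sorted(_weak_curve_attrs(ast.parse(source), min_key_size),
                   key=lambda a: (a.end_lineno, a.end_col_offset), reverse=True)
    for a in attrs:
        row = a.end_lineno - 1
        start = a.end_col_offset - len(a.attr)  # the identifier after the dot
        lines[row] = lines[row][:start] + replacement + lines[row][a.end_col_offset:]
    return "".join(lines)


# Constructed sample input (not a real project file).
SAMPLE = '''\
import os
from cryptography.hazmat.primitives.asymmetric import ec

good = ec.generate_private_key(curve=ec.SECP256R1())
weak1 = ec.generate_private_key(curve=ec.SECP192R1)
weak2 = ec.generate_private_key(ec.SECT163K1(), None)
weak3 = ec.generate_private_key(ec.SECT163R2)
dynamic = ec.generate_private_key(curve=os.getenv("EC_CURVE"))
'''

if __name__ == "__main__":
    for line, curve, size, bits in find_weak_ec_keys(SAMPLE):
        print(f"line {line}: ec.{curve} is {size}-bit (~{bits} bits of security), below {MIN_KEY_SIZE}")
    print(fix_weak_ec_keys(SAMPLE))
```

Running it on the constructed sample reports lines 5 to 7 (SECP192R1 and the two 163-bit binary curves, all around 80 bits of security) and leaves the dynamic `os.getenv` call alone for the same reason the rule does; the rewritten source then produces no findings. Lowering `min_key_size` to 192 shows why the rule's 224-bit threshold matters: SECP192R1 would pass even though it no longer meets NIST's 112-bit minimum.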
Short Link: https://sg.run/GeQq