python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size

Author: semgrep
Download count: 6,591

Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.


Definition

rules:
  - id: insufficient-rsa-key-size
    patterns:
      - pattern-either:
          - pattern: Crypto.PublicKey.RSA.generate(..., bits=$SIZE, ...)
          - pattern: Crypto.PublicKey.RSA.generate($SIZE, ...)
          - pattern: Cryptodome.PublicKey.RSA.generate(..., bits=$SIZE, ...)
          - pattern: Cryptodome.PublicKey.RSA.generate($SIZE, ...)
      - metavariable-comparison:
          metavariable: $SIZE
          comparison: $SIZE < 2048
    message: Detected an insufficient key size for RSA. NIST recommends a key size
      of 2048 or higher.
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
      references:
        - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
      category: security
      technology:
        - pycryptodome
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - python
    severity: WARNING
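To make the matching behaviour concrete, here is an added stand-alone checker that mirrors the rule's logic with Python's `ast` module; it is not part of the Semgrep rule, Bandit or PyCryptodome. It resolves import aliases (the fixture imports `RSA as pycrypto_rsa`), treats the first positional argument and the `bits=` keyword the same way the two patterns do, and, like `metavariable-comparison`, can only decide when `$SIZE` is an integer literal. A call such as `generate(os.getenv("KEY_SIZE"))` therefore comes back as `undetermined` rather than `weak`, which is exactly why the rule is silent on it. The `SAMPLE` source and the `Finding` type are constructed for this example.

```python
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional

# NIST SP 800-57 Part 1: 2048-bit RSA is the floor (112-bit security strength).
NIST_MIN_RSA_BITS = 2048

# Fully qualified generate() functions the Semgrep rule covers.
RSA_GENERATE = {
    "Crypto.PublicKey.RSA.generate",
    "Cryptodome.PublicKey.RSA.generate",
}


@dataclass
class Finding:
    lineno: int
    bits: Optional[int]  # None when the size is not an integer literal
    status: str          # "weak", "ok" or "undetermined"


class RSAGenerateVisitor(ast.NodeVisitor):
    """Resolves import aliases and inspects every RSA.generate() call."""

    def __init__(self) -> None:
        self.aliases: Dict[str, str] = {}  # local name -> fully qualified name
        self.findings: List[Finding] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        module = node.module or ""
        for alias in node.names:
            self.aliases[alias.asname or alias.name] = f"{module}.{alias.name}"

    def _qualname(self, node: ast.AST) -> Optional[str]:
        # Rebuild a dotted name, e.g. pycrypto_rsa.generate -> Crypto.PublicKey.RSA.generate
        if isinstance(node, ast.Name):
            return self.aliases.get(node.id, node.id)
        if isinstance(node, ast.Attribute):
            base = self._qualname(node.value)
            return f"{base}.{node.attr}" if base else None
        return None

    def visit_Call(self, node: ast.Call) -> None:
        if self._qualname(node.func) in RSA_GENERATE:
            # The rule matches generate($SIZE, ...) and generate(..., bits=$SIZE, ...).
            size_node: Optional[ast.AST] = node.args[0] if node.args else None
            for kw in node.keywords:
                if kw.arg == "bits":
                    size_node = kw.value
            if (isinstance(size_node, ast.Constant)
                    and isinstance(size_node.value, int)
                    and not isinstance(size_node.value, bool)):
                status = "weak" if size_node.value < NIST_MIN_RSA_BITS else "ok"
                self.findings.append(Finding(node.lineno, size_node.value, status))
            else:
                # metavariable-comparison cannot evaluate a non-literal, so the rule
                # stays silent here; such sizes must be validated at run time instead.
                self.findings.append(Finding(node.lineno, None, "undetermined"))
        self.generic_visit(node)


def check_source(source: str) -> List[Finding]:
    visitor = RSAGenerateVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def weak_lines(source: str) -> List[int]:
    """Line numbers the rule would report (the `# ruleid:` cases)."""
    return [f.lineno for f in check_source(source) if f.status == "weak"]


# Constructed sample mirroring the shapes used in the fixture on this page.
SAMPLE = """\
import os
from Crypto.PublicKey import RSA as pycrypto_rsa
from Cryptodome.PublicKey import RSA

pycrypto_rsa.generate(bits=2048)
RSA.generate(4096)
pycrypto_rsa.generate(bits=1024)
RSA.generate(512)
RSA.generate(os.getenv("KEY_SIZE"))
"""

if __name__ == "__main__":
    for finding in check_source(SAMPLE):
        print(f"line {finding.lineno}: bits={finding.bits} -> {finding.status}")
```

Running the module reports lines 7 and 8 of `SAMPLE` as weak, lines 5 and 6 as ok, and line 9 as undetermined. The `undetermined` bucket is the gap to keep in mind when reading a clean Semgrep run: a key size pulled from configuration is never examined by this rule.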

Examples

insufficient-rsa-key-size.py

# cf. https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/examples/weak_cryptographic_key_sizes.py

import os
from Crypto.PublicKey import RSA as pycrypto_rsa
from Cryptodome.PublicKey import RSA as pycryptodomex_rsa

# ok:insufficient-rsa-key-size
pycrypto_rsa.generate(bits=2048)
# ok:insufficient-rsa-key-size
pycryptodomex_rsa.generate(bits=2048)

# ok:insufficient-rsa-key-size
pycrypto_rsa.generate(4096)
# ok:insufficient-rsa-key-size
pycryptodomex_rsa.generate(4096)

# ruleid:insufficient-rsa-key-size
pycrypto_rsa.generate(bits=1024)
# ruleid:insufficient-rsa-key-size
pycryptodomex_rsa.generate(bits=1024)

# ruleid:insufficient-rsa-key-size
pycrypto_rsa.generate(512)
# ruleid:insufficient-rsa-key-size
pycryptodomex_rsa.generate(512)

# Not reported: $SIZE is bound to a call, not an integer literal, so the
# metavariable-comparison cannot be evaluated and the rule stays silent.
# Sizes that are only known at run time need a check in code, not in the linter.
pycrypto_rsa.generate(os.getenv("KEY_SIZE"))
pycryptodomex_rsa.generate(os.getenv("KEY_SIZE"))
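The last two fixture lines are the case the rule cannot see, so the floor has to be enforced in code before `generate()` is called. The following is an added example of that hardened form; it is not part of the Semgrep rule, Bandit or PyCryptodome. `RSA.generate(bits)` and `key.n` are the real PyCryptodome API; the allow-list, the `3072` default (128-bit security per NIST SP 800-57 Part 1) and the helper names are this example's own choices. The import falls back across the `Cryptodome` and `Crypto` package layouts, and the validation functions run without the library installed.

```python
import os
from typing import Optional, Tuple

try:
    from Cryptodome.PublicKey import RSA  # pycryptodomex layout
except ImportError:
    try:
        from Crypto.PublicKey import RSA  # pycryptodome layout
    except ImportError:
        RSA = None  # validation below still works without the library

# Allow-list rather than a bare ">= 2048": it also rejects odd sizes such as 2100,
# and 3072 is the default because it gives 128-bit security (NIST SP 800-57 Part 1).
ALLOWED_RSA_BITS: Tuple[int, ...] = (2048, 3072, 4096)
DEFAULT_RSA_BITS = 3072


def validated_rsa_bits(raw: Optional[str], default: int = DEFAULT_RSA_BITS) -> int:
    """Parse a key size from configuration and enforce the allow-list before generate()."""
    if raw is None or raw.strip() == "":
        return default
    try:
        bits = int(raw.strip(), 10)
    except ValueError as exc:
        raise ValueError(f"RSA key size must be an integer, got {raw!r}") from exc
    if bits not in ALLOWED_RSA_BITS:
        raise ValueError(
            f"RSA key size {bits} is not allowed; use one of {ALLOWED_RSA_BITS} "
            f"(NIST minimum is 2048)"
        )
    return bits


def size_is_rejected(raw: Optional[str]) -> bool:
    """True when the configured size would be refused (useful for dry runs and tests)."""
    try:
        validated_rsa_bits(raw)
    except ValueError:
        return True
    return False


def generate_rsa_key_from_env(var: str = "KEY_SIZE"):
    """Hardened replacement for RSA.generate(os.getenv("KEY_SIZE"))."""
    bits = validated_rsa_bits(os.getenv(var))
    if RSA is None:
        raise RuntimeError("pycryptodome or pycryptodomex is required to generate a key")
    key = RSA.generate(bits)
    # Confirm the modulus really has the requested length before handing the key out.
    if key.n.bit_length() != bits:
        raise RuntimeError("generated RSA modulus has an unexpected length")
    return key


if __name__ == "__main__":
    # Constructed inputs: an unset variable, two good sizes, two weak ones, a bogus value.
    for value in (None, "2048", "4096", "1024", "2100", "big"):
        print(f"{value!r}: {'rejected' if size_is_rejected(value) else 'accepted'}")
```

With `KEY_SIZE=1024` in the environment the call fails fast with a clear `ValueError` instead of silently producing a key the rule would have flagged had the size been a literal.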