python.pycryptodome.security.insufficient-rsa-key-size.insufficient-rsa-key-size
Author: semgrep
Download Count: 6,591
Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.
Definition
rules:
  - id: insufficient-rsa-key-size
    patterns:
      - pattern-either:
          - pattern: Crypto.PublicKey.RSA.generate(..., bits=$SIZE, ...)
          - pattern: Crypto.PublicKey.RSA.generate($SIZE, ...)
          - pattern: Cryptodome.PublicKey.RSA.generate(..., bits=$SIZE, ...)
          - pattern: Cryptodome.PublicKey.RSA.generate($SIZE, ...)
      - metavariable-comparison:
          metavariable: $SIZE
          comparison: $SIZE < 2048
    message: Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
      references:
        - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
      category: security
      technology:
        - pycryptodome
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - python
    severity: WARNING
Examples
insufficient-rsa-key-size.py
# cf. https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/examples/weak_cryptographic_key_sizes.py
import os
from Crypto.PublicKey import RSA as pycrypto_rsa
from Cryptodome.PublicKey import RSA as pycryptodomex_rsa
# ok:insufficient-rsa-key-size
pycrypto_rsa.generate(bits=2048)
# ok:insufficient-rsa-key-size
pycryptodomex_rsa.generate(bits=2048)
# ok:insufficient-rsa-key-size
pycrypto_rsa.generate(4096)
# ok:insufficient-rsa-key-size
pycryptodomex_rsa.generate(4096)
# ruleid:insufficient-rsa-key-size
pycrypto_rsa.generate(bits=1024)
# ruleid:insufficient-rsa-key-size
pycryptodomex_rsa.generate(bits=1024)
# ruleid:insufficient-rsa-key-size
pycrypto_rsa.generate(512)
# ruleid:insufficient-rsa-key-size
pycryptodomex_rsa.generate(512)
# The key size is not a literal here, so the metavariable comparison cannot
# evaluate it and the rule does not fire; RSA.generate expects an int.
pycrypto_rsa.generate(int(os.getenv("KEY_SIZE")))
pycryptodomex_rsa.generate(int(os.getenv("KEY_SIZE")))
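To show what the rule's two pattern shapes and its `$SIZE < 2048` comparison amount to, here is a small standalone checker built on Python's `ast` module. It is an added example, not part of the Semgrep rule or its test file; it assumes RSA is bound through `from Crypto.PublicKey import RSA` or `from Cryptodome.PublicKey import RSA` (with or without an alias), as in the test file above, and the sample source it scans is constructed for illustration.

```python
import ast

MIN_RSA_BITS = 2048  # threshold used by the rule's metavariable-comparison

# Constructed sample source mirroring the cases in the rule's test file.
SAMPLE_SOURCE = """\
import os
from Crypto.PublicKey import RSA as pycrypto_rsa
from Cryptodome.PublicKey import RSA as pycryptodomex_rsa
pycrypto_rsa.generate(bits=2048)
pycryptodomex_rsa.generate(4096)
pycrypto_rsa.generate(bits=1024)
pycryptodomex_rsa.generate(512)
pycrypto_rsa.generate(int(os.getenv("KEY_SIZE", "2048")))
"""

def _rsa_aliases(tree):
    """Local names bound to RSA from Crypto.PublicKey or Cryptodome.PublicKey."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module in (
                "Crypto.PublicKey", "Cryptodome.PublicKey"):
            names.update(a.asname or a.name for a in node.names if a.name == "RSA")
    return names

def find_weak_rsa_keys(source):
    """Return (lineno, bits) for each RSA.generate call with a literal size below the minimum."""
    tree = ast.parse(source)
    aliases = _rsa_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Match <alias>.generate(...), covering both pattern shapes of the rule
        if not (isinstance(func, ast.Attribute) and func.attr == "generate"
                and isinstance(func.value, ast.Name) and func.value.id in aliases):
            continue
        # The size is the first positional argument or the bits= keyword
        size = node.args[0] if node.args else None
        for kw in node.keywords:
            if kw.arg == "bits":
                size = kw.value
        # Only an integer literal can be compared; a dynamic value such as
        # os.getenv(...) yields no finding, just as the rule stays silent on it
        if (isinstance(size, ast.Constant) and isinstance(size.value, int)
                and size.value < MIN_RSA_BITS):
            findings.append((node.lineno, size.value))
    return findings
```

Calling `find_weak_rsa_keys(SAMPLE_SOURCE)` reports the 1024-bit and 512-bit calls and nothing else, which is the same set of lines the rule marks `ruleid` in the test file.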
Short Link: https://sg.run/PprY