Skip to content

fix: Use of a weak cryptographic key #57478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
odaysec wants to merge 1 commit into from
Closed

fix: Use of a weak cryptographic key #57478

odaysec wants to merge 1 commit into from

Conversation

@odaysec
Copy link

@odaysec odaysec commented Mar 15, 2025

node/benchmark/crypto/keygen.js

Lines 45 to 48 in 72aa2ea

generateKeyPairSync('dsa', {
modulusLength: 1024,
divisorLength: 160,
});

Modern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.

References

RSA
AES
NodeJS
Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Key size
CWE-326

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Mar 15, 2025

Review requested:

  • @nodejs/performance

@nodejs-github-bot nodejs-github-bot added benchmark Issues and PRs related to the benchmark subsystem. crypto Issues and PRs related to the crypto subsystem. labels Mar 15, 2025
@aduh95
Copy link
Contributor

aduh95 commented Mar 15, 2025

Does it matter for a benchmark though?

mcollina
mcollina reviewed Mar 15, 2025
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this matter at all.

However an argument can be made that it represents a more real benchmark.

@tniessen
Copy link
Member

tniessen commented Mar 18, 2025

It does not matter, except that OpenSSL might at some point reject these parameters.

On a side note, neither DSA nor RSA are particularly future-proof algorithms, and at the same time, both have slow key generation, so benchmarking only these two seems like an odd choice.

@odaysec odaysec closed this by deleting the head repository Sep 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina left review comments

Assignees

No one assigned

Labels

benchmark Issues and PRs related to the benchmark subsystem. crypto Issues and PRs related to the crypto subsystem.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@odaysec @nodejs-github-bot @aduh95 @tniessen @mcollina