
B505.md

Pattern: Use of weak cryptographic key

Issue: -

Description

As computational power increases, so does the ability to break ciphers with smaller key lengths. The recommended key length for RSA and DSA is 2048 bits or higher; keys of 1024 bits and below are now considered breakable. For EC keys, the recommended length is 224 bits or higher, with 160 bits and below considered breakable. This rule flags the use of any key shorter than those limits.

Example of insecure code:

from cryptography.hazmat import backends
from cryptography.hazmat.primitives.asymmetric import dsa

dsa.generate_private_key(key_size=1024, backend=backends.default_backend())

Example of secure code:

from cryptography.hazmat import backends
from cryptography.hazmat.primitives.asymmetric import dsa

dsa.generate_private_key(key_size=2048, backend=backends.default_backend())
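
A sketch of how such a check can be run over source code, added here as an illustration and not the rule's actual implementation. It assumes the modules are referenced as `rsa`, `dsa` and `ec`, that the key size is a literal, and that an EC curve's size can be read from its class name; `find_weak_keys` and `SAMPLE` are hypothetical names.

```python
import ast
import re

# Limits in bits, taken from the rule description above.
MIN_BITS = {"rsa": 2048, "dsa": 2048, "ec": 224}
BREAKABLE_BITS = {"rsa": 1024, "dsa": 1024, "ec": 160}

# Constructed sample source; it is only parsed, never executed.
SAMPLE = """\
dsa.generate_private_key(key_size=1024)
rsa.generate_private_key(65537, 2048)
rsa.generate_private_key(public_exponent=65537, key_size=1536)
ec.generate_private_key(ec.SECP192R1())
ec.generate_private_key(ec.SECP256R1())
"""

def _bits(call, algo):
    """Return the key size a generate_private_key() call requests, or None."""
    kw = {k.arg: k.value for k in call.keywords}
    if algo == "ec":
        # Curves are named by size: ec.SECP192R1() or ec.SECP192R1 -> 192.
        curve = call.args[0] if call.args else kw.get("curve")
        target = curve.func if isinstance(curve, ast.Call) else curve
        name = getattr(target, "attr", getattr(target, "id", ""))
        m = re.search(r"\d+", name)
        return int(m.group()) if m else None
    # Positional form: rsa(public_exponent, key_size), dsa(key_size).
    pos = 1 if algo == "rsa" else 0
    node = kw.get("key_size", call.args[pos] if len(call.args) > pos else None)
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    return None  # size is not a literal, so it cannot be judged statically

def find_weak_keys(source):
    """Return sorted (line, algo, bits, verdict) tuples for undersized keys."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        f = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(f, ast.Attribute)
                and f.attr == "generate_private_key"
                and isinstance(f.value, ast.Name) and f.value.id in MIN_BITS):
            continue
        algo = f.value.id
        bits = _bits(node, algo)
        if bits is not None and bits < MIN_BITS[algo]:
            verdict = "breakable" if bits <= BREAKABLE_BITS[algo] else "below recommended"
            findings.append((node.lineno, algo, bits, verdict))
    return sorted(findings)
```

Calls whose size comes from a variable or configuration value are skipped, so keys loaded or sized at runtime still need a separate check.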

Further Reading