Use of a cryptographic algorithm with insufficient key size¶
ID: cpp/insufficient-key-sizeKind: path-problemSecurity severity: 7.5Severity: errorPrecision: highTags: - security - external/cwe/cwe-326Query suites: - cpp-code-scanning.qls - cpp-security-extended.qls - cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
Using cryptographic algorithms with a small key size can leave data vulnerable to being decrypted.
Many cryptographic algorithms provided by cryptography libraries can be configured with key sizes that are vulnerable to brute force attacks. Using such a key size means that an attacker may be able to easily decrypt the encrypted data.
Recommendation¶
Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.
Example¶
The following code shows an example of using theopenssl library to generate an RSA key. When creating a key, you must specify which key size to use. The first example uses 1024 bits, which is not considered sufficient. The second example uses 2048 bits, which is currently considered sufficient.
voidencrypt_with_openssl(EVP_PKEY_CTX*ctx){// BAD: only 1024 bits for an RSA keyEVP_PKEY_CTX_set_rsa_keygen_bits(ctx,1024);// GOOD: 2048 bits for an RSA keyEVP_PKEY_CTX_set_rsa_keygen_bits(ctx,2048);}
References¶
NIST, FIPS 140 Annex a: Approved Security Functions.
NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Common Weakness Enumeration:CWE-326.