Use of a weak cryptographic key¶
ID: go/weak-crypto-key
Kind: path-problem
Security severity: 7.5
Severity: error
Precision: high
Tags: security, external/cwe/cwe-326
Query suites: go-code-scanning.qls, go-security-extended.qls, go-security-and-quality.qls
Incorrect uses of encryption algorithms may result in sensitive data exposure, key leakage, broken authentication, insecure sessions, and spoofing attacks.
Recommendation¶
Ensure that you use a strong key with a recommended bit size. For RSA encryption the minimum size is 2048 bits.
Example¶
The following code uses RSA encryption with an insufficient key size (1024 bits), which this query flags.

package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

func main() {
	// Generate a private key: 1024 bits is below the recommended 2048-bit minimum
	pvk, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(pvk)
}
In the example below, the key size is set to 2048 bits, which satisfies the recommendation.

package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

func main() {
	// Generate a private key with the recommended minimum size of 2048 bits
	pvk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(pvk)
}
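Fixing the literal passed to rsa.GenerateKey addresses the call site the query flags, but keys also arrive from disk, configuration or other teams. The following Go program, added here as an example and not part of the CodeQL documentation or the CodeQL project, wraps key generation so that a weak size is rejected before any key material is produced, and adds an audit helper that reads a PEM-encoded RSA key and reports its modulus size. The names MinRSAKeyBits, ErrWeakKey, CheckRSAKeySize, GenerateRSAKey, EncodePrivateKeyPEM and RSAKeyBitsFromPEM are this example's own; only standard-library calls are used.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// MinRSAKeyBits is the smallest RSA modulus this program accepts.
// 2048 bits is the minimum recommended in NIST SP 800-131A.
const MinRSAKeyBits = 2048

// ErrWeakKey is returned for any RSA key below MinRSAKeyBits.
var ErrWeakKey = errors.New("rsa key is weaker than the 2048-bit minimum")

// CheckRSAKeySize reports an error if the modulus of pub is below MinRSAKeyBits.
// Use it on keys that were generated elsewhere (loaded from disk, received from a peer).
func CheckRSAKeySize(pub *rsa.PublicKey) error {
	if pub == nil || pub.N == nil {
		return errors.New("nil rsa public key")
	}
	if bits := pub.N.BitLen(); bits < MinRSAKeyBits {
		return fmt.Errorf("%w: got %d bits", ErrWeakKey, bits)
	}
	return nil
}

// GenerateRSAKey refuses weak sizes before calling rsa.GenerateKey, so a
// caller cannot accidentally pass 1024 as in the flagged example above.
func GenerateRSAKey(bits int) (*rsa.PrivateKey, error) {
	if bits < MinRSAKeyBits {
		return nil, fmt.Errorf("%w: requested %d bits", ErrWeakKey, bits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncodePrivateKeyPEM serialises a key as a PKCS#8 PEM block, the form
// private keys usually take on disk.
func EncodePrivateKeyPEM(key *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// RSAKeyBitsFromPEM parses a PEM-encoded RSA private key (PKCS#8 or PKCS#1)
// or public key (PKIX) and returns its modulus size in bits, so existing
// keys can be audited against MinRSAKeyBits.
func RSAKeyBitsFromPEM(data []byte) (int, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return 0, errors.New("no PEM block found")
	}
	var pub *rsa.PublicKey
	switch block.Type {
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return 0, err
		}
		rk, ok := k.(*rsa.PrivateKey)
		if !ok {
			return 0, errors.New("PKCS#8 key is not RSA")
		}
		pub = &rk.PublicKey
	case "RSA PRIVATE KEY":
		rk, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return 0, err
		}
		pub = &rk.PublicKey
	case "PUBLIC KEY":
		k, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return 0, err
		}
		rpub, ok := k.(*rsa.PublicKey)
		if !ok {
			return 0, errors.New("PKIX key is not RSA")
		}
		pub = rpub
	default:
		return 0, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	return pub.N.BitLen(), nil
}

func main() {
	if _, err := GenerateRSAKey(1024); err != nil {
		fmt.Println("rejected:", err) // refused before any key is generated
	}
	key, err := GenerateRSAKey(MinRSAKeyBits)
	if err != nil {
		fmt.Println(err)
		return
	}
	pemBytes, _ := EncodePrivateKeyPEM(key)
	bits, _ := RSAKeyBitsFromPEM(pemBytes)
	fmt.Println("key on disk has", bits, "bits; size check:", CheckRSAKeySize(&key.PublicKey))
}
```

GenerateRSAKey covers the generation path the query flags; RSAKeyBitsFromPEM and CheckRSAKeySize cover keys the program did not create itself, which CodeQL cannot see because the size is only known at runtime. Raising MinRSAKeyBits to 3072 later is a one-line change.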
References¶
Wikipedia: Cryptographically Strong Algorithms.
Wikipedia: Strong Cryptography Examples.
NIST, FIPS 140 Annex A: Approved Security Functions.
NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
Common Weakness Enumeration: CWE-326.