← 返回首页
Use of a cryptographic algorithm with insufficient key size — CodeQL query help documentation CodeQL docs
CodeQL documentation
CodeQL resources

Use of a cryptographic algorithm with insufficient key size

ID: java/insufficient-key-size Kind: path-problem Security severity: 7.5 Severity: warning Precision: high Tags: - security - external/cwe/cwe-326 Query suites: - java-code-scanning.qls - java-security-extended.qls - java-security-and-quality.qls

Click to see the query in the CodeQL repository

Modern encryption relies on the computational infeasibility of breaking a cipher and decoding its message without the key. As computational power increases, the ability to break ciphers grows, and key sizes need to become larger as a result. Cryptographic algorithms that use too small of a key size are vulnerable to brute force attacks, which can reveal sensitive data.

Recommendation

Use a key of the recommended size or larger. The key size should be at least 128 bits for AES encryption, 256 bits for elliptic-curve cryptography (ECC), and 2048 bits for RSA, DSA, or DH encryption.

Example

The following code uses cryptographic algorithms with insufficient key sizes.

KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA"); keyPairGen1.initialize(1024); // BAD: Key size is less than 2048 KeyPairGenerator keyPairGen2 = KeyPairGenerator.getInstance("DSA"); keyPairGen2.initialize(1024); // BAD: Key size is less than 2048 KeyPairGenerator keyPairGen3 = KeyPairGenerator.getInstance("DH"); keyPairGen3.initialize(1024); // BAD: Key size is less than 2048 KeyPairGenerator keyPairGen4 = KeyPairGenerator.getInstance("EC"); ECGenParameterSpec ecSpec = new ECGenParameterSpec("secp112r1"); // BAD: Key size is less than 256 keyPairGen4.initialize(ecSpec); KeyGenerator keyGen = KeyGenerator.getInstance("AES"); keyGen.init(64); // BAD: Key size is less than 128

To fix the code, change the key sizes to be the recommended size or larger for each algorithm.

References