Sensei Logo Sensei Hub

Recipe - Data Protection - Cryptography: Avoid brute forcing: Use sufficiently long key sizes: keyGenerator

Description:
Could lead to brute forcing or other cryptographic weakness
Level:
error
Language:
  • java
Tags:
  • security
  • basic protection set
Documentation

Secure coding practices prescribe to use sufficiently large cryptographic keys.

It is not recommended to use short keys as this is less secure. The recommended key size depends on the algorithm. In general, it is advised to use the maximum size the API allows by default.

Correct code example secret key size
keyGenerator.init(128);
Correct code example keypair size
keypairGenerator.initialize(2048);
Recipe
id: scw:crypto:keygen-missing-init
version: 10
metadata:
  name: 'Data Protection - Cryptography: Avoid brute forcing: Use sufficiently long key sizes: keyGenerator'
  shortDescription: Could lead to brute forcing or other cryptographic weakness
  level: error
  language: java
  newCodeOnly: false
  scwCategory: broken_cryptography:improper_use_of_cryptography_algorithm
  enabled: true
  descriptionFile: Java/Crypto/descriptions/Key_sizes.html
  tags: security;basic protection set
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          stringified: AES
    not:
      followedBy:
        methodcall:
          name: init
    name: getInstance
    declaration:
      type: javax.crypto.KeyGenerator
availableFixes:
- name: Initialize key size to 128
  actions:
  - addMethodCall:
      name: init
      arguments:
      - "128"
      position: first-available-spot