Rule Definition
The security level of an encryption scheme is directly tied to the size of its key.
Key sizes should be long enough that brute-force attacks become infeasible, but short enough that the computational cost of using the key stays practical.
Remediation
The current cryptography guidelines suggest that:
For asymmetric encryption (RSA), the recommended key size is at least 2048 bits.
For symmetric algorithms (AES), the recommended key size is at least 256 bits.
Violation Code Sample
Sample with AES
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;
KeyGenerator keygen = KeyGenerator.getInstance("AES"); // key generator for the AES algorithm
keygen.init(128); // Key size is specified here: 128 bits is below the 256-bit minimum.
byte[] key = keygen.generateKey().getEncoded();
SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
___________________________________________________________
Sample for RSA
import java.security.KeyPair;
import java.security.KeyPairGenerator;
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(1024); // Key size is specified here: 1024 bits is below the 2048-bit minimum.
KeyPair pair = keyGen.generateKeyPair();
___________________________________________________________
Sample for PBKDF2
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Password: should be as long as possible and contain as many special characters as possible.
String user_entered_password = args[0]; // args from main(String[] args)
// Salt value: should be at least 64 bits; 128 bytes are allocated here.
byte[] salt = new byte[128];
SecureRandom secRandom = new SecureRandom(); // self-seeded randomizer for the salt
secRandom.nextBytes(salt);
// Iteration count
int iterCount = 12288;
int derivedKeyLength = 128; // In bits. Should be longer than 112 bits; depends on the key size of the algorithm that will use the derived key.
// PBEKeySpec takes the derived key length in bits, so no byte-to-bit conversion is applied.
KeySpec spec = new PBEKeySpec(user_entered_password.toCharArray(), salt, iterCount, derivedKeyLength);
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] derivedKey = f.generateSecret(spec).getEncoded(); // 128-bit key: below the 256-bit minimum for AES
Fixed Code Sample
Remediation for AES
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;
KeyGenerator keygen = KeyGenerator.getInstance("AES"); // key generator for the AES algorithm
keygen.init(256); // Key size is specified here: 256 bits meets the recommended minimum.
byte[] key = keygen.generateKey().getEncoded();
SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
_______________________________________________________________
Remediation for RSA
import java.security.KeyPair;
import java.security.KeyPairGenerator;
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(4096); // Key size is specified here: 4096 bits exceeds the 2048-bit minimum.
KeyPair pair = keyGen.generateKeyPair();
_______________________________________________________________
Remediation for PBKDF2
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Password: should be as long as possible and contain as many special characters as possible.
String user_entered_password = args[0]; // args from main(String[] args)
// Salt value: should be at least 64 bits; 128 bytes are allocated here.
byte[] salt = new byte[128];
SecureRandom secRandom = new SecureRandom(); // self-seeded randomizer for the salt
secRandom.nextBytes(salt);
// Iteration count
int iterCount = 12288;
int derivedKeyLength = 256; // In bits. Should be longer than 112 bits; depends on the key size of the algorithm that will use the derived key.
// PBEKeySpec takes the derived key length in bits, so no byte-to-bit conversion is applied.
KeySpec spec = new PBEKeySpec(user_entered_password.toCharArray(), salt, iterCount, derivedKeyLength);
SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
byte[] derivedKey = f.generateSecret(spec).getEncoded(); // 256-bit key: meets the minimum for AES
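As an added example (not code from this CAST rule page), the following Java class applies the rule's thresholds to keys at runtime: RSA strength is read from the modulus bit length rather than from the encoded key size, and AES strength from the raw key bytes. The class name KeyStrengthCheck and the constants MIN_RSA_BITS and MIN_AES_BITS are names chosen for this example.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAKey;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class KeyStrengthCheck { // added example, not CAST's code
    static final int MIN_RSA_BITS = 2048; // asymmetric minimum (RSA) stated by the rule
    static final int MIN_AES_BITS = 256;  // symmetric minimum (AES) stated by the rule

    // Effective key length in bits, or -1 when the key type is not covered by the rule.
    static int keyBits(Key key) {
        if (key instanceof RSAKey) {
            // RSA strength is the modulus size; getEncoded().length would include ASN.1 overhead.
            return ((RSAKey) key).getModulus().bitLength();
        }
        if ("AES".equals(key.getAlgorithm()) && key.getEncoded() != null) {
            return key.getEncoded().length * 8; // raw AES key bytes
        }
        return -1;
    }

    static boolean meetsRule(Key key) {
        int bits = keyBits(key);
        if (key instanceof RSAKey) return bits >= MIN_RSA_BITS;
        if ("AES".equals(key.getAlgorithm())) return bits >= MIN_AES_BITS;
        return false; // not covered by the rule: report rather than silently accept
    }

    static void report(String label, Key key) {
        System.out.printf("%-8s %4d bits -> %s%n", label, keyBits(key), meetsRule(key) ? "OK" : "VIOLATION");
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(128);                              // the violation sample above
        SecretKey weakAes = aes.generateKey();
        aes.init(256);                              // the remediation sample above
        SecretKey okAes = aes.generateKey();
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(1024);                       // the violation sample above
        KeyPair weakRsa = rsa.generateKeyPair();
        rsa.initialize(2048);                       // smallest size the rule accepts
        KeyPair okRsa = rsa.generateKeyPair();
        report("AES-128", weakAes);                 // VIOLATION
        report("AES-256", okAes);                   // OK
        report("RSA-1024", weakRsa.getPublic());    // VIOLATION
        report("RSA-2048", okRsa.getPublic());      // OK
    }
}
```

The same check can be applied to keys loaded from a keystore or received from a provider, so that the rule is enforced on deployed keys and not only on the code that generates them.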
Reference
https://www.owasp.org/index.php/Mobile_Top_10_2016-M5-Insufficient_Cryptography
https://cwe.mitre.org/data/definitions/327.html
Related Technologies
Technical Criterion
CWE-326 - Inadequate Encryption Strength
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.