Cryptographic key generation must use strong key sizes
ID: kotlin-security/ensure-strong-keysizes
Language: Kotlin
Severity: Error
Category: Security
CWE: 326
Description
This rule enforces the use of strong key sizes in cryptographic key generation. Key size is a critical factor in the security of a cryptographic system. The larger the key size, the harder it is for an attacker to break the encryption. Using weak key sizes can expose sensitive data to attackers and lead to a compromise of the system.
To adhere to this rule, always use recommended key sizes for the cryptographic algorithm in use. For RSA, use a minimum key size of 2048 bits. For AES, use a minimum key size of 128 bits. For elliptic curve cryptography (EC), use a NIST approved curve such as ‘secp256r1’. Avoid using deprecated or weak key sizes because they provide less security.
Non-Compliant Code Examples
// Weak RSA key size
val keyGen = KeyPairGenerator.getInstance("RSA")
keyGen.initialize(1024) // Noncompliant: too weak
// Weak AES key size
val aesGen = KeyGenerator.getInstance("AES")
aesGen.initialize(64) // Noncompliant: too weak
// Weak EC curve
val ecGen = KeyPairGenerator.getInstance("EC")
val params = ECGenParameterSpec("secp112r1") // Noncompliant: too weak
ecGen.initialize(params)
Compliant Code Examples
// Strong RSA key size
val keyGen = KeyPairGenerator.getInstance("RSA")
keyGen.initialize(2048) // Minimum recommended
// or keyGen.initialize(3072) // Preferred
// Strong AES key size
val aesGen = KeyGenerator.getInstance("AES")
aesGen.initialize(128) // Minimum recommended
// or aesGen.initialize(256) // Preferred
// Strong EC curve
val ecGen = KeyPairGenerator.getInstance("EC")
val params = ECGenParameterSpec("secp256r1") // NIST approved
ecGen.initialize(params)
