RSA keys must be at least 2048 bits long
JAVA-S1014
a05, a02, cwe-326, security, owasp-top-10
This code creates an RSA key pair with an insecure key size. A short modulus reduces the security of the generated keys and makes the resulting encryption or signatures far easier for an attacker to break.
Bad Practice
Using a key size of less than 2048 bits (1024 bits is tolerated only for legacy applications) is insecure. As per the latest NIST advisory on appropriate key lengths:

| Use | Key length | Status |
|---|---|---|
| Digital Signature Verification | RSA: 1024 <= len(n) < 2048 | Legacy-use |
| Digital Signature Verification | RSA: len(n) >= 2048 | Acceptable |
```java
import java.security.KeyPairGenerator;

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(512); // Insecure: a 512-bit RSA modulus is well within reach of factoring.
```
Recommended
Always use a key size of at least 2048 bits to ensure proper security of your application.
```java
import java.security.KeyPairGenerator;

KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(2048); // Meets the NIST minimum for acceptable RSA key lengths.
```
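The following is an added example (not code from the original rule page) showing how to enforce the minimum at generation time and how to classify an existing RSA key against the NIST table above by reading its modulus length; the class name `RsaKeySizeCheck` and the helper names `generateRsa` and `classify` are assumptions.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAKey;

public class RsaKeySizeCheck {
    // Minimum modulus length NIST rates as "Acceptable" (bits).
    static final int ACCEPTABLE_MIN_BITS = 2048;
    // Below this, NIST does not permit even legacy use (bits).
    static final int LEGACY_MIN_BITS = 1024;

    /** Classify an RSA key by its modulus length, following the NIST table. */
    static String classify(RSAKey key) {
        int bits = key.getModulus().bitLength();
        if (bits >= ACCEPTABLE_MIN_BITS) return "Acceptable";
        if (bits >= LEGACY_MIN_BITS) return "Legacy-use";
        return "Disallowed";
    }

    /** Generate an RSA key pair, refusing any requested size below 2048 bits. */
    static KeyPair generateRsa(int bits) throws NoSuchAlgorithmException {
        if (bits < ACCEPTABLE_MIN_BITS) {
            throw new IllegalArgumentException(
                "RSA key size " + bits + " is below the 2048-bit minimum");
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        KeyPair kp = generateRsa(2048);
        RSAKey pub = (RSAKey) kp.getPublic();
        System.out.println(pub.getModulus().bitLength() + " bits: " + classify(pub));
        try {
            generateRsa(512); // Rejected before any key material is produced.
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The `classify` check is also useful at load time, for example when a key is read from a keystore or PEM file rather than generated locally.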
References
- FindSecBugs - RSA_KEY_SIZE
- NIST - Latest publication on key management
- [NIST - Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf)
- CWE-326 - Inadequate Encryption Strength
- OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
- OWASP Top Ten (2021) - Category A02 - Cryptographic Failures