Inadequate encryption strength
- Rule ID: go_gosec_crypto_weak_key_strength
- Languages: go
- Source: weak_key_strength.yml
Description
The application generates an RSA key with a bit length shorter than the currently recommended minimum of 2048 bits. Keys shorter than 2048 bits are considered insecure: advances in computational power could allow the modulus to be factored, which breaks the encryption.
Remediation
To ensure the security of RSA keys, follow these guidelines:
✅ Use Sufficient Key Length
Generate RSA keys with a minimum length of 2048 bits to align with NIST recommendations and safeguard against future advancements in computing power that could compromise keys of shorter lengths.
// Example of generating a secure RSA key with 2048 bits
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"log"
)

func generateSecureKey() {
	// Use at least 2048 bits for secure RSA keys
	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatalf("Error generating RSA key: %v", err)
	}
	// privateKey can now be used for secure cryptographic operations
	_ = privateKey
}
❌ Avoid Short Keys
Do not use RSA keys shorter than 2048 bits, as they do not offer sufficient protection against attacks that factor the modulus.
❌ Don't Ignore Industry Standards
Always follow industry standards and guidelines for cryptographic practices to maintain the integrity and confidentiality of data.
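The scanner only catches a short length written as a literal in a call to rsa.GenerateKey. The following added example (not part of the Bearer rule or its documentation) enforces the same threshold at runtime and also audits keys that already exist on disk; MinRSABits, GenerateRSAKey and RSAKeyBits are names chosen here, not an existing API.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// MinRSABits is the smallest modulus size accepted, matching the NIST minimum.
const MinRSABits = 2048

// GenerateRSAKey wraps rsa.GenerateKey and refuses any size below MinRSABits,
// so a too-small constant fails loudly instead of silently producing a weak key.
func GenerateRSAKey(bits int) (*rsa.PrivateKey, error) {
	if bits < MinRSABits {
		return nil, fmt.Errorf("refusing %d-bit RSA key: minimum is %d bits", bits, MinRSABits)
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

// RSAKeyBits returns the modulus length of a PEM-encoded RSA private key
// (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY"), for auditing existing keys.
func RSAKeyBits(pemData []byte) (int, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return 0, errors.New("no PEM block found")
	}
	var key any
	var err error
	switch block.Type {
	case "RSA PRIVATE KEY":
		key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
	default:
		return 0, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	if err != nil {
		return 0, err
	}
	rsaKey, ok := key.(*rsa.PrivateKey)
	if !ok {
		return 0, errors.New("key is not an RSA key")
	}
	// BitLen of the modulus N is the key size the rule measures.
	return rsaKey.N.BitLen(), nil
}
```

A key from disk is compliant when RSAKeyBits returns at least MinRSABits; anything below that should be rotated.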
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_weak_key_strength
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_weak_key_strength