Usage of inadequate encryption strength

• Rule ID: go_gosec_crypto_weak_key_strength
• Languages: go
• Source: weak_key_strength.yml

Description

Your application uses RSA encryption with a key length shorter than the recommended 2048 bits. Keys under 2048 bits are vulnerable because of the increasing power of modern computers, which could break the encryption by factoring the key.

Remediations

• Do generate RSA keys with a minimum of 2048 bits. This meets NIST recommendations and protects against the risk of keys being compromised by advancements in computing power. Keys shorter than 2048 bits do not provide adequate protection against brute-force attacks.

    privateKey, err := rsa.GenerateKey(rand.Reader, 2048)

• Do adhere to industry standards and guidelines for cryptographic practices to ensure the security of your data.

References

• NIST Special Publication 800-57 Part 1

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_weak_key_strength

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_weak_key_strength