Usage of small key size with Blowfish encryption

Description

Using Blowfish encryption with a small key size (128 bytes or less) leaves the encrypted data susceptible to birthday attacks, because a small key does not provide enough keyspace to protect the data effectively. Specify a larger key size, such as 256, instead.

Remediations

  • Do increase the key size when using Blowfish encryption. Specifically, set the key size to 256 or more using the KeyGenerator.init(keySize) method. This adjustment significantly improves the security of the encryption.
    KeyGenerator keyGenerator = KeyGenerator.getInstance("Blowfish");
    keyGenerator.init(256);
  • Do consider using AES for encryption instead of Blowfish. AES is a more secure and widely recommended encryption standard. You can select AES as your encryption method by initializing the KeyGenerator instance for AES.
    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
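The following added example (not Bearer's code) shows the pattern this rule flags next to both remediations, plus a small runtime guard that rejects keys below a minimum size, so a short key is caught even if a scan is skipped. It assumes the JDK's default SunJCE provider; the class and method names are illustrative.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.NoSuchAlgorithmException;

public class BlowfishKeySizeExample {
    // Minimum key size, in bits, that the remediation above recommends
    static final int MIN_KEY_BITS = 256;

    // Flagged by the rule: Blowfish initialised with a 128-bit key
    static SecretKey weakBlowfishKey() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("Blowfish");
        kg.init(128);
        return kg.generateKey();
    }

    // Remediation 1: keep Blowfish but use a 256-bit key
    static SecretKey blowfishKey256() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("Blowfish");
        kg.init(256);
        return kg.generateKey();
    }

    // Remediation 2: switch to AES with a 256-bit key
    static SecretKey aesKey256() throws NoSuchAlgorithmException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Runtime guard (illustrative): length of the raw key material in bits
    static int keyBits(SecretKey key) {
        return key.getEncoded().length * 8;
    }

    // Rejects any key shorter than minBits before it reaches a Cipher
    static SecretKey requireMinimumKeySize(SecretKey key, int minBits) {
        int bits = keyBits(key);
        if (bits < minBits) {
            throw new IllegalArgumentException(
                key.getAlgorithm() + " key is " + bits + " bits; minimum is " + minBits);
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Blowfish/256 bits: " + keyBits(requireMinimumKeySize(blowfishKey256(), MIN_KEY_BITS)));
        System.out.println("AES/256 bits:      " + keyBits(requireMinimumKeySize(aesKey256(), MIN_KEY_BITS)));
        try {
            requireMinimumKeySize(weakBlowfishKey(), MIN_KEY_BITS);
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage()); // the 128-bit key the rule flags
        }
    }
}
```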

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_blowfish_key_size

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_blowfish_key_size