Blowfish encryption with small key size detected

Description

When using Blowfish encryption with smaller key sizes (128 bytes or less), the resulting ciphertext is vulnerable to birthday attacks. It is recommended to specify a larger value, such as 256, when initializing the KeyGenerator using the KeyGenerator.init(keySize) method.

As an alternative to Blowfish, consider requesting AES from KeyGenerator instead.

Remediations

✅ When using Blowfish, adjust the key size by passing a value like 256 or larger to the KeyGenerator.init(keySize) method.

import javax.crypto.KeyGenerator;

// Use the Blowfish algorithm for key generation
KeyGenerator keyGenerator = KeyGenerator.getInstance("Blowfish");

// Set the key size here; KeyGenerator.init takes the size in bits
keyGenerator.init(256);

✅ Prefer AES over Blowfish when requesting a KeyGenerator instance for encryption.

import javax.crypto.KeyGenerator;

// Request AES instead of Blowfish
KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
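As an added example (not part of the rule's own documentation), the following class puts the pattern this rule flags beside the preferred remediation and goes one step further than the page by using the KeyGenerator-produced AES key with AES/GCM for an encrypt/decrypt round trip. The class name, method names and the sample message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class BlowfishKeySizeExample {
    // The pattern java_lang_blowfish_key_size reports: Blowfish initialised at a small key size.
    static SecretKey flaggedBlowfishKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("Blowfish");
        kg.init(128); // at or below the rule's threshold
        return kg.generateKey();
    }

    // Preferred remediation: request AES from KeyGenerator with a 256-bit key.
    static SecretKey aesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Encrypt with the generated AES key; a fresh 96-bit IV is prepended to the ciphertext.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Decrypt a blob produced by encrypt(); the first 12 bytes are the IV.
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOfRange(blob, 0, 12)));
        return c.doFinal(blob, 12, blob.length - 12);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("flagged Blowfish key: " + flaggedBlowfishKey().getEncoded().length * 8 + " bits");
        SecretKey key = aesKey();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] blob = encrypt(key, msg);
        System.out.println("AES key: " + key.getEncoded().length * 8 + " bits, round-trip ok: "
            + Arrays.equals(decrypt(key, blob), msg));
    }
}
```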

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_blowfish_key_size

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_blowfish_key_size
