Why is this an issue?
Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks.
NIST recommendations will be checked for these
use-cases:
Digital Signature Generation and Verification:
- p ≥ 2048 AND q ≥ 224 for DSA (
p
is key length and q
the modulus length)
- n ≥ 2048 for RSA (
n
is the key length)
Key Agreement:
- p ≥ 2048 AND q ≥ 224 for DH and MQV
- n ≥ 224 for ECDH and ECMQV (Examples:
secp192r1
is a non-compliant curve (n
< 224) but secp224k1
is
compliant (n
>= 224))
Symmetric keys:
This rule will not raise issues for ciphers that are considered weak (no matter the key size) like DES
, Blowfish
.
Noncompliant code example
using System;
using System.Security.Cryptography;
namespace MyLibrary
{
public class MyCryptoClass
{
static void Main()
{
var dsa1 = new DSACryptoServiceProvider(); // Noncompliant - default key size is 1024
dsa1.KeySize = 2048; // Noncompliant - the setter does not update the underlying key size for the DSACryptoServiceProvider class
var dsa2 = new DSACryptoServiceProvider(2048); // Noncompliant - cannot create DSACryptoServiceProvider with a key size bigger than 1024
var rsa1 = new RSACryptoServiceProvider(); // Noncompliant - default key size is 1024
rsa1.KeySize = 2048; // Noncompliant - the setter does not update the underlying key size for the RSACryptoServiceProvider class
var rsa2 = new RSACng(1024); // Noncompliant
// ...
}
}
}
KeySize property of DSACryptoServiceProvider and RSACryptoServiceProvider does not change the value of underlying KeySize for the algorithm.
Property setter is ignored without error and KeySize can be changed only by using constructor overload. See:
Compliant solution
using System;
using System.Security.Cryptography;
namespace MyLibrary
{
public class MyCryptoClass
{
static void Main()
{
var dsa1 = new DSACng(); // Compliant - default key size is 2048
var dsa2 = new DSACng(2048); // Compliant
var rsa1 = new RSACryptoServiceProvider(2048); // Compliant
var rsa2 = new RSACng(); // Compliant - default key size is 2048
// ...
}
}
}
Resources