Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Share encryption key sizes across languages #11192

Draft
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

jcogs33
Copy link
Contributor

@jcogs33 jcogs33 commented Nov 9, 2022

Draft PR for sharing encryption key sizes between Python and Java.

@github-actions
Copy link
Contributor

github-actions bot commented Nov 10, 2022

QHelp previews:

python/ql/src/Security/CWE-326/WeakCryptoKey.qhelp

Use of weak cryptographic key

Modern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.

The three main asymmetric key algorithms currently in use are Rivest–Shamir–Adleman (RSA) cryptography, Digital Signature Algorithm (DSA), and Elliptic-curve cryptography (ECC). With current technology, key sizes of 2048 bits for RSA and DSA, or 256 bits for ECC, are regarded as unbreakable.

Recommendation

Increase the key size to the recommended amount or larger. For RSA or DSA this is at least 2048 bits, for ECC this is at least 256 bits.

References

Copy link
Member

@RasmusWL RasmusWL left a comment

Overall looks good to me, really nice to have this shared!

Thanks for fixing up our .qhelp file as well 👍

/** Returns the minimum recommended key size for asymmetric algorithms (RSA, DSA, and DH). */
int minSecureKeySizeAsymmetricNonEc() { result = 2048 }
Copy link
Member

@RasmusWL RasmusWL Nov 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only part I'm concerned about it whether minimum secure keysize for RSA/DSA/DH will always be the same. Personally, I would favor a predicate for each, but if you're more informed on this area than me, I'm happy to listen to reason 😉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants