Rule Information
Tags
pythoncryptographyrsakey-sizeCWE-326OWASP-A02
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-020 --project .1
2
3
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
About This Rule
Understanding the vulnerability and how it is detected
Detects RSA key generation using `rsa.generate_private_key()` from the `cryptography` library where the `key_size` argument is less than 2048 bits. This rule uses a `.where("key_size", lt(2048))` predicate so it fires only on provably undersized keys and does not flag 2048-bit or larger keys. RSA keys shorter than 2048 bits are vulnerable to integer factorization: a 1024-bit RSA key can be factored with sustained effort and widely available cloud compute. NIST formally deprecated 1024-bit RSA in 2013 (SP 800-131A) and requires 2048-bit minimum through 2030, after which 3072-bit keys will be the minimum for new systems. Use 3072-bit or 4096-bit RSA for new applications, or prefer ECDSA with SECP256R1/SECP384R1 which provides equivalent security with significantly shorter keys.
How to Fix
Recommended remediation steps
- 1Use RSA key_size=3072 or key_size=4096 for any new application.
- 2NIST SP 800-57 equates 2048-bit RSA to only 112-bit security; 3072-bit RSA provides 128-bit security.
- 3Prefer ECDSA (SECP256R1 or SECP384R1) over RSA for new systems — same security level with shorter keys and faster operations.
- 4Audit existing certificates and key material to identify keys below 2048 bits and schedule rotation.
- 5Set a key expiry policy so that any 2048-bit keys currently in use are rotated before NIST's 2030 deprecation deadline.
Compliance & Standards
Industry frameworks and regulations that require detection of this vulnerability
OWASP Top 10
A02:2021 - Cryptographic Failures
PCI DSS v4.0
Requirement 4.2.1 -- use strong cryptography for transmission of cardholder data
NIST SP 800-131A
Minimum 2048-bit RSA/DSA keys; 3072-bit required for security beyond 2030
NIST SP 800-57
Key Management -- minimum key strengths for equivalent security levels
NIST SP 800-53
SC-13: Cryptographic Protection -- use FIPS-approved algorithms and key sizes
References
External resources and documentation
Similar Rules
Explore related security rules for Python
HIGH
Insufficient DSA Key Size (cryptography lib)
DSA key size is less than 2048 bits. NIST SP 800-131A requires 2048-bit minimum.
MEDIUM
EC Key Generation Audit (cryptography lib)
Audit all EC key generation calls — verify the curve is SECP256R1, SECP384R1, or stronger. Weak curves like SECP192R1 must not be used.
HIGH
Insufficient RSA Key Size (PyCryptodome)
RSA key size is less than 3072 bits in PyCryptodome. Use RSA.generate(3072) or higher.
Frequently Asked Questions
Common questions about Insufficient RSA Key Size (cryptography lib)
No. The rule uses `.where("key_size", lt(2048))` which only fires when the key_size argument is strictly less than 2048 bits. A key_size=2048 call does NOT trigger this rule. See PYTHON-CRYPTO-SEC-023 for the stricter PyCryptodome rule that flags below 3072.
Use 3072-bit RSA for any new system. NIST equates 2048-bit RSA to 112-bit symmetric security and states that 112-bit is acceptable only until 2030. For long-lived keys or certificates, use 4096-bit RSA or switch to ECDSA with SECP384R1 (equivalent to 7680-bit RSA).
SEC-020 targets the `cryptography` library and applies the NIST 2013 minimum of 2048 bits as the hard floor. SEC-023 targets PyCryptodome and uses 3072 bits as the threshold, reflecting the NIST recommendation for systems expected to operate beyond 2030. You can configure your organization's acceptable threshold accordingly.
Yes. The RSA-1024 challenge was factored in academic research environments. With modern cloud compute, a dedicated attacker with sufficient budget can factor 1024-bit moduli. The cost continues to decrease as hardware improves. NIST deprecated 1024-bit RSA in 2013 precisely because it no longer provides adequate security margins.
Test code that generates weak keys can be suppressed using inline annotations supported by the engine. However, ensure that test keys cannot be accidentally reused in production. A better practice is to use 2048-bit or higher keys even in tests to prevent key reuse.
Insufficient RSA key sizes are vulnerable to the General Number Field Sieve (GNFS) factorization algorithm. Once an attacker factors the RSA modulus into its prime components, they can reconstruct the private key and decrypt all past ciphertext encrypted under that key (no forward secrecy), forge signatures, and impersonate the key holder.
No. This rule only checks key_size. The public exponent should always be 65537 (0x10001). Using a small exponent like 3 or 17 introduces separate vulnerabilities (Coppersmith attacks) that are covered by other rules in this ruleset.
New feature
Get these findings posted directly on your GitHub pull requests
The Insufficient RSA Key Size (cryptography lib) rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.