Rule Information
Tags
pythoncryptographydsakey-sizeCWE-326OWASP-A02
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-021 --project .1
2
3
4
5
6
7
8
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
About This Rule
Understanding the vulnerability and how it is detected
Detects DSA key generation using `dsa.generate_private_key()` from the `cryptography` library where the `key_size` argument is less than 2048 bits. This rule uses a `.where("key_size", lt(2048))` predicate and fires only on provably undersized keys; it does not flag 2048-bit or larger keys. DSA with small keys is vulnerable to discrete logarithm attacks: with a 1024-bit modulus an attacker can recover the private key and then forge arbitrary signatures on any message. NIST SP 800-131A formally deprecated 1024-bit DSA in 2013 and requires 2048-bit minimum. Note that DSA itself is being phased out in favour of ECDSA — even at 2048 bits, DSA requires careful nonce management (a reused nonce leaks the private key as demonstrated in Sony PlayStation 3 key extraction). For new systems prefer ECDSA with SECP256R1 or EdDSA.
How to Fix
Recommended remediation steps
- 1Use key_size=2048 as the absolute minimum; use key_size=3072 for systems expected to operate beyond 2030.
- 2Consider replacing DSA with ECDSA (SECP256R1) or EdDSA for new applications — smaller keys, faster operations, and no nonce-reuse catastrophe.
- 3If DSA must be used, ensure the per-signature nonce (k) is generated with a cryptographically secure random number generator; a reused nonce leaks the private key.
- 4Audit all DSA key material in your infrastructure and schedule rotation of any keys below 2048 bits.
Compliance & Standards
Industry frameworks and regulations that require detection of this vulnerability
OWASP Top 10
A02:2021 - Cryptographic Failures
PCI DSS v4.0
Requirement 4.2.1 -- use strong cryptography for transmission of cardholder data
NIST SP 800-131A
Minimum 2048-bit RSA/DSA keys; 1024-bit deprecated since 2013
NIST SP 800-57
Key Management -- minimum key strengths and algorithm selection for equivalent security levels
NIST SP 800-53
SC-13: Cryptographic Protection -- use FIPS-approved algorithms and key sizes
References
External resources and documentation
CWE-326: Inadequate Encryption StrengthNIST SP 800-57 Part 1 Rev 5: Recommendation for Key ManagementNIST SP 800-131A Rev 2: Transitioning the Use of Cryptographic Algorithms and Key LengthsSony PS3 DSA Nonce Reuse Attack (2010) — private key recovered from two signaturesOWASP Cryptographic Failures (A02:2021)
Similar Rules
Explore related security rules for Python
HIGH
Insufficient RSA Key Size (cryptography lib)
RSA key size is less than 2048 bits. NIST minimum is 2048 bits; 3072+ recommended for new systems.
MEDIUM
EC Key Generation Audit (cryptography lib)
Audit all EC key generation calls — verify the curve is SECP256R1, SECP384R1, or stronger. Weak curves like SECP192R1 must not be used.
HIGH
Insufficient DSA Key Size (PyCryptodome)
DSA key size is less than 2048 bits in PyCryptodome. Use DSA.generate(2048) or higher.
Frequently Asked Questions
Common questions about Insufficient DSA Key Size (cryptography lib)
No. The rule uses `.where("key_size", lt(2048))` which only fires when key_size is strictly less than 2048 bits. A key_size=2048 call does NOT trigger this rule.
Use 2048-bit DSA at minimum, or 3072-bit for systems requiring protection beyond 2030. However, for any new system consider replacing DSA entirely with ECDSA using SECP256R1 (equivalent to 3072-bit RSA/DSA) or EdDSA (Ed25519). These are faster, have smaller key and signature sizes, and EdDSA is immune to nonce reuse vulnerabilities.
DSA signing requires a random nonce (k) per signature. If that nonce is ever reused across two signatures, an attacker can algebraically recover the private key — even if the key itself is 4096 bits. This attack was used in 2010 to extract the Sony PS3 master signing key. ECDSA shares this property; EdDSA (Ed25519) deterministically derives nonces and is immune.
Small DSA keys are vulnerable to the index calculus algorithm for computing discrete logarithms over the underlying finite field. With a 1024-bit modulus, an attacker can recover the private key and then forge signatures on arbitrary messages, enabling them to impersonate the key holder for code signing, authentication, or certificate issuance.
Both SEC-021 and SEC-024 use 2048 bits as the threshold, aligning with the NIST SP 800-131A minimum. The only difference is the library being targeted: SEC-021 targets the `cryptography` library's `dsa.generate_private_key(key_size=...)` API, while SEC-024 targets PyCryptodome's `DSA.generate(bits)` API where key size is a positional argument.
Yes, 2048-bit DSA remains acceptable under most compliance frameworks through 2030. However, NIST SP 800-131A notes that DSA is losing support across implementations. OpenSSH deprecated DSA host keys in version 7.0 (2015). Check your compliance framework's current approved algorithm list before committing to DSA for new systems.
New feature
Get these findings posted directly on your GitHub pull requests
The Insufficient DSA Key Size (cryptography lib) rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.