EC Key Generation Audit (cryptography lib)

MEDIUM

Audit all EC key generation calls — verify the curve is SECP256R1, SECP384R1, or stronger. Weak curves like SECP192R1 must not be used.

Rule Information

Language: Python
Category: Cryptography
Author: Shivasurya
Last Updated: 2026-03-22
Tags: python, cryptography, ec, elliptic-curve, key-size, audit, CWE-326, OWASP-A02
pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-022 --project .

About This Rule

Understanding the vulnerability and how it is detected

Audit rule that flags all calls to `ec.generate_private_key()` in the `cryptography` library to prompt review of the curve argument. Unlike SEC-020 and SEC-021, this is not a precise detection rule — it matches `CryptoEC.method("generate_private_key")` without filtering on the curve type, because the analysis engine cannot currently inspect the curve object passed as an argument to distinguish approved curves from deprecated ones. The intent is to surface all EC key generation for mandatory human review.

Not all curves are equally secure. SECP192R1 (NIST P-192) provides only 96-bit security and is deprecated by NIST SP 800-131A. SECP224R1 (112-bit security) is also deprecated for use after 2030. By contrast, SECP256R1 (128-bit), SECP384R1 (192-bit), and SECP521R1 (260-bit) are all NIST-approved. This rule generates expected false positives for code using approved curves — treat findings as a mandatory audit checkpoint rather than confirmed vulnerabilities.
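A triage helper for this rule's findings, as an added example that is not part of the rule or of the Pathfinder project: it uses Python's `ast` module to locate `ec.generate_private_key()` calls and classifies the curve when it is written literally as `ec.<CURVE>()`, leaving every other form for manual review. The function names, verdict labels and sample source are constructed for illustration, and only `from ... import ec` style imports are resolved.

```python
import ast

# Verdicts for curve class names, taken from the page's approved/deprecated lists.
VERDICTS = {
    "SECP192R1": "deprecated", "SECP224R1": "deprecated",
    "SECP256R1": "approved", "SECP384R1": "approved", "SECP521R1": "approved",
}
EC_MODULE = "cryptography.hazmat.primitives.asymmetric"

# Constructed sample input (not from the page).
SAMPLE = '''\
from cryptography.hazmat.primitives.asymmetric import ec, rsa

legacy = ec.generate_private_key(ec.SECP192R1())
tls = ec.generate_private_key(curve=ec.SECP384R1())
chosen = ec.generate_private_key(load_curve(cfg))
other = rsa.generate_private_key(public_exponent=65537, key_size=3072)
'''


def ec_aliases(tree):
    """Names the file binds to the `ec` module (handles `import ec as X`)."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == EC_MODULE:
            names |= {a.asname or a.name for a in node.names if a.name == "ec"}
    return names


def triage_ec_keygen(source):
    """Return sorted (line, curve_expr, verdict) per ec.generate_private_key call."""
    tree = ast.parse(source)
    aliases = ec_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        f = getattr(node, "func", None)
        if not (isinstance(node, ast.Call) and isinstance(f, ast.Attribute)
                and f.attr == "generate_private_key"
                and isinstance(f.value, ast.Name) and f.value.id in aliases):
            continue
        # The curve is the first positional argument or the `curve` keyword.
        arg = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "curve"), None)
        verdict = "manual-review"  # variables, helper calls, unlisted curves
        if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute):
            verdict = VERDICTS.get(arg.func.attr, verdict)
        expr = ast.unparse(arg) if arg is not None else "<missing>"
        findings.append((node.lineno, expr, verdict))
    return sorted(findings)
```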

How to Fix

Recommended remediation steps

  1. Use SECP256R1 (NIST P-256) as the baseline for new EC keys — it is universally supported and provides 128-bit security.
  2. Use SECP384R1 or SECP521R1 for high-value keys or applications requiring compliance with NSA CNSA 2.0.
  3. Never use SECP192R1 or SECP224R1 — both are deprecated by NIST SP 800-131A.
  4. For new applications, consider X25519 for key agreement and Ed25519 for signatures — both are modern audited curves with no parameter-based weaknesses.
  5. Document the curve selection rationale in your security design document for each EC key generation call site.

Compliance & Standards

Industry frameworks and regulations that require detection of this vulnerability

  • OWASP Top 10: A02:2021 - Cryptographic Failures
  • PCI DSS v4.0: Requirement 4.2.1 -- use strong cryptography; minimum 256-bit ECC equivalent
  • NIST SP 800-131A: SECP192R1 and SECP224R1 deprecated; SECP256R1 and higher approved
  • NIST SP 800-57: Key Management -- 128-bit minimum security level; P-256 provides 128-bit
  • NIST SP 800-53: SC-13: Cryptographic Protection -- use FIPS-approved algorithms and parameters

Frequently Asked Questions

Common questions about EC Key Generation Audit (cryptography lib)

This is an intentional audit-level rule. The analysis engine matches all calls to `ec.generate_private_key()` because it cannot currently inspect the curve object to distinguish SECP256R1 from SECP192R1 at analysis time. Findings here require human review — confirm the curve is an approved NIST curve and suppress the finding with an inline annotation if your organization's policy permits it.
NIST-approved curves safe for new systems: SECP256R1 (P-256), SECP384R1 (P-384), SECP521R1 (P-521). Deprecated curves that must NOT be used: SECP192R1 (P-192) and SECP224R1 (P-224). For key agreement X25519 is widely recommended; for signatures Ed25519 is preferred in modern protocols.
SECP192R1: 96-bit security (deprecated). SECP224R1: 112-bit security (deprecated after 2030). SECP256R1: 128-bit security (approved). SECP384R1: 192-bit security (approved). SECP521R1: 260-bit security (approved). X25519/Ed25519: approximately 128-bit security (approved).
Brainpool curves (brainpoolP256r1, etc.) are standardized by IETF and used in European government contexts, but are not FIPS-approved by NIST and may not satisfy US federal compliance requirements. Evaluate against your specific compliance framework.
EC provides equivalent security with much shorter keys: SECP256R1 (256-bit) matches the security of 3072-bit RSA. Shorter keys mean faster key generation, smaller signatures, and lower bandwidth. EC is the recommended approach in TLS 1.3, modern SSH, and FIDO2.
Weak curves with insufficient security parameters are vulnerable to the Pohlig-Hellman algorithm and index calculus variants. For SECP192R1 an attacker can compute discrete logarithms and recover the private key, enabling signature forgery and decryption of ECDH-established sessions.
