Rule Information
Tags
pythonpycryptodomersakey-sizeCWE-326OWASP-A02
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-023 --project .1
2
3
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
About This Rule
Understanding the vulnerability and how it is detected
Detects RSA key generation using `RSA.generate(bits)` from PyCryptodome where the first positional argument (key size in bits) is less than 3072. This rule uses a `.where(0, lt(3072))` predicate targeting position 0 of the call — it fires only on provably undersized keys and does not flag 3072-bit or larger keys. The 3072-bit threshold is deliberately stricter than the SEC-020 `cryptography` library rule (which uses 2048 as the floor). PyCryptodome's own documentation recommends 3072-bit keys for new applications to ensure adequate security beyond 2030. NIST SP 800-57 equates 3072-bit RSA to 128-bit symmetric security. A 2048-bit RSA key provides only 112-bit security and is scheduled for deprecation by NIST after 2030. RSA keys shorter than 3072 bits are vulnerable to the General Number Field Sieve factorization algorithm given sufficient compute. For new systems, consider ECDSA with SECP256R1 or SECP384R1 which provides equivalent or stronger security with significantly shorter keys.
How to Fix
Recommended remediation steps
- 1Use RSA.generate(3072) as the minimum for PyCryptodome RSA key generation.
- 2Use RSA.generate(4096) for long-lived keys such as CA certificates or signing keys.
- 3Consider replacing RSA with ECC — ECC.generate(curve='P-256') provides equivalent security to RSA-3072 with a 256-bit key.
- 4Note that this rule is stricter than SEC-020 (cryptography lib) which uses 2048 as the floor; aligning on 3072 ensures systems will remain compliant beyond 2030.
- 5Audit all RSA key material in your infrastructure and schedule rotation of any keys below 3072 bits on a risk-based timeline.
Compliance & Standards
Industry frameworks and regulations that require detection of this vulnerability
OWASP Top 10
A02:2021 - Cryptographic Failures
PCI DSS v4.0
Requirement 4.2.1 -- use strong cryptography for transmission of cardholder data
NIST SP 800-131A
Minimum 2048-bit RSA/DSA keys; 3072-bit required for security beyond 2030
NIST SP 800-57
Key Management -- 3072-bit RSA provides 128-bit security level, minimum for new systems
NIST SP 800-53
SC-13: Cryptographic Protection -- use FIPS-approved algorithms and key sizes
References
External resources and documentation
Similar Rules
Explore related security rules for Python
HIGH
Insufficient RSA Key Size (cryptography lib)
RSA key size is less than 2048 bits. NIST minimum is 2048 bits; 3072+ recommended for new systems.
HIGH
Insufficient DSA Key Size (cryptography lib)
DSA key size is less than 2048 bits. NIST SP 800-131A requires 2048-bit minimum.
HIGH
Insufficient DSA Key Size (PyCryptodome)
DSA key size is less than 2048 bits in PyCryptodome. Use DSA.generate(2048) or higher.
Frequently Asked Questions
Common questions about Insufficient RSA Key Size (PyCryptodome)
Yes. This rule flags keys below 3072 bits, so RSA.generate(2048) will trigger a finding. This is intentionally stricter than SEC-020 (which only flags below 2048). The 3072-bit threshold reflects NIST's recommendation for systems expected to operate beyond 2030 and PyCryptodome's own documentation guidance.
SEC-020 targets the `cryptography` library and uses 2048 bits as the hard regulatory minimum per NIST SP 800-131A. SEC-023 targets PyCryptodome and applies a forward-looking threshold of 3072 bits, reflecting PyCryptodome's own recommendation for new applications and NIST's guidance that 2048-bit provides only 112-bit security (acceptable until 2030, not beyond). This difference helps teams building new systems avoid creating key material that will require imminent rotation.
Use RSA.generate(3072) as the minimum for new PyCryptodome applications. Use RSA.generate(4096) for long-lived certificates or any key protecting data beyond 2030. Alternatively migrate to ECC — ECC.generate(curve='P-256') provides 128-bit security with a much shorter key and faster operations.
Technically 2048-bit RSA meets current NIST minimums and will until 2030. However, PyCryptodome's documentation explicitly recommends 3072-bit for new applications, and this rule enforces that recommendation. If you have 2048-bit keys in existing systems you should plan rotation before 2030; do not generate new 2048-bit keys.
RSA keys are broken by factoring the modulus N = p * q. The General Number Field Sieve (GNFS) algorithm has a sub-exponential runtime that makes 1024-bit keys factorable and puts 2048-bit keys at increasing risk as compute costs fall. Once factored, all past ciphertext encrypted with that key can be decrypted (no forward secrecy), and signatures can be forged.
PyCryptodome does not enforce a minimum key size by default. RSA.generate(512) will succeed without warning. This rule compensates for that missing guard at the code analysis layer.
PyCryptodome's `RSA.generate(bits)` accepts key size as position 0. The rule uses `.where(0, lt(3072))` to filter on the first positional argument. If the key size is passed as a variable whose value cannot be statically resolved, this rule may not fire (under-approximation). Consider using named constants or literal values for key sizes.
New feature
Get these findings posted directly on your GitHub pull requests
The Insufficient RSA Key Size (PyCryptodome) rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.