Rule Information
Tags
pythonpycryptodomedsakey-sizeCWE-326OWASP-A02
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset python/PYTHON-CRYPTO-SEC-024 --project .1
2
3
4
5
6
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
About This Rule
Understanding the vulnerability and how it is detected
Detects DSA key generation using `DSA.generate(bits)` from PyCryptodome where the first positional argument (key size in bits) is less than 2048. This rule uses a `.where(0, lt(2048))` predicate targeting position 0 — it fires only on provably undersized keys and does not flag 2048-bit or larger keys. DSA with small keys is vulnerable to discrete logarithm attacks. A 1024-bit DSA key can have its private key recovered through index calculus methods, enabling an attacker to forge arbitrary signatures. NIST SP 800-131A formally deprecated 1024-bit DSA in 2013 and requires 2048-bit minimum. Beyond the key size risk, DSA signing requires a cryptographically random per-signature nonce (k): a reused nonce across two signatures algebraically exposes the private key regardless of key size, as demonstrated in the 2010 Sony PlayStation 3 master key extraction. For new applications, prefer ECDSA (ECC.generate(curve='P-256')) or avoid DSA entirely.
How to Fix
Recommended remediation steps
- 1Use DSA.generate(2048) as the absolute minimum; use DSA.generate(3072) for systems requiring protection beyond 2030.
- 2Consider replacing DSA with ECC (curve='P-256' or 'P-384') for new applications — smaller keys, faster operations, and immune to nonce-reuse catastrophe when using EdDSA.
- 3If DSA must be used, ensure the per-signature nonce (k) is generated from a CSPRNG; never reuse a nonce across two signatures with the same key.
- 4Audit all DSA key material and schedule rotation of any keys below 2048 bits.
Compliance & Standards
Industry frameworks and regulations that require detection of this vulnerability
OWASP Top 10
A02:2021 - Cryptographic Failures
PCI DSS v4.0
Requirement 4.2.1 -- use strong cryptography for transmission of cardholder data
NIST SP 800-131A
Minimum 2048-bit DSA keys; 1024-bit deprecated since 2013
NIST SP 800-57
Key Management -- minimum key strengths for equivalent security levels
NIST SP 800-53
SC-13: Cryptographic Protection -- use FIPS-approved algorithms and key sizes
References
External resources and documentation
CWE-326: Inadequate Encryption StrengthNIST SP 800-57 Part 1 Rev 5: Recommendation for Key ManagementNIST SP 800-131A Rev 2: Transitioning the Use of Cryptographic Algorithms and Key LengthsPyCryptodome Documentation: DSA.generate()Sony PS3 DSA Nonce Reuse Attack (2010) — private key recovered from two signaturesOWASP Cryptographic Failures (A02:2021)
Similar Rules
Explore related security rules for Python
HIGH
Insufficient DSA Key Size (cryptography lib)
DSA key size is less than 2048 bits. NIST SP 800-131A requires 2048-bit minimum.
MEDIUM
EC Key Generation Audit (cryptography lib)
Audit all EC key generation calls — verify the curve is SECP256R1, SECP384R1, or stronger. Weak curves like SECP192R1 must not be used.
HIGH
Insufficient RSA Key Size (PyCryptodome)
RSA key size is less than 3072 bits in PyCryptodome. Use RSA.generate(3072) or higher.
Frequently Asked Questions
Common questions about Insufficient DSA Key Size (PyCryptodome)
No. The rule uses `.where(0, lt(2048))` which only fires when the bits argument is strictly less than 2048. DSA.generate(2048) does NOT trigger this rule.
Use DSA.generate(2048) as the minimum, or DSA.generate(3072) for data requiring protection beyond 2030. However, for any new system seriously consider replacing DSA with ECC.generate(curve='P-256') — it is faster, has smaller signatures, and if using Ed25519-style deterministic signing avoids the nonce-reuse vulnerability entirely.
Both rules flag DSA keys below 2048 bits. The difference is the target library and API: SEC-021 targets `cryptography`'s `dsa.generate_private_key(key_size=...)` named-argument API, while SEC-024 targets PyCryptodome's `DSA.generate(bits)` positional-argument API and uses `.where(0, lt(2048))` to check position 0.
Small DSA keys are vulnerable to the index calculus algorithm for computing discrete logarithms. With a 1024-bit modulus an attacker can recover the private key and forge signatures on arbitrary messages — enabling code signing bypass, authentication impersonation, or certificate forgery depending on how the key is used.
Beyond key size, DSA has a catastrophic nonce-reuse vulnerability: if the per-signature random value k is ever reused across two signatures (even with a large key), an attacker can algebraically derive the private key from those two signatures. This happened to Sony in 2010 and to Bitcoin wallet implementations that used flawed RNGs. RSA signing does not have this property. EdDSA (Ed25519) mitigates it by deriving k deterministically.
PyCryptodome's DSA.generate() accepts key size as position 0. The rule uses `.where(0, lt(2048))` to filter on the first positional argument. If the key size is passed as a variable whose value cannot be statically resolved, this rule may not fire (under-approximation). Use literal integer values for key sizes in production code to ensure static detectability.
New feature
Get these findings posted directly on your GitHub pull requests
The Insufficient DSA Key Size (PyCryptodome) rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.