1.2.126. Check Crypto Key Length

Each cryptographic algorithm requires a key of reasonable length. Make sure the key length in use follows up-to-date recommendations.

This rule uses the following recommendations:

  • OPENSSL_KEYTYPE_RSA => 3072

  • OPENSSL_KEYTYPE_DSA => 2048

  • OPENSSL_KEYTYPE_DH => 2048

  • OPENSSL_KEYTYPE_EC => 512

The values above are used with the openssl PHP extension.

<?php

// Extracted from the documentation

// Generates a new and strong key
$private_key = openssl_pkey_new(array(
    "private_key_type" => OPENSSL_KEYTYPE_EC,
    "private_key_bits" => 1024,
));

// Generates a new and weak key
$private_key = openssl_pkey_new(array(
    "private_key_type" => OPENSSL_KEYTYPE_EC,
    "private_key_bits" => 256,
));

?>

See also The Definitive 2019 Guide to Cryptographic Key Sizes and Algorithm Recommendations and Cryptographic Key Length Recommendation.
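
An added example, not part of Exakat or the PHP documentation: a runtime counterpart to this rule that applies the minimums listed above to a configuration array before it reaches openssl_pkey_new(), and to a key that already exists. The names MIN_KEY_BITS, checkKeyBits, checkKeyConfig and checkExistingKey are hypothetical, and reporting an unset size as a finding is a choice made for this example.

```php
<?php
// Minimum sizes copied from the rule's list above.
const MIN_KEY_BITS = [
    OPENSSL_KEYTYPE_RSA => 3072,
    OPENSSL_KEYTYPE_DSA => 2048,
    OPENSSL_KEYTYPE_DH  => 2048,
    OPENSSL_KEYTYPE_EC  => 512,
];

// Hypothetical helper: null when the size is acceptable, else a finding.
function checkKeyBits(int $type, int $bits): ?string
{
    if (!isset(MIN_KEY_BITS[$type])) {
        return "unknown key type $type";
    }
    $min = MIN_KEY_BITS[$type];
    return $bits < $min ? "key is $bits bits, minimum is $min" : null;
}

// Check a configuration array before passing it to openssl_pkey_new().
function checkKeyConfig(array $config): ?string
{
    // An implicit type or size depends on defaults, so report it (assumption).
    if (!isset($config['private_key_type'], $config['private_key_bits'])) {
        return 'private_key_type or private_key_bits not set explicitly';
    }
    return checkKeyBits($config['private_key_type'], (int) $config['private_key_bits']);
}

// Check a key that already exists (generated or loaded from PEM).
function checkExistingKey($key): ?string
{
    $details = openssl_pkey_get_details($key);
    if ($details === false) {
        return 'cannot read key details';
    }
    return checkKeyBits($details['type'], $details['bits']);
}

// Constructed sample configurations.
$weak = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048];
$ok   = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 3072];
var_dump(checkKeyConfig($weak));
var_dump(checkKeyConfig($ok));

// The same check applied to a generated key; generation can fail without openssl.cnf.
$key = openssl_pkey_new($weak);
if ($key !== false) { var_dump(checkExistingKey($key)); }
```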

1.2.126.1. Suggestions

  • Lengthen the cryptographic key

1.2.126.2. Specs

Short name: Security/CryptoKeyLength

Rulesets: All, Security

Exakat since: 2.1.1

PHP Version: All

Severity: Minor

Time To Fix: Quick (30 mins)

Precision: High

Features: cryptography, openssl

Available in: Enterprise Edition, Exakat Cloud