1.2.126. Check Crypto Key Length
Each cryptographic algorithm requires a reasonable key length. Make sure an up-to-date key length is used.
This rule uses the following recommendations:
OPENSSL_KEYTYPE_RSA => 3072
OPENSSL_KEYTYPE_DSA => 2048
OPENSSL_KEYTYPE_DH => 2048
OPENSSL_KEYTYPE_EC => 512
The values above are used with the openssl PHP extension.
<?php
// Extracted from the documentation
// Generates a new and strong key
$private_key = openssl_pkey_new(array(
    "private_key_type" => OPENSSL_KEYTYPE_EC,
    "private_key_bits" => 1024,
));
// Generates a new and weak key
$private_key = openssl_pkey_new(array(
    "private_key_type" => OPENSSL_KEYTYPE_EC,
    "private_key_bits" => 256,
));
?>
See also The Definitive 2019 Guide to Cryptographic Key Sizes and Algorithm Recommendations and Cryptographic Key Length Recommendation.
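One way to enforce the minimums listed above at runtime, shown as an added example that is not Exakat's own code. `MIN_KEY_BITS`, `keyLengthProblem()`, `checkKeyOptions()` and `checkExistingKey()` are hypothetical names, and the sample option arrays are constructed.

```php
<?php
// Added example. The minimums are the rule's recommendations listed above.
const MIN_KEY_BITS = [
    OPENSSL_KEYTYPE_RSA => 3072,
    OPENSSL_KEYTYPE_DSA => 2048,
    OPENSSL_KEYTYPE_DH  => 2048,
    OPENSSL_KEYTYPE_EC  => 512,
];

// Hypothetical helper: null when the length meets the minimum, else a reason.
function keyLengthProblem(int $type, ?int $bits): ?string
{
    if (!array_key_exists($type, MIN_KEY_BITS)) {
        return sprintf('unknown key type %d', $type);
    }
    if ($bits === null) {
        // Without an explicit value the length comes from openssl.cnf default_bits.
        return 'private_key_bits is not set explicitly';
    }
    $min = MIN_KEY_BITS[$type];
    return $bits < $min ? sprintf('%d bits is below the %d-bit minimum', $bits, $min) : null;
}

// Check an options array before it reaches openssl_pkey_new().
function checkKeyOptions(array $options): ?string
{
    $type = $options['private_key_type'] ?? OPENSSL_KEYTYPE_RSA; // RSA is PHP's default type
    return keyLengthProblem($type, $options['private_key_bits'] ?? null);
}

// Check a key that already exists (generated earlier or loaded from PEM).
function checkExistingKey($key): ?string
{
    $details = openssl_pkey_get_details($key);
    if ($details === false) {
        return 'could not read key details';
    }
    return keyLengthProblem($details['type'], $details['bits']);
}

// Constructed sample inputs: one below and one at the RSA minimum.
$weak   = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048];
$strong = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 3072];
foreach (['weak' => $weak, 'strong' => $strong] as $label => $options) {
    echo "$label options: ", checkKeyOptions($options) ?? 'ok', PHP_EOL;
    $key = openssl_pkey_new($options);
    echo "$label key: ", $key === false ? 'generation failed' : (checkExistingKey($key) ?? 'ok'), PHP_EOL;
}
```

`checkExistingKey()` covers keys that never passed through `checkKeyOptions()`, such as PEM files loaded with `openssl_pkey_get_private()`.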
1.2.126.1. Suggestions
Lengthen the cryptographic key
1.2.126.2. Specs
Short name | Security/CryptoKeyLength
Rulesets |
Exakat since | 2.1.1
PHP Version | All
Severity | Minor
Time To Fix | Quick (30 mins)
Precision | High
Features | cryptography, openssl
Available in |