148 – Set minimum size of asymmetric encryption

Summary

The asymmetric encryption mechanism must use a minimum key size of 2048 bits.

Description

The key size in asymmetric encryption is directly correlated with the strength of the encryption. Larger key sizes provide a higher level of security because they increase the complexity of the mathematical problem that an attack is intended to solve and break the encryption.

Supported In

Essential: True

Advanced: True

References

• CAPEC-20. Encryption brute forcing
• HIPAA-164_312_a_2_iv. Encryption and decryption (addressable)
• HITRUST-10_g. Key management
• ISO27002-8_24. Use of cryptography
• IEC62443-DC-4_3. Use of cryptography
• ISSAF-E_21. Network security - Switch security assessment (VLAN reconfiguration)
• ISSAF-F_5_3. Network security - Router security assessment (protect passwords)
• ISSAF-H_14_17. Network security - Intrusion detection (detection engine)
• BSAFSS-EN_2-4. Avoid weak encryption
• ASVS-6_2_5. Algorithms
• SIG-D_6_13. Asset and information management
• ASVS-6_2_1. Algorithms
• ASVS-6_2_7. Algorithms
• ISO27001-8_24. Use of cryptography
• CASA-6_2_1. Algorithms
• CASA-6_2_5. Algorithms
• CASA-6_2_7. Algorithms
• OWASPMASVS-CRYPTO-1. The app employs current strong cryptography and uses it according to industry best practices

Weaknesses

• 133 – Insecure encryption algorithm - Perfect Forward Secrecy
• 261 – Insecure encryption algorithm - DSA
• 262 – Insecure encryption algorithm - SHA1
• 263 – Insecure encryption algorithm - MD5
• 264 – Insecure encryption algorithm - TripleDES
• 265 – Insecure encryption algorithm - AES
• 269 – Insecure encryption algorithm - Blowfish
• 282 – Insecure encryption algorithm - ECB
• 421 – Insecure encryption algorithm - Insecure Elliptic Curve
• 016 – Insecure encryption algorithm - SSL/TLS
• 052 – Insecure encryption algorithm
• 092 – Insecure encryption algorithm - Anonymous cipher suites
• 094 – Insecure encryption algorithm - Cipher Block Chaining

Last updated

2024/01/18