Kotlin Crypto Weak Key Size
Description
Detects the use of cryptographic keys with insufficient key sizes in Kotlin applications. Using keys that are too short makes encryption vulnerable to brute-force attacks and compromises the security of encrypted data.
Detection Strategy
• Look for cryptographic initialization functions (ending with 'init')
• Extract the key size parameter from the first argument of these initialization calls
• Compare the specified key size against minimum security requirements for the cryptographic algorithm
• Report a vulnerability if the key size is below the recommended minimum length
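The strategy above, worked through as a small static scanner in Python (an added example, not Fluid Attacks' own rule code). It maps each `val x = Y.getInstance("ALG")` binding to its algorithm, then checks the first numeric argument of every `x.init…(` call against the page's minimums (RSA 2048, AES 128). Matching `initialize` as well as `init` is an assumption made here because the page's own examples use `initialize`; the Kotlin sample is constructed for the demo.

```python
import re

# Minimum acceptable key sizes in bits. RSA 2048 and AES 128 are the
# values the page states; extend the mapping for further algorithms.
MIN_KEY_BITS = {"RSA": 2048, "AES": 128}

# `val name = X.getInstance("ALG")` binds a generator variable to an algorithm
# (only the part before any "/" in the transformation string is kept).
GET_INSTANCE = re.compile(
    r'\b(?:val|var)\s+(\w+)\s*=\s*\w+\.getInstance\(\s*"([^"/]+)')
# `name.init(<bits>)` / `name.initialize(<bits>)`: first argument is key size.
INIT_CALL = re.compile(r'\b(\w+)\.(init\w*)\(\s*(\d+)')


def scan_kotlin(source: str) -> list[tuple[int, str, str, int, int]]:
    """Return (line_no, variable, algorithm, key_bits, minimum) per weak key."""
    var_alg: dict[str, str] = {}
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop line comments (commented-out code)
        m = GET_INSTANCE.search(code)
        if m:
            var_alg[m.group(1)] = m.group(2).upper()
        for var, _method, bits in INIT_CALL.findall(code):
            alg = var_alg.get(var)
            if alg is None or alg not in MIN_KEY_BITS:
                continue  # unknown generator or algorithm: make no claim
            key_bits = int(bits)
            if key_bits < MIN_KEY_BITS[alg]:
                findings.append((line_no, var, alg, key_bits, MIN_KEY_BITS[alg]))
    return findings


# Constructed Kotlin sample mirroring the page's vulnerable/secure snippets.
SAMPLE_KOTLIN = """\
import javax.crypto.KeyGenerator
import java.security.KeyPairGenerator

val keyPairGen = KeyPairGenerator.getInstance("RSA")
keyPairGen.initialize(1024) // weak: below 2048

val aesGen = KeyGenerator.getInstance("AES")
aesGen.init(64)             // weak: below 128

val okPair = KeyPairGenerator.getInstance("RSA")
okPair.initialize(2048)     // fine
"""

if __name__ == "__main__":
    for line_no, var, alg, bits, minimum in scan_kotlin(SAMPLE_KOTLIN):
        print(f"line {line_no}: {var} uses {alg} {bits}-bit key (min {minimum})")
```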
Vulnerable code example
import javax.crypto.KeyGenerator
import java.security.KeyPairGenerator
// RSA key size below recommended 2048 bits
val keyPairGen = KeyPairGenerator.getInstance("RSA")
keyPairGen.initialize(1024) // Vulnerable: Using weak RSA key size of 1024 bits
// AES key size below recommended 128 bits...

✅ Secure code example
import javax.crypto.KeyGenerator
import java.security.KeyPairGenerator
// Generate RSA key pair with secure key size
val keyPairGen = KeyPairGenerator.getInstance("RSA")
keyPairGen.initialize(2048) // Safe: Using recommended RSA key size of 2048 bits
// Generate AES key with secure key size...