Dart Pointycastle Pbkdf2 Weak Iterations
Description
This detector identifies weak PBKDF2 implementations in Dart applications using the PointyCastle cryptographic library. It specifically checks for PBKDF2 key derivation functions configured with dangerously low iteration counts, which makes password-based encryption vulnerable to brute force attacks.
Detection Strategy
• Scans Dart files that import the PointyCastle cryptographic library (package:pointycastle)
• Identifies calls to PBKDF2 process methods within the PointyCastle library
• Examines the first argument (iteration count parameter) of PBKDF2 process calls to determine if it represents a weak value
• Triggers a vulnerability report when the iteration count is below secure thresholds (typically less than 10,000 iterations)
• Also detects weak configurations through method chaining patterns where PBKDF2 objects are initialized with insufficient iteration parameters
Vulnerable code example
import 'package:pointycastle/export.dart';
void weakPBKDF2() {
final password = [0, 1, 2, 3];
final salt = [0, 1, 2, 3];
final kdf = PBKDF2KeyDerivator(HMac(SHA256Digest(), 64));
kdf.init(Pbkdf2Parameters(salt, 100, 32)); // VULNERABLE: 100 iterations << 600,000 minimum
kdf.process(password);...✅ Secure code example
import 'package:pointycastle/export.dart';
void weakPBKDF2() {
final password = [0, 1, 2, 3];
final salt = [0, 1, 2, 3];
final kdf = PBKDF2KeyDerivator(HMac(SHA256Digest(), 64));
kdf.init(Pbkdf2Parameters(salt, 600000, 32)); // FIXED: 600,000 meets OWASP minimum for SHA-256
kdf.process(password);...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.