Kotlin Weak Key Size
Description
Identifies insecure cryptographic configurations in Kotlin code where cryptographic keys are generated with a key size below current minimums (for example, RSA below 2048 bits or AES below 128 bits). An undersized key lowers the cost of factoring or brute-force attacks, so the encryption or signatures built on it may fail to protect sensitive data.
Detection Strategy
• Detects calls to the JCA key generation factories KeyGenerator.getInstance() and KeyPairGenerator.getInstance()
• Examines the algorithm passed to getInstance() together with the key size passed to the generator's init() or initialize() call, and compares that size with the minimum accepted for the algorithm
• Reports a vulnerability when a key generator is initialized with a key size below that minimum
• Matches both fully qualified calls (javax.crypto.KeyGenerator, java.security.KeyPairGenerator) and the short, imported form (KeyGenerator, KeyPairGenerator)
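To make the strategy concrete, the following is an added example, not Fluid Attacks' own checker: a minimal line-based Kotlin scanner that applies the four steps above to a constructed source snippet. It records each variable bound to a KeyGenerator or KeyPairGenerator getInstance() call, then flags any init()/initialize() on that variable whose size is below a per-algorithm minimum. The MIN_BITS thresholds, the regular expressions and the SAMPLE input are this example's assumptions.

```kotlin
// Added example: a minimal checker in the spirit of the detection strategy above.
// The minimum sizes are this example's assumption, not the rule's actual thresholds.
private val MIN_BITS = mapOf(
    "RSA" to 2048, "DSA" to 2048, "DH" to 2048,   // KeyPairGenerator algorithms
    "AES" to 128,                                   // KeyGenerator algorithms
)

// Step 1 and 4: a generator created via getInstance(), fully qualified or not.
private val GET_INSTANCE = Regex(
    """(?:val|var)\s+(\w+)\s*=\s*(?:javax\.crypto\.|java\.security\.)?(?:KeyGenerator|KeyPairGenerator)\.getInstance\(\s*"([A-Za-z0-9/]+)"\s*\)"""
)
// Step 2: the key size handed to init() or initialize().
private val INIT_CALL = Regex("""(\w+)\.(?:init|initialize)\(\s*(\d+)\s*\)""")

data class Finding(val line: Int, val variable: String, val algorithm: String, val bits: Int, val minBits: Int)

fun scan(source: String): List<Finding> {
    val generators = mutableMapOf<String, String>()   // variable name -> algorithm
    val findings = mutableListOf<Finding>()
    source.lines().forEachIndexed { idx, raw ->
        val line = raw.substringBefore("//")          // ignore trailing comments
        GET_INSTANCE.find(line)?.let { m ->
            generators[m.groupValues[1]] = m.groupValues[2].substringBefore("/").uppercase()
        }
        INIT_CALL.find(line)?.let { m ->
            val variable = m.groupValues[1]
            val bits = m.groupValues[2].toInt()
            val algorithm = generators[variable] ?: return@let   // not a generator we tracked
            val min = MIN_BITS[algorithm] ?: return@let          // no policy for this algorithm
            // Step 3: report only when the requested size is below the minimum.
            if (bits < min) findings += Finding(idx + 1, variable, algorithm, bits, min)
        }
    }
    return findings
}

// Constructed sample input (not taken from any real project): both spellings of the API.
val SAMPLE = """
    val rsaGen = KeyPairGenerator.getInstance("RSA")
    rsaGen.initialize(1024)
    val aesGen = javax.crypto.KeyGenerator.getInstance("AES")
    aesGen.init(128)
    val okGen = java.security.KeyPairGenerator.getInstance("RSA")
    okGen.initialize(4096)
""".trimIndent()

fun main() {
    // Only rsaGen is reported: 1024 < 2048. aesGen and okGen meet their minimums.
    for (f in scan(SAMPLE)) {
        println("line ${f.line}: ${f.variable} (${f.algorithm}) initialized with ${f.bits} bits, minimum ${f.minBits}")
    }
}
```

A real rule would work on the parsed syntax tree rather than on lines, so that a generator passed to another function, or a size computed from a constant, is still tracked; the example only shows the shape of the check.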
Vulnerable code example
import javax.crypto.KeyGenerator
import java.security.KeyPairGenerator
// Vulnerable: Using weak 1024-bit key size for RSA (should be >= 2048)
val keyPairGen = KeyPairGenerator.getInstance("RSA")
keyPairGen.initialize(1024)
// Vulnerable: Using weak 64-bit key size for AES (should be >= 128)...
✅ Secure code example
import javax.crypto.KeyGenerator
import java.security.KeyPairGenerator
// Secure: Using recommended 2048-bit key size for RSA
val keyPairGen = KeyPairGenerator.getInstance("RSA")
keyPairGen.initialize(2048)
// Secure: Using standard 256-bit key size for AES...
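Beyond hard-coding a good size at each call site, a practitioner usually wants the minimum enforced in one place and the generated key verified afterwards. The following is an added example, not code from the page or from Fluid Attacks: two wrapper functions that refuse any size below an assumed policy minimum before touching the JCA, plus a post-generation check of the RSA modulus length. The MIN_*_BITS tables, the WeakKeySizeException class and the function names are this example's assumptions. One caveat worth knowing for the AES case above: the default JCE provider itself rejects AES key sizes other than 128, 192 and 256 with an InvalidParameterException, so a 64-bit AES request never yields a key; the guard simply fails earlier, with a policy message instead of a provider error.

```kotlin
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.interfaces.RSAPublicKey
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Policy minimums assumed for this example (RSA/DSA/DH >= 2048 bits, AES >= 128 bits);
// they are this example's choice, not values taken from the page's rule.
private val MIN_ASYMMETRIC_BITS = mapOf("RSA" to 2048, "DSA" to 2048, "DH" to 2048)
private val MIN_SYMMETRIC_BITS = mapOf("AES" to 128)

class WeakKeySizeException(message: String) : IllegalArgumentException(message)

/** Generates a key pair, refusing any size below the policy minimum for the algorithm. */
fun generateKeyPair(algorithm: String, keySize: Int): KeyPair {
    val min = MIN_ASYMMETRIC_BITS[algorithm]
        ?: throw WeakKeySizeException("No minimum size configured for $algorithm; refusing to generate")
    if (keySize < min) {
        throw WeakKeySizeException("$algorithm key size $keySize bits is below the minimum of $min bits")
    }
    val kpg = KeyPairGenerator.getInstance(algorithm)
    kpg.initialize(keySize)
    return kpg.generateKeyPair()
}

/** Generates a symmetric key, refusing any size below the policy minimum for the algorithm. */
fun generateSecretKey(algorithm: String, keySize: Int): SecretKey {
    val min = MIN_SYMMETRIC_BITS[algorithm]
        ?: throw WeakKeySizeException("No minimum size configured for $algorithm; refusing to generate")
    if (keySize < min) {
        throw WeakKeySizeException("$algorithm key size $keySize bits is below the minimum of $min bits")
    }
    val kg = KeyGenerator.getInstance(algorithm)
    kg.init(keySize)
    return kg.generateKey()
}

/** The real size of an RSA key is the bit length of its modulus; verify it after generation. */
fun rsaKeyBits(keyPair: KeyPair): Int = (keyPair.public as RSAPublicKey).modulus.bitLength()

fun main() {
    // The weak request from the vulnerable example is rejected before any key material exists.
    runCatching { generateKeyPair("RSA", 1024) }
        .onFailure { println("rejected: ${it.message}") }

    val rsa = generateKeyPair("RSA", 2048)
    check(rsaKeyBits(rsa) == 2048) { "generated RSA key is not 2048 bits" }
    println("RSA modulus bits: ${rsaKeyBits(rsa)}")

    val aes = generateSecretKey("AES", 256)
    println("AES key length: ${aes.encoded.size * 8} bits")

    // AES with 64 bits fails here with a policy error; without the guard the default JCE
    // provider would still throw InvalidParameterException, since it only accepts 128/192/256.
    runCatching { generateSecretKey("AES", 64) }
        .onFailure { println("rejected: ${it.message}") }
}
```

Keeping the minimums in one table also gives the static rule a single place to read them from, so the scanner and the runtime guard cannot drift apart.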