Java Weak Rsa Key
Description
Detects the use of weak RSA keys in Java applications by identifying RSA key pair generation with insufficient key sizes (less than 2048 bits). Using RSA keys shorter than 2048 bits is considered cryptographically weak and could allow attackers to break the encryption through factorization attacks.
Detection Strategy
• Check if java.security.KeyPairGenerator is imported in the source code
• Look for calls to initialize() method on KeyPairGenerator instances
• Verify if the KeyPairGenerator is configured for RSA algorithm
• Check if the key size parameter passed to initialize() is less than 2048 bits
• Report a vulnerability when RSA keys are generated with sizes below 2048 bits
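The steps above, applied by a small line-oriented scanner over Java source text. This is an added illustration of the detection logic, not Fluid Attacks' own detector; the sample Java source it scans is constructed for this example, and the regular expressions are an assumption about what the rule matches (integer literals passed directly to initialize()).

```python
import re
from typing import Dict, List

MIN_RSA_BITS = 2048

# Step 1: KeyPairGenerator (or the whole java.security package) must be imported.
IMPORT_RE = re.compile(r"import\s+java\.security\.(?:KeyPairGenerator|\*)\s*;")
# Step 3: a variable bound to an RSA generator through getInstance("RSA").
RSA_INSTANCE_RE = re.compile(r"(\w+)\s*=\s*KeyPairGenerator\.getInstance\(\s*\"RSA\"\s*\)")
# Steps 2 and 4: initialize(<integer literal>) called on a variable; the literal is captured.
INITIALIZE_RE = re.compile(r"(\w+)\.initialize\(\s*(\d+)\s*[,)]")

# Constructed sample: one weak RSA generator, one acceptable RSA generator and an
# EC generator whose 256-bit size is fine and must not be reported.
SAMPLE_SOURCE = "\n".join([
    "import java.security.KeyPairGenerator;",
    "public class Demo {",
    "  void run() throws Exception {",
    "    KeyPairGenerator weak = KeyPairGenerator.getInstance(\"RSA\");",
    "    weak.initialize(1024);",
    "    KeyPairGenerator ok = KeyPairGenerator.getInstance(\"RSA\");",
    "    ok.initialize(3072);",
    "    KeyPairGenerator ec = KeyPairGenerator.getInstance(\"EC\");",
    "    ec.initialize(256);",
    "  }",
    "}",
])


def scan_java_source(source: str) -> List[Dict[str, object]]:
    """Return one finding per initialize() call that sizes an RSA key below 2048 bits."""
    findings: List[Dict[str, object]] = []
    if not IMPORT_RE.search(source):
        return findings  # step 1 fails: KeyPairGenerator is never imported
    rsa_generators = set()  # variables known to hold an RSA KeyPairGenerator
    for lineno, line in enumerate(source.splitlines(), start=1):
        bound = RSA_INSTANCE_RE.search(line)
        if bound:
            rsa_generators.add(bound.group(1))
        init = INITIALIZE_RE.search(line)
        if init and init.group(1) in rsa_generators:  # steps 2 and 3 together
            bits = int(init.group(2))
            if bits < MIN_RSA_BITS:  # step 4
                findings.append({"line": lineno, "variable": init.group(1), "bits": bits})  # step 5
    return findings


if __name__ == "__main__":
    for finding in scan_java_source(SAMPLE_SOURCE):
        print(f"line {finding['line']}: RSA key size {finding['bits']} < {MIN_RSA_BITS} ({finding['variable']})")
```

This scanner only sees sizes written as integer literals in the initialize() call itself; a size held in a variable (the "user-defined" case the examples below mention) needs constant propagation across statements, which a regular expression per line cannot provide.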
Vulnerable code example
import java.security.KeyPair;
import java.security.KeyPairGenerator;

public class WeakRSAExample {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(512); // Vulnerable: Using weak RSA key size < 2048 bits
        KeyPair pair = keyGen.generateKeyPair(); // 512-bit modulus is within reach of factorization
        // Another vulnerable example with user-defined weak size...
    }
}

✅ Secure code example
import java.security.KeyPair;
import java.security.KeyPairGenerator;

public class SecureRSAExample {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(2048); // Secure: Using recommended minimum RSA key size
        KeyPair pair = keyGen.generateKeyPair();
        // Example with secure user-defined size...
    }
}