Dart PointyCastle PBKDF2 Weak Key Length
Description
This detector identifies weak key length configurations in Dart's PointyCastle PBKDF2 implementations. PBKDF2 (Password-Based Key Derivation Function 2) with insufficient key lengths weakens cryptographic security and makes derived keys vulnerable to brute-force attacks.
Detection Strategy
• Scans Dart code for imports from the PointyCastle cryptographic package that include PBKDF2-related classes
• Identifies function calls to PBKDF2 parameter constructors or related methods from the imported PointyCastle components
• Examines the third argument (index 2) of these function calls, which typically represents the key length parameter
• Flags the call as vulnerable if the key length argument is determined to be below secure thresholds (evaluated as a weak derived key length in bytes)
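The four steps above, sketched as a small scanner. This is an added example, not Fluid Attacks' detector: the function names and the sample source are constructed, the 16-byte threshold is taken from the comment in the page's vulnerable example, and it assumes literal integer lengths and no brackets or commas inside string literals or comments.

```python
import re

MIN_KEY_BYTES = 16  # assumption: minimum named in the page's vulnerable-example comment
IMPORT_RE = re.compile(r"""import\s+['"]package:pointycastle/[^'"]+['"]""")
CALL_RE = re.compile(r"\bPbkdf2Parameters\s*\(")

def split_args(src, start):
    """Split the argument list that begins at src[start] (just after '(') on top-level commas."""
    args, depth, current = [], 0, []
    for ch in src[start:]:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:  # the ')' that closes the call itself
                args.append("".join(current).strip())
                return args
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    return []  # unbalanced call: nothing to report

def find_weak_key_lengths(dart_source):
    """Return (line, key_length) for each call whose literal third argument is below the minimum."""
    if not IMPORT_RE.search(dart_source):
        return []  # step 1: no PointyCastle import, nothing to check
    findings = []
    for m in CALL_RE.finditer(dart_source):  # step 2: parameter constructor calls
        args = split_args(dart_source, m.end())
        if len(args) < 3 or not re.fullmatch(r"\d+", args[2]):
            continue  # step 3: a non-literal length cannot be decided here
        if int(args[2]) < MIN_KEY_BYTES:  # step 4: weak derived key length in bytes
            line = dart_source.count("\n", 0, m.start()) + 1
            findings.append((line, int(args[2])))
    return findings

# Constructed sample input (not taken from a real project)
SAMPLE = """import 'dart:typed_data';
import 'package:pointycastle/export.dart';
void a() { Pbkdf2Parameters(Uint8List.fromList([0, 1, 2, 3]), 600000, 8); }
void b() { Pbkdf2Parameters(Uint8List.fromList([0, 1, 2, 3]), 600000, 32); }
void c(int n) { Pbkdf2Parameters(salt(), 600000, n); }
"""

if __name__ == "__main__":
    for line, length in find_weak_key_lengths(SAMPLE):
        print(f"line {line}: derived key length {length} < {MIN_KEY_BYTES} bytes")
```

The salt literal contains commas of its own, which is why the argument list is split by bracket depth rather than with a plain `split(",")`.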
Vulnerable code example
import 'dart:typed_data';
import 'package:pointycastle/export.dart';

void weakPbkdf2() {
  // VULNERABLE: 8 bytes is below the 16-byte minimum for secure key derivation
  // (Pbkdf2Parameters takes the salt as a Uint8List)
  final params = Pbkdf2Parameters(Uint8List.fromList([0, 1, 2, 3]), 600000, 8);
  PBKDF2KeyDerivator(HMac(SHA256Digest(), 64))..init(params);
}
✅ Secure code example
import 'dart:typed_data';
import 'package:pointycastle/export.dart';

void securePbkdf2() {
  // SAFE: 32 bytes meets AES-256 strength - modern security recommendation
  // (Pbkdf2Parameters takes the salt as a Uint8List)
  final params = Pbkdf2Parameters(Uint8List.fromList([0, 1, 2, 3]), 600000, 32);
  PBKDF2KeyDerivator(HMac(SHA256Digest(), 64))..init(params);
}