Dart Cryptography Pbkdf2 Weak Key Length
Description
This detector identifies PBKDF2 implementations in Dart code that use weak key derivation lengths. PBKDF2 (Password-Based Key Derivation Function 2) with insufficient key length makes password-derived keys vulnerable to brute force attacks, compromising the security of encrypted data.
Detection Strategy
• The detector scans Dart source code for imports of cryptography packages that contain PBKDF2 functionality
• It identifies function calls to PBKDF2 methods from these imported cryptography packages
• For each PBKDF2 function call found, it examines the arguments passed to determine the key length parameter
• A vulnerability is reported when the key derivation length argument is determined to be below the secure threshold (typically less than 128 bits or 16 bytes)
• The detection focuses specifically on calls where the key length parameter uses unsafe bit lengths that could compromise cryptographic security
Vulnerable code example
import 'package:cryptography/cryptography.dart';
Future<void> weakKeyDerivation() async {
// VULNERABLE: 64 bits is below AES-128 minimum of 128 bits
final pbkdf2 = Pbkdf2(macAlgorithm: Hmac.sha256(), iterations: 600000, bits: 64);
await pbkdf2.deriveKeyFromPassword(password: 'password123', nonce: const [1, 2, 3]);
}✅ Secure code example
import 'package:cryptography/cryptography.dart';
Future<void> weakKeyDerivation() async {
// SECURE: 256 bits meets AES-256 security requirements
final pbkdf2 = Pbkdf2(macAlgorithm: Hmac.sha256(), iterations: 600000, bits: 256);
await pbkdf2.deriveKeyFromPassword(password: 'password123', nonce: const [1, 2, 3]);
}Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.