Dart Pointycastle Argon2 Weak Hash Length
Description
This detector identifies Argon2 password hashing implementations in Dart using the PointyCastle library that configure weak derived key lengths. A weak derived key length (typically less than 32 bytes) reduces the cryptographic strength of password hashes, making them more vulnerable to brute force and dictionary attacks.
Detection Strategy
• The detector scans Dart source code for imports of the PointyCastle cryptographic library, specifically looking for Argon2 parameter configuration
• It identifies function calls that create or configure Argon2 parameters where the PointyCastle library is being used
• The detector examines the 'desiredKeyLength' named parameter in Argon2 configuration calls
• A vulnerability is reported when the desiredKeyLength parameter is set to a value that is considered cryptographically weak (typically less than 32 bytes)
• The detection only triggers when both the PointyCastle Argon2 functionality is imported AND a weak key length is explicitly configured
Vulnerable code example
import 'dart:typed_data';
import 'package:pointycastle/export.dart';
// VULNERABLE: Argon2 key derivation with insufficient output length
Uint8List weakKeyDerivation(Uint8List salt, Uint8List password) {
final params = Argon2Parameters(
Argon2Parameters.ARGON2_id,
salt,...✅ Secure code example
import 'dart:typed_data';
import 'package:pointycastle/export.dart';
// SAFE: Argon2 key derivation with secure output length
Uint8List secureKeyDerivation(Uint8List salt, Uint8List password) {
final params = Argon2Parameters(
Argon2Parameters.ARGON2_id,
salt,...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.