PHP Weak Encryption Size
Description
Detects weak RSA key sizes passed to PHP's openssl_pkey_new function through the private_key_bits option. RSA keys shorter than 2048 bits are cryptographically weak: 512-bit and 768-bit moduli have been factored publicly, and 1024-bit RSA is below the security level current guidance accepts for new keys (NIST SP 800-131A disallows it for signature generation). Data encrypted or signed with such a key is exposed to anyone able to factor the modulus.
Detection Strategy
• Identify calls to PHP's openssl_pkey_new function
• Examine the private_key_bits parameter in the configuration array passed to the function
• Flag cases where the key size is below 2048 bits (e.g., 512 or 1024)
• Trace variables so that a key size assigned through a variable holding a weak value (for example $bits = 1024) is still detected
• Resolve configuration arrays that are built in a variable and later passed to the function, so the check is not bypassed by indirection
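The detection strategy above, written out as an added example that is not part of Fluid Attacks' rule or its engine. It is a small regex-based scanner in Python: it collects integer and array assignments file-wide, finds every openssl_pkey_new call, resolves the private_key_bits value whether it is a literal, a variable, or inside a configuration array held in a variable, and flags anything below 2048. The PHP source it scans is constructed for the example; the flow-insensitive, file-wide variable lookup and the lack of nested-array support are simplifications a real rule would replace with a proper PHP parser and per-scope data-flow tracking.

```python
"""Toy static detector for weak RSA key sizes passed to PHP's openssl_pkey_new.

Added example (not the original page's code). Regex based and flow-insensitive:
variable lookups are file-wide, so a production rule would use a real PHP
parser and track assignments per scope.
"""
import re

MIN_RSA_BITS = 2048  # the rule's threshold: anything smaller is flagged

# Constructed sample input (not from the original page). Functions a, b and c
# are weak (literal size, size via a variable, config array via a variable);
# d and e use 2048 and 4096 bits and must not be flagged.
SAMPLE_PHP = r'''<?php
function a() {
    openssl_pkey_new([
        "private_key_bits" => 512,
        "private_key_type" => OPENSSL_KEYTYPE_RSA,
    ]);
}
function b() {
    $bits = 1024;
    openssl_pkey_new(["private_key_bits" => $bits, "private_key_type" => OPENSSL_KEYTYPE_RSA]);
}
function c() {
    $config = array("private_key_bits" => 1024, "private_key_type" => OPENSSL_KEYTYPE_RSA);
    openssl_pkey_new($config);
}
function d() {
    openssl_pkey_new(["private_key_bits" => 2048, "private_key_type" => OPENSSL_KEYTYPE_RSA]);
}
function e() {
    $strong = 4096;
    $cfg = ["private_key_bits" => $strong];
    openssl_pkey_new($cfg);
}
'''

# $name = 1024;
INT_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*(\d+)\s*;')
# $name = [ ... ];  or  $name = array( ... );   (no nested arrays)
ARRAY_ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*(?:array\s*\(|\[)(.*?)[\)\]]\s*;', re.S)
# openssl_pkey_new( ... );
CALL_RE = re.compile(r'openssl_pkey_new\s*\((.*?)\)\s*;', re.S)
# "private_key_bits" => 512   or   "private_key_bits" => $bits
BITS_RE = re.compile(r'["\']private_key_bits["\']\s*=>\s*(\$\w+|\d+)')


def _line_of(source, offset):
    """1-based line number of a character offset in source."""
    return source.count("\n", 0, offset) + 1


def _resolve_bits(expr, int_vars):
    """Turn a numeric literal or a $variable into an int, or None when unknown."""
    if expr.isdigit():
        return int(expr)
    return int_vars.get(expr[1:])


def scan(source):
    """Return weak-key findings: line of the call, resolved bits, and how it was found."""
    int_vars = {name: int(val) for name, val in INT_ASSIGN_RE.findall(source)}
    array_vars = {name: body for name, body in ARRAY_ASSIGN_RE.findall(source)}
    findings = []
    for call in CALL_RE.finditer(source):
        arg = call.group(1).strip()
        if arg.startswith("$"):
            body = array_vars.get(arg[1:])  # config array passed via a variable
            via = "array variable"
        else:
            body = arg  # array literal written inline in the call
            via = "inline array"
        if body is None:
            continue  # array built somewhere we cannot see; a real rule would report this
        m = BITS_RE.search(body)
        if m is None:
            continue  # no private_key_bits at all: PHP falls back to openssl.cnf defaults
        bits = _resolve_bits(m.group(1), int_vars)
        if bits is not None and bits < MIN_RSA_BITS:
            findings.append({
                "line": _line_of(source, call.start()),
                "bits": bits,
                "size_expr": m.group(1),
                "via": via,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"line {f['line']}: RSA {f['bits']} bits ({f['size_expr']}, {f['via']})")
```

Two design choices worth noting. A call whose configuration array cannot be resolved, or that omits private_key_bits entirely, is skipped here rather than flagged; an absent option is not automatically safe, because openssl_pkey_new then takes its key length from the openssl.cnf it loads, so a stricter rule would report those calls as unresolved. And resolution stops at one level of indirection on purpose: chasing arbitrary data flow with regular expressions is where this approach breaks down and a parser-based rule takes over.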
Vulnerable code example
<?php
// VULNERABLE: RSA with a 512-bit key, factorable with modest resources
function generateWeakKey512(): void
{
    openssl_pkey_new([
        "private_key_bits" => 512,
        "private_key_type" => OPENSSL_KEYTYPE_RSA,
    ]);
}
✅ Secure code example
<?php
// SAFE: RSA with a 2048-bit key, the minimum the rule accepts
// (3072 or 4096 bits gives more margin for long-lived keys)
function generateSafeKey2048(): void
{
    openssl_pkey_new([
        "private_key_bits" => 2048,
        "private_key_type" => OPENSSL_KEYTYPE_RSA,
    ]);
}