Kotlin Insecure Key Pair Generation
Description
Detects potentially insecure cryptographic key pair generation in code. Using weak parameters or default values during key pair initialization can result in predictable or breakable keys, compromising the cryptographic security of the application.
Detection Strategy
• Identifies calls to initialize() method for key pair generation
• Checks if the initialization parameters or argument list contains potentially insecure values
• Reports a vulnerability when key pair initialization is done without proper security parameters
• Validates both the method call and its arguments for secure cryptographic practices
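As an added illustration of the detection strategy above (this is not Fluid Attacks' rule implementation, which works on a parsed syntax tree rather than on raw lines), the following Kotlin program tracks which algorithm each generator variable was created with and flags `initialize()` / `init()` calls whose integer literal falls below an assumed per-algorithm floor. The thresholds in `MIN_BITS`, the `Finding` type and the sample source are assumptions constructed for this example.

```kotlin
// Added example: a line-based scanner mirroring the detection strategy.
// Assumed policy floors; RSA 2048 and AES 128 match the values quoted on this page.
val MIN_BITS = mapOf("RSA" to 2048, "DSA" to 2048, "DH" to 2048, "AES" to 128)

data class Finding(val line: Int, val text: String, val reason: String)

// `val gen = KeyPairGenerator.getInstance("RSA")`  -> remembers gen -> RSA
private val getInstanceRe =
    Regex("""(\w+)\s*=\s*(?:KeyPairGenerator|KeyGenerator)\.getInstance\(\s*"([A-Za-z0-9]+)"\s*\)""")

// `gen.initialize(1024)` / `gen.init(64, ...)` -> captures variable and literal size
private val initRe = Regex("""(\w+)\.(?:initialize|init)\(\s*(\d+)\s*[,)]""")

fun scan(source: String): List<Finding> {
    val algoOf = mutableMapOf<String, String>()   // variable name -> algorithm
    val findings = mutableListOf<Finding>()
    source.lines().forEachIndexed { idx, line ->
        val created = getInstanceRe.find(line)
        if (created != null) {
            algoOf[created.groupValues[1]] = created.groupValues[2].uppercase()
        }
        val call = initRe.find(line)
        if (call != null) {
            val variable = call.groupValues[1]
            val bits = call.groupValues[2].toInt()
            val algo = algoOf[variable]
            val min = if (algo != null) MIN_BITS[algo] else null
            // Only literal sizes below the floor are reported; unknown algorithms are skipped.
            if (min != null && bits < min) {
                findings += Finding(idx + 1, line.trim(), "$algo key size $bits < $min bits")
            }
        }
    }
    return findings
}

fun main() {
    // Constructed sample input, modelled on the vulnerable snippet on this page.
    val sample = """
        val keyPairGen = KeyPairGenerator.getInstance("RSA")
        keyPairGen.initialize(1024)
        val aesGen = KeyGenerator.getInstance("AES")
        aesGen.init(64)
        val strong = KeyPairGenerator.getInstance("RSA")
        strong.initialize(4096)
    """.trimIndent()
    // Expected: lines 2 and 4 are reported; line 6 passes.
    scan(sample).forEach { println("line ${it.line}: ${it.reason} -> ${it.text}") }
}
```

A scanner of this shape deliberately ignores sizes that are computed or passed through variables; a real rule resolves those through the AST, and anything it cannot resolve is better reviewed by hand than silently accepted.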
Vulnerable code example
import javax.crypto.KeyGenerator
import java.security.KeyPairGenerator
// RSA key size too small (minimum recommended is 2048 bits)
val keyPairGen = KeyPairGenerator.getInstance("RSA")
keyPairGen.initialize(1024) // Vulnerable: Using weak RSA key size of 1024 bits
// AES key size too small (minimum recommended is 128 bits)...
✅ Secure code example
import javax.crypto.KeyGenerator
import java.security.KeyPairGenerator
// Initialize RSA with secure key size
val keyPairGen = KeyPairGenerator.getInstance("RSA")
keyPairGen.initialize(2048) // Safe: Using recommended minimum RSA key size
// Initialize AES with secure key size...
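The secure snippet above shows the fixed size; the Kotlin below is an added example (not from this page or from Fluid Attacks) of how a project can make the safe choice the only one available: generation is routed through helpers that enforce a size floor, pass an explicit `RSAKeyGenParameterSpec` / `ECGenParameterSpec` with a `SecureRandom`, and then verify the key that was actually produced. The floors, the approved-curve list and the default sizes (RSA 3072, AES 256) are assumed policy values chosen for this example; the page itself only states the 2048-bit and 128-bit minimums.

```kotlin
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.SecureRandom
import java.security.interfaces.ECPublicKey
import java.security.interfaces.RSAPublicKey
import java.security.spec.ECGenParameterSpec
import java.security.spec.RSAKeyGenParameterSpec
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Assumed policy floors for this example (RSA 2048 / AES 128 are the page's stated minimums).
const val MIN_RSA_BITS = 2048
const val MIN_AES_BITS = 128
private val APPROVED_CURVES = setOf("secp256r1", "secp384r1", "secp521r1")

fun secureRsaKeyPair(bits: Int = 3072): KeyPair {
    require(bits >= MIN_RSA_BITS) { "RSA key size $bits is below the $MIN_RSA_BITS-bit minimum" }
    val gen = KeyPairGenerator.getInstance("RSA")
    // Explicit spec: key size plus the standard public exponent F4 (65537), strong RNG.
    gen.initialize(RSAKeyGenParameterSpec(bits, RSAKeyGenParameterSpec.F4), SecureRandom())
    return gen.generateKeyPair()
}

fun secureEcKeyPair(curve: String = "secp256r1"): KeyPair {
    require(curve in APPROVED_CURVES) { "curve $curve is not on the approved list" }
    val gen = KeyPairGenerator.getInstance("EC")
    // Named curve instead of an integer size, so the choice is unambiguous.
    gen.initialize(ECGenParameterSpec(curve), SecureRandom())
    return gen.generateKeyPair()
}

fun secureAesKey(bits: Int = 256): SecretKey {
    require(bits >= MIN_AES_BITS) { "AES key size $bits is below the $MIN_AES_BITS-bit minimum" }
    val gen = KeyGenerator.getInstance("AES")
    gen.init(bits, SecureRandom())
    return gen.generateKey()
}

// Post-generation checks: inspect the produced key rather than trusting the argument.
fun rsaKeyBits(pair: KeyPair): Int = (pair.public as RSAPublicKey).modulus.bitLength()
fun ecFieldBits(pair: KeyPair): Int = (pair.public as ECPublicKey).params.curve.field.fieldSize

fun main() {
    val rsa = secureRsaKeyPair()
    println("RSA modulus: ${rsaKeyBits(rsa)} bits")
    val ec = secureEcKeyPair()
    println("EC field: ${ecFieldBits(ec)} bits")
    val aes = secureAesKey()
    println("AES key: ${aes.encoded.size * 8} bits")
    // The guard rejects the weak parameter flagged on this page (1024-bit RSA).
    val rejected = runCatching { secureRsaKeyPair(1024) }.isFailure
    println("RSA 1024 rejected: $rejected")
}
```

Routing all generation through helpers like these also makes the detection rule's job easier: the only `initialize()` calls left in the code base are the ones inside the helpers, where the size is a named constant that a reviewer or a rule can check in one place.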