Dart Cryptography Weak RSA Key Size
Description
This detector identifies the use of weak RSA key sizes in Dart applications that generate keys with the cryptography package (package:cryptography). RSA moduli shorter than 2048 bits fall below the NIST SP 800-131A minimum and are considered cryptographically weak: they are within reach of well-resourced factorization attacks, and an attacker who recovers the private key can decrypt protected data and forge digital signatures.
Detection Strategy
• The code must import the cryptography package (package:cryptography)
• The file must not be a test file
• There must be a method call whose name ends with the RSA key-generation ("sink") method name, newKeyPair
• At least one argument to that call must set modulusLength to a value below the secure threshold of 2048 bits
• The vulnerability is reported on the specific newKeyPair call that creates the RSA key pair with the weak modulus length
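The following is an added example, not part of the Fluid Attacks detector or of the cryptography package, that implements the four conditions above as a small Python scanner over Dart source text. The regular expressions, the test-file heuristic (paths under test/ or ending in _test.dart) and the embedded Dart snippets are all assumptions constructed for illustration. Note the caveat that the example makes explicit: a newKeyPair call with no explicit modulusLength is not flagged, because the detector only reports an argument that specifies an unsafe size, so the library default in use has to be reviewed separately.

```python
import re
from typing import List, NamedTuple

# NIST SP 800-131A minimum; anything shorter is reported.
MIN_RSA_MODULUS_BITS = 2048

# Condition 1: the file imports package:cryptography.
IMPORT_RE = re.compile(r"""^\s*import\s+['"]package:cryptography/""", re.MULTILINE)
# Condition 3: a call ending in `.newKeyPair(`; the argument list is captured
# (assumption: no nested parentheses inside the argument list).
CALL_RE = re.compile(r"\.newKeyPair\s*\(([^)]*)\)")
# Condition 4: an explicit modulusLength argument with an integer literal.
MODULUS_RE = re.compile(r"\bmodulusLength\s*:\s*(\d+)")
# Condition 2: assumed test-file convention (test/ directory or *_test.dart).
TEST_FILE_RE = re.compile(r"(^|/)test/|_test\.dart$")


class Finding(NamedTuple):
    path: str
    line: int          # 1-based line of the flagged newKeyPair call
    modulus_bits: int  # the weak size that was requested
    snippet: str       # the matched call text


def is_test_file(path: str) -> bool:
    return TEST_FILE_RE.search(path) is not None


def find_weak_rsa_keys(path: str, source: str) -> List[Finding]:
    """Apply the detector's conditions to one Dart file and return findings."""
    if is_test_file(path):
        return []
    if not IMPORT_RE.search(source):
        return []
    findings: List[Finding] = []
    for call in CALL_RE.finditer(source):
        mod = MODULUS_RE.search(call.group(1))
        if mod is None:
            # No explicit modulusLength: not reported by this detector.
            # The package default still has to be checked by the reviewer.
            continue
        bits = int(mod.group(1))
        if bits < MIN_RSA_MODULUS_BITS:
            line = source.count("\n", 0, call.start()) + 1
            findings.append(Finding(path, line, bits, call.group(0)))
    return findings


# Constructed sample inputs (not real project files).
VULNERABLE_DART = """\
import 'package:cryptography/cryptography.dart';

Future<void> weakRsaKeys() async {
  final rsa = RsaSsaPkcs1v15.sha256();
  final weak = await rsa.newKeyPair(modulusLength: 1024);
  final pss = RsaPss.sha256();
  final ok = await pss.newKeyPair(modulusLength: 3072);
}
"""

SECURE_DART = VULNERABLE_DART.replace("modulusLength: 1024", "modulusLength: 2048")

# Same weak size, but a hypothetical different package: condition 1 fails.
NO_IMPORT_DART = VULNERABLE_DART.replace(
    "package:cryptography/cryptography.dart", "package:other_rsa/other_rsa.dart"
)

if __name__ == "__main__":
    for path, src in [("lib/crypto.dart", VULNERABLE_DART),
                      ("lib/crypto.dart", SECURE_DART),
                      ("test/crypto_test.dart", VULNERABLE_DART),
                      ("lib/other.dart", NO_IMPORT_DART)]:
        for f in find_weak_rsa_keys(path, src):
            print(f"{f.path}:{f.line}: RSA modulus of {f.modulus_bits} bits "
                  f"is below {MIN_RSA_MODULUS_BITS} ({f.snippet})")
```

Run as a script, only the first input produces a line of output, pointing at the 1024-bit call; the 3072-bit call in the same file, the 2048-bit variant, the copy under test/ and the file that does not import package:cryptography are all silent, which mirrors the detector's conditions one by one.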
Vulnerable code example
import 'package:cryptography/cryptography.dart';

// VULNERABLE: 1024 bits is below the NIST SP 800-131A minimum of 2048 bits
Future<void> weakRsaKeys() async {
  final rsa = RsaSsaPkcs1v15.sha256();
  final keyPair = await rsa.newKeyPair(modulusLength: 1024); // Weak key size, reported here
  // VULNERABLE: RSA-PSS also requires 2048+ bits...
}
✅ Secure code example
import 'package:cryptography/cryptography.dart';

// SECURE: 2048+ bits meets the NIST SP 800-131A minimum
Future<void> secureRsaKeys() async {
  final rsa = RsaSsaPkcs1v15.sha256();
  final keyPair = await rsa.newKeyPair(modulusLength: 2048); // NIST minimum; larger is acceptable
  // SECURE: RSA-PSS with adequate key strength...
}