Java Insecure Key Rsa
Description
Detects the use of weak or insecure RSA key configurations in Java applications. The vulnerability occurs when java.security.spec.RSAKeyGenParameterSpec is instantiated with an insufficient modulus size (its first constructor argument) or other weak parameters and then passed to KeyPairGenerator.initialize(). Current guidance (NIST SP 800-57 Part 1) requires at least 2048 bits for new RSA keys; 1024-bit and smaller moduli no longer offer an adequate margin against factoring, so keys generated from such a spec leave any signature or encryption built on them susceptible to attack.
Detection Strategy
• Look for instantiations or uses of the RSAKeyGenParameterSpec class, whether imported or referenced by its fully qualified name (java.security.spec.RSAKeyGenParameterSpec)
• Examine the constructor arguments passed to RSAKeyGenParameterSpec: the first is the key size in bits, the second the public exponent
• Flag cases where the key size is below the recommended secure value (2048 bits); resolve simple integer constants, and report sizes that cannot be determined statically (method parameters, configuration lookups) for manual review rather than silently passing them
• Report a vulnerability when RSAKeyGenParameterSpec is used with weak/insecure parameters
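The following Python script is an added example that implements the four detection steps above over Java source text; it is not Fluid Attacks' own scanner code. It finds every new RSAKeyGenParameterSpec( call, with or without the java.security.spec. prefix, extracts the first constructor argument with a bracket-balanced parse (so a public exponent such as BigInteger.valueOf(65537) does not confuse a comma split), resolves simple int constants declared in the same file, and marks sizes it cannot resolve as needing review instead of ignoring them. The sample class RsaKeys, its methods and the LEGACY_BITS constant are constructed input written for this example; MIN_RSA_BITS, Finding and scan_java_source are names chosen here.

```python
"""Static check for weak RSAKeyGenParameterSpec key sizes in Java source (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

MIN_RSA_BITS = 2048  # NIST SP 800-57 Part 1 minimum modulus size for new RSA keys

# `new RSAKeyGenParameterSpec(` with or without the fully qualified package name.
_CTOR_RE = re.compile(r"new\s+(?:java\.security\.spec\.)?RSAKeyGenParameterSpec\s*\(")
# Simple int constants such as `private static final int KEY_BITS = 1024;`
_INT_CONST_RE = re.compile(
    r"(?:(?:public|private|protected|static|final)\s+)*\bint\s+(\w+)\s*=\s*(\d[\d_]*)\s*;"
)
_INT_LITERAL_RE = re.compile(r"^\d[\d_]*$")
_IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")


@dataclass
class Finding:
    line: int
    key_size: Optional[int]  # None when the size is not statically known
    exponent: str            # second constructor argument, verbatim
    verdict: str             # "vulnerable", "ok" or "review"


def _balanced_args(text: str, open_idx: int) -> Optional[str]:
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return None  # unbalanced or truncated input


def _split_top_level(args: str) -> List[str]:
    """Split an argument list on commas that are not nested inside brackets."""
    parts, depth, cur = [], 0, []
    for ch in args:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def scan_java_source(source: str) -> List[Finding]:
    """Report every RSAKeyGenParameterSpec construction and judge its key size."""
    consts = {n: int(v.replace("_", "")) for n, v in _INT_CONST_RE.findall(source)}
    findings = []
    for m in _CTOR_RE.finditer(source):
        args = _balanced_args(source, m.end() - 1)
        if args is None:
            continue
        parts = _split_top_level(args)
        size_expr = parts[0] if parts else ""
        exponent = parts[1] if len(parts) > 1 else ""
        line = source.count("\n", 0, m.start()) + 1
        if _INT_LITERAL_RE.match(size_expr):
            bits: Optional[int] = int(size_expr.replace("_", ""))
        elif _IDENT_RE.match(size_expr) and size_expr in consts:
            bits = consts[size_expr]
        else:
            bits = None  # parameter, config lookup or arithmetic: needs manual review
        verdict = "review" if bits is None else ("vulnerable" if bits < MIN_RSA_BITS else "ok")
        findings.append(Finding(line, bits, exponent, verdict))
    return findings


# Constructed sample Java source (not from any real project) covering each case.
SAMPLE_JAVA = """\
import java.security.KeyPairGenerator;
import java.security.spec.RSAKeyGenParameterSpec;

public class RsaKeys {
    private static final int LEGACY_BITS = 1024;

    void weakLiteral(KeyPairGenerator kpg) throws Exception {
        kpg.initialize(new RSAKeyGenParameterSpec(1024, RSAKeyGenParameterSpec.F4));
    }
    void weakConstant(KeyPairGenerator kpg) throws Exception {
        kpg.initialize(new java.security.spec.RSAKeyGenParameterSpec(
            LEGACY_BITS, java.math.BigInteger.valueOf(65537)));
    }
    void strong(KeyPairGenerator kpg) throws Exception {
        kpg.initialize(new RSAKeyGenParameterSpec(3072, RSAKeyGenParameterSpec.F4));
    }
    void fromParameter(KeyPairGenerator kpg, int bits) throws Exception {
        kpg.initialize(new RSAKeyGenParameterSpec(bits, RSAKeyGenParameterSpec.F4));
    }
}
"""

if __name__ == "__main__":
    for f in scan_java_source(SAMPLE_JAVA):
        print(f"line {f.line}: {f.verdict:10} key_size={f.key_size} exponent={f.exponent}")
```

Run against the embedded sample, the scan reports the 1024-bit literal and the 1024-bit constant as vulnerable, the 3072-bit spec as ok, and the size taken from a method parameter as review. The "review" verdict is the caveat worth keeping in a real rule: a scanner that only matches integer literals will miss sizes that arrive through constants, configuration or arguments, and those are exactly where legacy 1024-bit settings tend to hide.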
Vulnerable code example
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;

public class CryptoExample {
    public static void main(String[] args) throws Exception {
        // Insecure: Using weak MD5 hash algorithm
        MessageDigest md = MessageDigest.getInstance("MD5");
        ...
✅ Secure code example
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
public class CryptoExample {
    ...