Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks.
NIST recommendations will be checked for these use-cases:
Digital Signature Generation and Verification:
p
is key length and q
the modulus length) n
is the key length) Key Agreement:
secp192r1
is a non-compliant curve (n
< 224) but secp224k1
is
compliant (n
>= 224)) Symmetric keys:
This rule will not raise issues for ciphers that are considered weak (no matter the key size) like DES
, Blowfish
.
KeyPairGenerator keyPairGen1 = KeyPairGenerator.getInstance("RSA"); keyPairGen1.initialize(1024); // Noncompliant KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC"); ECGenParameterSpec ecSpec1 = new ECGenParameterSpec("secp112r1"); // Noncompliant keyPairGen5.initialize(ecSpec1); KeyGenerator keyGen1 = KeyGenerator.getInstance("AES"); keyGen1.init(64); // Noncompliant
KeyPairGenerator keyPairGen6 = KeyPairGenerator.getInstance("RSA"); keyPairGen6.initialize(2048); // Compliant KeyPairGenerator keyPairGen5 = KeyPairGenerator.getInstance("EC"); ECGenParameterSpec ecSpec10 = new ECGenParameterSpec("secp256r1"); // compliant keyPairGen5.initialize(ecSpec10); KeyGenerator keyGen2 = KeyGenerator.getInstance("AES"); keyGen2.init(128); // Compliant