SV.WEAK.KEYS.DSA

Insufficient key length in Cryptographic Algorithm

Klocwork reports a SV.WEAK.KEYS.DSA defect when the DSA cryptographic algorithm is used with a key that is of insufficient size.

Vulnerability and risk

Small key size can lead to algorithm breaks that can then lead to the leakage of sensitive data. Algorithms need to be robust against the powerful computing techniques that are used to perform brute force attacks.

Mitigation and prevention

Avoid implementing DSA algorithms with keys that are less than 2048 bits.

Vulnerable code example

Copy
import java.security.KeyPairGenerator;
 
class KeyGenDSATest {
  public static void main(String[] args) {
    KeyPairGenerator generatorDSA = KeyPairGenerator.getInstance("DSA");
    generatorDSA.initialize(1024);  // SV.WEAK.KEYS.DSA (!)
  }
}

Klocwork reports an SV.WEAK.KEYS.DSA defect on line 6, indicating, "Cryptographic Algorithm uses key less than 2048 bits". A DSA algorithm needs a key that is at least 2048 bits.

Fixed code example

Copy
import java.security.KeyPairGenerator;
 
class KeyGenDSATest {
  public static void main(String[] args) {
    KeyPairGenerator generatorDSA = KeyPairGenerator.getInstance("DSA");
    generatorDSA.initialize(2048);  // no SV.WEAK.KEYS.DSA
  }
}

Klocwork no longer reports a defect because the DSA algorithm uses a key that is 2048 bits.

Security training

Application security training materials provided by Secure Code Warrior.