Skip to content

MASTG-DEMO-0012: Cryptographic Key Generation With Insufficient Key Length

Download MASTG-DEMO-0012 APK Open MASTG-DEMO-0012 Folder Build MASTG-DEMO-0012 APK

Sample

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
package org.owasp.mastestapp

import android.util.Log
import android.content.Context
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyPairGenerator
import java.security.SecureRandom
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

class MastgTest (private val context: Context){

    fun mastgTest(): String {

        val generator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA)
        generator.initialize(1024, SecureRandom())
        val keypair = generator.genKeyPair()
        Log.d("Keypair generated RSA", Base64.encodeToString(keypair.public.encoded, Base64.DEFAULT))

        val keyGen1 = KeyGenerator.getInstance("AES")
        keyGen1.init(128)
        val secretKey1: SecretKey = keyGen1.generateKey()

        val keyGen2 = KeyGenerator.getInstance("AES")
        keyGen2.init(256)
        val secretKey2: SecretKey = keyGen2.generateKey()

        return "Generated RSA Key:\n " + Base64.encodeToString(keypair.public.encoded, Base64.DEFAULT)+"Generated AES Key1\n "+ Base64.encodeToString(secretKey1.encoded, Base64.DEFAULT)+ "Generated AES Key2\n "+ Base64.encodeToString(secretKey2.encoded, Base64.DEFAULT);

    }

}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
package org.owasp.mastestapp;

import android.content.Context;
import android.util.Base64;
import android.util.Log;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;

/* compiled from: MastgTest.kt */
@Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0007"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
/* loaded from: classes4.dex */
public final class MastgTest {
    public static final int $stable = 8;
    private final Context context;

    public MastgTest(Context context) {
        Intrinsics.checkNotNullParameter(context, "context");
        this.context = context;
    }

    public final String mastgTest() {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(1024, new SecureRandom());
        KeyPair keypair = generator.genKeyPair();
        Log.d("Keypair generated RSA", Base64.encodeToString(keypair.getPublic().getEncoded(), 0));
        KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
        keyGen1.init(128);
        SecretKey secretKey1 = keyGen1.generateKey();
        Intrinsics.checkNotNullExpressionValue(secretKey1, "generateKey(...)");
        KeyGenerator keyGen2 = KeyGenerator.getInstance("AES");
        keyGen2.init(256);
        SecretKey secretKey2 = keyGen2.generateKey();
        Intrinsics.checkNotNullExpressionValue(secretKey2, "generateKey(...)");
        return "Generated RSA Key:\n " + Base64.encodeToString(keypair.getPublic().getEncoded(), 0) + "Generated AES Key1\n " + Base64.encodeToString(secretKey1.getEncoded(), 0) + "Generated AES Key2\n " + Base64.encodeToString(secretKey2.getEncoded(), 0);
    }
}

Steps

Let's run our semgrep rule against the sample code.

../../../../rules/mastg-android-key-generation-with-insufficient-key-length.yml
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
rules:
  - id: mastg-android-key-generation-with-insufficient-key-length
    severity: WARNING
    languages:
      - java
    metadata:
      summary: This rule looks for methods that create keys with insufficient length in encryption algorithms.
    message: "[MASVS-CRYPTO] Make sure that the key size is according to security best practices"
    pattern-either:
      - pattern: |
          $K = $G.getInstance("RSA");
          ...
          $K.initialize(1024, new SecureRandom());
      - pattern: |
          $K = $G.getInstance("RSA");
          ...
          $K.initialize(512, new SecureRandom());
      - pattern: |
          $K = $G.getInstance("AES");
          ...
          $K.init(128);
run.sh
1
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-key-generation-with-insufficient-key-length.yml ./MastgTest_reversed.java > output.txt

Observation

The rule has identified some instances in the code file where cryptographic keys are being generated. The specified line numbers can be located in the reverse-engineered code for further investigation and remediation.

output.txt
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
┌─────────────────┐
 2 Code Findings 
└─────────────────┘

    MastgTest_reversed.java
    ❯❱ rules.mastg-android-key-generation-with-insufficient-key-length
          [MASVS-CRYPTO] Make sure that the key size is according to security best practices

           27 KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
           28 generator.initialize(1024, new SecureRandom());
            ⋮┆----------------------------------------
           31 KeyGenerator keyGen1 = KeyGenerator.getInstance("AES");
           32 keyGen1.init(128);

Evaluation

The test fails because the key size of the RSA key is set to 1024 bits, and the size of the AES key is set to 128, which is considered insufficient in both cases.