MASTG-TEST-0208: Inappropriate Key Sizes
Content in BETA
This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).
Overview¶
In this test case, we will look for the use of inappropriate key sizes in Android apps. To do this, we need to focus on the cryptographic frameworks and libraries that are available in Android and the methods that are used to generate, inspect and manage cryptographic keys.
The Java Cryptography Architecture (JCA) provides foundational classes for key generation which are often used directly when portability or compatibility with older systems is a concern.
- KeyGenerator: The KeyGenerator class is used to generate symmetric keys including AES, DES, ChaCha20 or Blowfish, as well as various HMAC keys. The key size can be specified using the init(int keysize) method.
- KeyPairGenerator: The KeyPairGenerator class is used for generating key pairs for asymmetric encryption (e.g., RSA, EC). The key size can be specified using the initialize(int keysize) method.
For more information you can consult the MASTG section about "Key Generation".
Steps¶
- Run a static analysis tool such as semgrep on the code and look for uses of the cryptographic functions that generate keys.
Observation¶
The output should contain a list of locations where insufficient key lengths are used.
Evaluation¶
The test case fails if you can find the use of inappropriate key sizes within the source code. For example, a 1024-bit key size is considered weak for RSA encryption, and a 128-bit key size is considered weak for AES encryption when quantum computing attacks are taken into account.
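As an added illustration of the Steps and Evaluation above (not MASTG tooling and not a semgrep rule), the following scanner looks for KeyGenerator.init(int) and KeyPairGenerator.initialize(int) calls in Java or Kotlin source and flags literal sizes below an assumed per-algorithm minimum; the minimums, the sample source and all names are assumptions chosen to match this page's examples.

```python
"""Scan Java/Kotlin source for weak sizes passed to KeyGenerator.init(int)
and KeyPairGenerator.initialize(int). Added example, not MASTG tooling or a
semgrep rule; the algorithm is resolved via the getInstance(...) variable or
a chained call, and non-literal sizes are reported with size None for review."""

import re

# Assumed minimums, chosen to match this page's evaluation (RSA 1024 and
# AES 128 are called weak). Algorithms not listed here are not judged.
MIN_BITS = {"RSA": 2048, "AES": 256}

ALG = r'(?:KeyGenerator|KeyPairGenerator)\.getInstance\(\s*"([A-Za-z0-9]+)[^"]*"'
ASSIGN_RE = re.compile(r'(?:KeyGenerator|KeyPairGenerator|val|var)\s+(\w+)\s*=\s*' + ALG)
CHAINED_RE = re.compile(ALG + r'\s*\)\s*\.\s*(?:init|initialize)\(\s*(\w+)\s*\)')
CALL_RE = re.compile(r'\b(\w+)\s*\.\s*(?:init|initialize)\(\s*(\w+)\s*\)')

def _check(line_no, alg, size, findings):
    if not size.isdigit():
        findings.append((line_no, alg, None))          # computed size: review by hand
    elif alg in MIN_BITS and int(size) < MIN_BITS[alg]:
        findings.append((line_no, alg, int(size)))

def find_weak_key_sizes(source):
    """Return (line_no, algorithm, size) for every flagged init/initialize call."""
    findings, var_alg = [], {}
    for no, line in enumerate(source.splitlines(), 1):
        for var, alg in ASSIGN_RE.findall(line):
            var_alg[var] = alg.upper()                  # remember which algorithm a generator variable holds
        for alg, size in CHAINED_RE.findall(line):
            _check(no, alg.upper(), size, findings)
        for var, size in CALL_RE.findall(line):
            if var in var_alg:                          # skip unrelated calls such as Cipher.init(...)
                _check(no, var_alg[var], size, findings)
    return findings

# Constructed sample source (not taken from any real app).
SAMPLE_SOURCE = """\
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(1024);                                  // flagged: RSA 1024
KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(128);                                          // flagged: AES 128
val ok = KeyGenerator.getInstance("AES")
ok.init(256)                                           // accepted
KeyPairGenerator.getInstance("RSA").initialize(4096);  // accepted, chained
kpg.initialize(keyBits);                               // size unresolved
"""

if __name__ == "__main__":
    for line_no, alg, size in find_weak_key_sizes(SAMPLE_SOURCE):
        print(f"line {line_no}: {alg} key size {size if size else 'not a literal'}")
```

Sizes supplied through a parameter spec object or computed at runtime are not resolved by the regexes and still need manual review, as does any algorithm missing from MIN_BITS.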