Skip to content

weak-cryptographic-key (S505)#

Derived from the flake8-bandit linter.

This rule is unstable and in preview. The --preview flag is required for use.

What it does#

Checks for uses of cryptographic keys with vulnerable key sizes.

Why is this bad?#

Small keys are easily breakable. For DSA and RSA, keys should be at least 2048 bits long. For EC, keys should be at least 224 bits long.

Example#

from cryptography.hazmat.primitives.asymmetric import dsa, ec

dsa.generate_private_key(key_size=512)
ec.generate_private_key(curve=ec.SECT163K1)

Use instead: 

from cryptography.hazmat.primitives.asymmetric import dsa, ec

dsa.generate_private_key(key_size=4096)
ec.generate_private_key(curve=ec.SECP384R1)

References#