Most cryptographic systems require a sufficiently large key size to be robust against brute-force attacks.

NIST recommendations will be checked for these use cases:

Digital Signature Generation and Verification:

Key Agreement:

Symmetric keys:

This rule will not raise issues for ciphers that are considered weak regardless of key size, such as DES or Blowfish.

Noncompliant Code Example

crypto built-in module:

const crypto = require('crypto');

// Callback used by the asynchronous generateKeyPair() calls below
const callback = (err, publicKey, privateKey) => {
  if (err) throw err;
};

var { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 1024,  // Noncompliant
  publicKeyEncoding:  { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}); // Noncompliant: 1024 bits is too short for an RSA key pair

crypto.generateKeyPair('ec', {
  namedCurve: 'secp112r2',
  publicKeyEncoding:  { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}, callback); // Noncompliant: the secp112r2 curve doesn't provide enough security

Compliant Solution

crypto built-in module:

const crypto = require('crypto');

// Callback used by the asynchronous generateKeyPair() calls below
const callback = (err, publicKey, privateKey) => {
  if (err) throw err;
};

crypto.generateKeyPair('rsa', {
  modulusLength: 2048,  // Compliant
  publicKeyEncoding:  { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}, callback); // Compliant

crypto.generateKeyPair('ec', {
  namedCurve: 'secp224k1',
  publicKeyEncoding:  { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}, callback); // Compliant

See