Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks.
NIST recommendations will be checked for these use-cases:
Digital Signature Generation and Verification:
p is key length and q the modulus length) n is the key length) Key Agreement:
secp192r1 is a non-compliant curve (n < 224) but secp224k1 is
compliant (n >= 224)) Symmetric keys:
This rule will not raise issues for ciphers that are considered weak (no matter the key size) like DES, Blowfish.
crypto built-in module:
var { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
modulusLength: 1024, // Noncompliant
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}); // Noncompliant: 1024 bits is too short for a RSA key pair
crypto.generateKeyPair('ec', {
namedCurve: 'secp112r2',
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}, callback); // Noncompliant: secp112r2 curve doesn't provide enough security
crypto built-in module:
crypto.generateKeyPair('rsa', {
modulusLength: 2048, // Compliant
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}, callback); // Compliant
crypto.generateKeyPair('ec', {
namedCurve: 'secp224k1',
publicKeyEncoding: { type: 'spki', format: 'pem' },
privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
}, callback); // compliant