Main Content

Nonsecure parameters for key generation

Context used for key generation is associated with weak parameters

expand all in page

Description

This defect occurs when you attempt key generation by using an EVP_PKEY_CTX context object that is associated with weak parameters. What constitutes a weak parameter depends on the public key algorithm used. In the DSA algorithm, a weak parameter can be the result of setting an insufficient parameter length.

For instance, you set the number of bits used for DSA parameter generation to 512 bits, and then use the parameters for key generation:

EVP_PKEY_CTX *pctx,*kctx;
EVP_PKEY *params, *pkey;

/* Initializations for parameter generation */
pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL);
params = EVP_PKEY_new();

/* Parameter generation */
ret = EVP_PKEY_paramgen_init(pctx);
ret = EVP_PKEY_CTX_set_dsa_paramgen_bits(pctx, KEYLEN_512BITS);
ret = EVP_PKEY_paramgen(pctx, &params);

/* Initializations for key generation */
kctx = EVP_PKEY_CTX_new(params, NULL);
pkey = EVP_PKEY_new();

/* Key generation */
ret = EVP_PKEY_keygen_init(kctx);
ret = EVP_PKEY_keygen(kctx, &pkey);

Risk

Weak parameters lead to keys that are not sufficiently strong for encryption and expose sensitive information to known ways of attack.

Fix

Depending on the algorithm, use these parameters:

  • Diffie-Hellman (DH): Set the length of the DH prime parameter to 2048 bits.

    ret = EVP_PKEY_CTX_set_dh_paramgen_prime_len(pctx, 2048);
    Set the DH generator to 2 or 5.
    ret = EVP_PKEY_CTX_set_dh_paramgen_generator(pctx, 2);

  • Digital Signature Algorithm (DSA): Set the number of bits used for DSA parameter generation to 2048 bits.

    ret = EVP_PKEY_CTX_set_dsa_paramgen_bits(pctx, 2048);

  • RSA: Set the RSA key length to 2048 bits.

    ret = EVP_PKEY_CTX_set_rsa_keygen_bits(kctx, 2048);

  • Elliptic curve (EC): Avoid using curves that are known to be broken, for instance, X9_62_prime256v1. Use, for instance, sect239k1.

    ret = EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pctx, NID_sect239k1);

Examples

expand all

#include <stddef.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>

#define fatal_error() exit(-1)

int ret;
int func(EVP_PKEY *pkey){
  EVP_PKEY_CTX * ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); 
  if (ctx == NULL) fatal_error();

  ret = EVP_PKEY_keygen_init(ctx);
  if (ret <= 0) fatal_error();
  ret = EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 512); 
  if (ret <= 0) fatal_error();
  return EVP_PKEY_keygen(ctx, &pkey); 
}

In this example, the RSA key generation uses 512 bits, which makes the generated key vulnerable to attacks.

Correction — Use 2048 bits

Use 2048 bits for RSA key generation.

#include <stddef.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>

#define fatal_error() exit(-1)

int ret;
int func(EVP_PKEY *pkey){
  EVP_PKEY_CTX * ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); 
  if (ctx == NULL) fatal_error();

  ret = EVP_PKEY_keygen_init(ctx);
  if (ret <= 0) fatal_error();
  ret = EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048); 
  if (ret <= 0) fatal_error();
  return EVP_PKEY_keygen(ctx, &pkey); 
}

Result Information

Group: Cryptography
Language: C | C++
Default: Off
Command-Line Syntax: CRYPTO_PKEY_WEAK_PARAMS
Impact: Medium

Version History

Introduced in R2018a

See Also

| | | | | | |

Topics

External Websites