Usage of small key size with Blowfish encryption

Overview

  • Rule ID: java_lang_blowfish_key_size

  • Applicable Languages: Java

  • Weakness ID: CWE-326

Description

Using Blowfish encryption with a small key size (128 bits or less) makes your data vulnerable to birthday attacks. The weakness arises because smaller keys lack the complexity needed to protect encrypted data effectively. Use a larger key size, such as 256 bits, to strengthen the encryption.

Risks

  • Using Blowfish encryption with a small key size (128 bits or less) heightens the risk of birthday attacks, where attackers could potentially exploit weaknesses in the encryption due to the limited complexity of smaller keys. This could lead to unauthorized access or decryption of sensitive data.

Remediation Guidelines

  • Increase the key size when using Blowfish encryption by setting it to 256 bits or higher using the KeyGenerator.init(keySize) method. This adjustment substantially enhances the security of the encryption process.

    KeyGenerator keyGenerator = KeyGenerator.getInstance("Blowfish");
    keyGenerator.init(256); // request a 256-bit key instead of 128 bits or less
    
  • Consider using AES for encryption instead of Blowfish. AES is widely regarded as more secure and recommended as an encryption standard. You can choose AES by initializing the KeyGenerator instance specifically for AES encryption.

    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
    keyGenerator.init(256); // AES-256; without init() the generator falls back to the provider default
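The two remediations above, as an added worked example in Java that is not part of this rule page: it mirrors the rule's threshold in a small check, generates the recommended 256-bit Blowfish key and an AES-256 key while verifying the provider honoured the requested size, and exercises the AES key in an authenticated (GCM) round trip. The class and method names are assumptions and the plaintext is constructed.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class BlowfishKeySizeExample {
    // Mirrors the rule: Blowfish with a key of 128 bits or less is flagged.
    static boolean isFlaggedBlowfishKeySize(String algorithm, int bits) {
        return "Blowfish".equalsIgnoreCase(algorithm) && bits <= 128;
    }

    // Generates a key and verifies the provider honoured the requested size.
    static SecretKey generate(String algorithm, int bits) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(algorithm);
        kg.init(bits);
        SecretKey key = kg.generateKey();
        int actual = key.getEncoded().length * 8;
        if (actual != bits) {
            throw new IllegalStateException(algorithm + " key is " + actual + " bits, expected " + bits);
        }
        return key;
    }

    // Encrypts and decrypts with AES/GCM so the AES remediation is exercised end to end.
    static byte[] aesGcmRoundTrip(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];            // 96-bit nonce, fresh for every encryption
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ciphertext = c.doFinal(plaintext);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        // Flagged configuration: Blowfish initialised with 128 bits.
        System.out.println("Blowfish/128 flagged: " + isFlaggedBlowfishKeySize("Blowfish", 128));
        // Remediation 1: Blowfish with a 256-bit key (SunJCE accepts 32 to 448 bits).
        SecretKey bf = generate("Blowfish", 256);
        System.out.println("Blowfish/256 flagged: " + isFlaggedBlowfishKeySize("Blowfish", bf.getEncoded().length * 8));
        // Remediation 2: AES with a 256-bit key in an authenticated mode.
        SecretKey aes = generate("AES", 256);
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        System.out.println("AES-256/GCM round trip ok: " + Arrays.equals(msg, aesGcmRoundTrip(aes, msg)));
    }
}
```

The size check in generate() is the part worth keeping in real code: a provider that silently caps or pads the key would otherwise pass the scan while still producing the weak configuration.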
