Insecure cryptography (Critical)

Misuse of cryptography-related APIs can create security vulnerabilities. This includes algorithms with known weaknesses, certain padding modes, lack of integrity checks, insufficiently large key sizes, and insecure combinations of the aforementioned.

Detector ID
python/insecure-cryptography@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

def cryptography_noncompliant():
    from cryptography.hazmat.primitives import hashes, hmac
    import secrets
    # Noncompliant: a 12-byte key is smaller than the 28-byte output of
    # SHA-512/224, so the HMAC key size is too small for this algorithm.
    key = secrets.token_bytes(12)
    hash_key = hmac.HMAC(key, algorithm=hashes.SHA512_224())
    return hash_key

Compliant example

def cryptography_compliant():
    from cryptography.hazmat.primitives import hashes, hmac
    import secrets
    # Compliant: a 48-byte key from the OS CSPRNG exceeds the 28-byte output
    # of SHA-512/224, so the key size is sufficient for this algorithm.
    key = secrets.token_bytes(48)
    hash_key = hmac.HMAC(key, algorithm=hashes.SHA512_224())
    return hash_key
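The rule behind the two examples above is that an HMAC key should be at least as long as the hash output (RFC 2104): SHA-512/224 produces 28 bytes, so 12 bytes is too short and 48 bytes is fine. The added example below, which is not part of the detector page and uses the standard-library hmac and hashlib modules rather than the cryptography package so that it runs without extra dependencies, turns that floor into a check, derives a correctly sized key from the digest size instead of a hard-coded number, and refuses to tag with a key that fails the check. The function names and the sample message are constructed for this example.

```python
import hashlib
import hmac
import secrets


def min_hmac_key_len(digestmod: str) -> int:
    """Minimum HMAC key length in bytes: the hash output size L (RFC 2104)."""
    return hashlib.new(digestmod).digest_size


def check_hmac_key(key: bytes, digestmod: str) -> bool:
    """True when the key meets the length floor for this hash.

    This is the property the detector flags when it is violated: a key
    shorter than the digest (e.g. 12 bytes with a 28-byte SHA-512/224
    output) weakens the MAC below the strength the hash could provide.
    """
    return len(key) >= min_hmac_key_len(digestmod)


def make_hmac_key(digestmod: str) -> bytes:
    """Generate a key of the recommended size from the OS CSPRNG, sized from
    the digest rather than a hard-coded constant so it cannot drift when the
    hash is changed."""
    return secrets.token_bytes(min_hmac_key_len(digestmod))


def tag(key: bytes, msg: bytes, digestmod: str) -> bytes:
    """Compute an HMAC tag, refusing keys that fail the size check."""
    if not check_hmac_key(key, digestmod):
        raise ValueError(
            f"HMAC key is {len(key)} bytes; {digestmod} needs at least "
            f"{min_hmac_key_len(digestmod)}"
        )
    return hmac.new(key, msg, digestmod).digest()


def verify(key: bytes, msg: bytes, expected: bytes, digestmod: str) -> bool:
    """Constant-time comparison so tag verification does not leak timing."""
    return hmac.compare_digest(tag(key, msg, digestmod), expected)


if __name__ == "__main__":
    # Constructed sample: the 12-byte key fails for SHA-256 (32-byte output),
    # a key sized from the digest passes and round-trips a tag.
    print(check_hmac_key(secrets.token_bytes(12), "sha256"))   # False
    k = make_hmac_key("sha256")
    t = tag(k, b"constructed sample message", "sha256")
    print(verify(k, b"constructed sample message", t, "sha256"))  # True
```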