fix: Use of a weak cryptographic key #57478

Open
wants to merge 1 commit into
base: main

@odaysec odaysec commented Mar 15, 2025

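const { generateKeyPairSync } = require('node:crypto');

// DSA key generation quoted in this PR: 1024-bit modulus (p), 160-bit divisor (q).
generateKeyPairSync('dsa', {
  modulusLength: 1024,
  divisorLength: 160,
});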

Modern encryption relies on it being computationally infeasible to break the cipher and decode a message without the key. As computational power increases, the ability to break ciphers grows and keys need to become larger.

References

RSA
AES
NodeJS
Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Key size
CWE-326

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/performance

@nodejs-github-bot added the benchmark (Issues and PRs related to the benchmark subsystem) and crypto (Issues and PRs related to the crypto subsystem) labels on Mar 15, 2025

@aduh95
Contributor

aduh95 commented Mar 15, 2025

Does it matter for a benchmark though?

Member

@mcollina mcollina left a comment

I'm not sure this matters at all.

However, an argument can be made that it represents a more real benchmark.

@tniessen
Member

It does not matter, except that OpenSSL might at some point reject these parameters.

On a side note, neither DSA nor RSA are particularly future-proof algorithms, and at the same time, both have slow key generation, so benchmarking only these two seems like an odd choice.
