When generating cryptographic keys (or key pairs), it is important to use a key length that provides enough entropy against brute-force attacks. For the Blowfish algorithm the key should be at least 128 bits long, while for the RSA algorithm it should be at least 2048 bits long.
This rule raises an issue when a Blowfish key generator or RSA key-pair generator is initialized with too small a length parameter.
Noncompliant code example:

```java
import javax.crypto.KeyGenerator;
import java.security.KeyPairGenerator;

KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
keyGen.init(64); // Noncompliant: 64-bit Blowfish key, below the 128-bit minimum

KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(512); // Noncompliant: 512-bit RSA modulus, below the 2048-bit minimum
```
Compliant solution:

```java
import javax.crypto.KeyGenerator;
import java.security.KeyPairGenerator;

KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
keyGen.init(128); // 128-bit Blowfish key

KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(2048); // 2048-bit RSA modulus
```
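The two snippets above show the call sites the rule flags; the following is an added example, not code from the rule page, showing how the same minimums can be enforced at runtime: a small policy table is consulted before a generator is initialized, and the size of the key actually produced is re-checked afterwards. The class name `KeySizePolicy`, the method names and the policy table are assumptions introduced for this illustration; the 128-bit and 2048-bit thresholds are the ones the rule states.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example: rejects key sizes below the rule's minimums before a
 * generator is initialized, then verifies the size of the generated key.
 * Class, method and table names are assumptions for this illustration.
 */
public final class KeySizePolicy {

    // Minimum sizes in bits, taken from the rule text (assumed policy table).
    private static final Map<String, Integer> MIN_BITS = Map.of(
            "Blowfish", 128,
            "RSA", 2048);

    private KeySizePolicy() {}

    /** Returns the requested size, or throws if it is below the policy minimum. */
    static int checkedSize(String algorithm, int requestedBits) {
        Integer min = MIN_BITS.get(algorithm);
        if (min == null) {
            throw new IllegalArgumentException("No key-size policy for " + algorithm);
        }
        if (requestedBits < min) {
            throw new IllegalArgumentException(algorithm + " key size " + requestedBits
                    + " bits is below the minimum of " + min + " bits");
        }
        return requestedBits;
    }

    /** Blowfish key of at least 128 bits; the generated key's length is re-checked. */
    static SecretKey newBlowfishKey(int bits) throws NoSuchAlgorithmException {
        KeyGenerator keyGen = KeyGenerator.getInstance("Blowfish");
        keyGen.init(checkedSize("Blowfish", bits));
        SecretKey key = keyGen.generateKey();
        int actualBits = key.getEncoded().length * 8;
        if (actualBits < MIN_BITS.get("Blowfish")) {
            throw new IllegalStateException("Generated Blowfish key is only " + actualBits + " bits");
        }
        return key;
    }

    /** RSA key pair of at least 2048 bits; the modulus size is re-checked. */
    static KeyPair newRsaKeyPair(int bits) throws NoSuchAlgorithmException {
        KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
        keyPairGen.initialize(checkedSize("RSA", bits));
        KeyPair pair = keyPairGen.generateKeyPair();
        int modulusBits = ((RSAPublicKey) pair.getPublic()).getModulus().bitLength();
        if (modulusBits < MIN_BITS.get("RSA")) {
            throw new IllegalStateException("Generated RSA modulus is only " + modulusBits + " bits");
        }
        return pair;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Sizes from the compliant solution pass both the pre-check and the post-check.
        System.out.println("Blowfish: " + newBlowfishKey(128).getEncoded().length * 8 + " bits");
        System.out.println("RSA: "
                + ((RSAPublicKey) newRsaKeyPair(2048).getPublic()).getModulus().bitLength() + " bits");

        // Sizes from the noncompliant example are rejected before any key material is produced.
        String[][] tooSmall = {{"Blowfish", "64"}, {"RSA", "512"}};
        for (String[] entry : tooSmall) {
            try {
                checkedSize(entry[0], Integer.parseInt(entry[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("Rejected: " + e.getMessage());
            }
        }
    }
}
```

Checking the generated key as well as the requested size matters because providers may silently adjust a requested length; reading `getEncoded().length` for the symmetric key and the modulus `bitLength()` for RSA confirms what was actually produced rather than what was asked for.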