Most of cryptographic systems require a sufficient key size to be robust against brute-force attacks.
NIST recommendations will be checked for these use-cases:
Digital Signature Generation and Verification:
p is key length and q the modulus length) n is the key length) Key Agreement:
secp192r1 is a non-compliant curve (n < 224) but secp224k1 is
compliant (n >= 224)) Symmetric keys:
This rule will not raise issues for ciphers that are considered weak (no matter the key size) like DES, Blowfish.
using System;
using System.Security.Cryptography;
namespace MyLibrary
{
public class MyCryptoClass
{
static void Main()
{
var dsa1 = new DSACryptoServiceProvider(); // Noncompliant - default key size is 1024
dsa1.KeySize = 2048; // Noncompliant - the setter does not update the underlying key size for the DSACryptoServiceProvider class
var dsa2 = new DSACryptoServiceProvider(2048); // Noncompliant - cannot create DSACryptoServiceProvider with a key size bigger than 1024
var rsa1 = new RSACryptoServiceProvider(); // Noncompliant - default key size is 1024
rsa1.KeySize = 2048; // Noncompliant - the setter does not update the underlying key size for the RSACryptoServiceProvider class
var rsa2 = new RSACng(1024); // Noncompliant
// ...
}
}
}
KeySize property of DSACryptoServiceProvider and RSACryptoServiceProvider does not change the value of underlying KeySize for the algorithm. Property setter is ignored without error and KeySize can be changed only by using constructor overload. See:
using System;
using System.Security.Cryptography;
namespace MyLibrary
{
public class MyCryptoClass
{
static void Main()
{
var dsa1 = new DSACng(); // Compliant - default key size is 2048
var dsa2 = new DSACng(2048); // Compliant
var rsa1 = new RSACryptoServiceProvider(2048); // Compliant
var rsa2 = new RSACng(); // Compliant - default key size is 2048
// ...
}
}
}