Closed akwick closed 7 months ago
I have already fixed this on my local repo and plan to address it in the next ESAPI release (which is waiting on a dependency). But if anyone is concerned about this in the meantime, just change the ESAPI.properties property Encryptor.DigitalSignatureKeyLength
to something like 2048.
Addressed by PR #809.
Closed per PR #809. Will be released as part of ESAPI 2.5.3.0.
Is your feature request related to a problem? Please describe. I think that relying on secure defaults is a good approach to minimize insecure code.
Describe the solution you'd like A user of ESAPI can adapt the key length used in their ESAPI.properties to a desired key length. However, the default is 1024, e.g., in code. I would like to see a secure default, such as 2048. Standards, such as the BSI technical guidelines TR-02102-1 state that key lengths of 1024 for signatures should not be used.
Describe alternatives you've considered including other security libraries An alternative could be a warning that a key length of 1024 is considered insecure for applications that are used now.
Additional context We, @schlichtig and I, identified this usage during sampling JCA usages and manually reviewing them for the project CamBench. I reached out to @kwwall and @xeno6696 before opening the issue.