# Inadequate Encryption Strength (CWE-326)

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

**Stack:** Python

- Prevalence: Medium (1 language covered)
- Impact: High (2 high-severity rules)
- Prevention: Documented (2 fix examples)

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Using encryption with insufficient key lengths or deprecated algorithms provides a false sense of security. The scheme is not broken on paper, but an attacker with sufficient resources can recover the key or plaintext: short symmetric keys and legacy RSA sizes fall to well-funded adversaries, and a short or dictionary-word HMAC secret can be brute-forced offline from a single captured token.

## Prevention

### Python

- Use strong secrets from environment variables for JWT signing; never hardcode them. For HS256 the secret must be at least 256 bits (32 bytes), per RFC 7518.
- Use RSA 2048+ bits or AES-256, with keys drawn from a cryptographically secure random source.

## Warning Signs

- [HIGH] JWT tokens signed with weak, hardcoded, or default secret keys that can be brute-forced
- [HIGH] Weak cryptographic key generation: insufficient key sizes, predictable keys, or weak algorithms

## Consequences

- Read application data
- Bypass protection mechanism

## Mitigations

- Use AES-256 for symmetric encryption
- Use RSA-2048+ or ECDSA-256+ for asymmetric encryption and signatures
- Follow current cryptographic standards and guidelines

## Detection

- Total rules: 2
- Languages: python

## Rules by Language

### Python (2 rules)

- **JWT Signed with Weak Secret** [HIGH]: Detects JWT tokens signed with weak, hardcoded, or default secret keys that can be brute-forced.
  - Remediation: Use strong secrets from environment variables for JWT signing.

  ```python
  import os
  import jwt  # PyJWT

  # Read the secret from the environment; a missing variable raises rather than
  # silently falling back to a default. For HS256 it must be >= 32 bytes.
  SECRET_KEY = os.environ['JWT_SECRET_KEY']
  token = jwt.encode({'sub': 'user-123'}, SECRET_KEY, algorithm='HS256')
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-326/jwt-weak-secret

- **Weak Cryptographic Key Generation** [HIGH]: Detects weak cryptographic key generation: insufficient key sizes, predictable keys, or weak algorithms. Cryptographic keys must be sufficiently long and generated from a secure random source.
  - Remediation: Use RSA 2048+ bits or AES-256 with cryptographically secure key generation.

  ```python
  from Crypto.PublicKey import RSA
  from Crypto.Cipher import AES
  from Crypto.Random import get_random_bytes

  # RSA: minimum 2048-bit keys
  rsa_key = RSA.generate(2048)

  # AES-256: 32-byte key from the OS CSPRNG, never from random.random() or a seeded PRNG
  aes_key = get_random_bytes(32)
  data = b'sensitive application data'  # sample plaintext
  cipher = AES.new(aes_key, AES.MODE_GCM)  # PyCryptodome generates a fresh nonce per cipher object
  ciphertext, tag = cipher.encrypt_and_digest(data)
  # Store cipher.nonce and tag alongside the ciphertext; both are needed to decrypt and verify
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-326/weak-key-generation
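The two rules above share one failure mode: key material an attacker can reproduce. The following added example (written for this page; it is not shoulder.dev's rule code or the project's own code, and it uses only the standard library so the attacks are visible) shows both sides of each rule: an HS256 token signed with a dictionary-word secret is cracked offline from the token alone, while a 32-byte secret loaded and validated from the environment is not; and a key derived from a seeded `random.Random` is recovered by replaying the generator over a guessable seed window, while `secrets.token_bytes` is not. The environment variable name `JWT_SECRET_KEY`, the wordlist, and the seed `1700000000` standing in for an attacker's guess of the victim's clock are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import os
import random
import secrets

# RFC 7518 section 3.2: an HS256 key MUST be at least as long as the hash output (256 bits).
MIN_HS256_SECRET_BYTES = 32
MIN_AES_KEY_BYTES = 32       # AES-256, as the page's mitigation recommends
MIN_RSA_BITS = 2048

# Constructed wordlist standing in for the default/weak secrets an attacker tries first.
WEAK_SECRET_WORDLIST = ["password", "secret", "changeme", "jwt_secret", "123456", "supersecret"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def hs256_sign(payload: dict, secret: bytes) -> str:
    """Minimal HS256 JWT signer, written out so the attack below is transparent."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def crack_hs256(token: str, wordlist):
    """Offline dictionary attack: the token is public, so each guess is checked
    locally by re-signing header.payload and comparing signatures. Returns the
    recovered secret, or None if no candidate matched."""
    header, body, sig = token.split(".")
    signing_input = f"{header}.{body}".encode("ascii")
    for candidate in wordlist:
        guess = _b64url(hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest())
        if hmac.compare_digest(guess, sig):
            return candidate
    return None


def hs256_secret_is_strong(secret: bytes) -> bool:
    """Length check plus a known-default check: the rule's 'weak, hardcoded, or default' cases."""
    return len(secret) >= MIN_HS256_SECRET_BYTES and secret not in {w.encode() for w in WEAK_SECRET_WORDLIST}


def load_jwt_secret(environ=os.environ, name="JWT_SECRET_KEY") -> bytes:
    """Remediation: take the secret from the environment (assumed variable name) and
    refuse weak ones at startup. Fail closed rather than fall back to a default."""
    raw = environ.get(name)
    if raw is None:
        raise RuntimeError(f"{name} is not set; refusing to start with a default secret")
    secret = raw.encode("utf-8")
    if not hs256_secret_is_strong(secret):
        raise ValueError(f"{name} must be >= {MIN_HS256_SECRET_BYTES} bytes and not a known default")
    return secret


# ---- rule 2: predictable key generation ------------------------------------

def seeded_key(seed: int, nbytes: int = MIN_AES_KEY_BYTES) -> bytes:
    """WEAK: random.Random is a Mersenne Twister, not a CSPRNG. The same seed always
    yields the same key, and seeds such as int(time.time()) are guessable."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def recover_seeded_key(target: bytes, seed_lo: int, seed_hi: int):
    """Attacker side: replay the generator over a plausible seed window and
    return the seed that reproduces the leaked key (None if not in the window)."""
    for seed in range(seed_lo, seed_hi):
        if seeded_key(seed, len(target)) == target:
            return seed
    return None


def secure_key(nbytes: int = MIN_AES_KEY_BYTES) -> bytes:
    """FIX: OS CSPRNG, equivalent to get_random_bytes in the page's PyCryptodome snippet."""
    return secrets.token_bytes(nbytes)


def key_sizes_ok(aes_key_bytes: int, rsa_bits: int) -> bool:
    """The size half of the rule: AES-256 and RSA-2048 or larger."""
    return aes_key_bytes >= MIN_AES_KEY_BYTES and rsa_bits >= MIN_RSA_BITS


if __name__ == "__main__":
    weak = hs256_sign({"sub": "alice", "admin": True}, b"secret")
    print("cracked weak secret:", crack_hs256(weak, WEAK_SECRET_WORDLIST))
    strong = hs256_sign({"sub": "alice"}, secure_key())
    print("cracked strong secret:", crack_hs256(strong, WEAK_SECRET_WORDLIST))
    guessed_time = 1700000000  # assumed attacker guess of when the key was generated
    leaked = seeded_key(guessed_time + 17)
    print("recovered seed:", recover_seeded_key(leaked, guessed_time - 3600, guessed_time + 3600))
```

The dictionary attack needs nothing from the server: one token from a cookie or an `Authorization` header is enough, so a weak secret is compromised as soon as any token leaves the application. The seed-replay attack generalises to any key derived from a non-cryptographic PRNG, which is why the check is on the source of randomness, not only on the key length.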