# Inadequate Encryption Strength (CWE-326)

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

- Prevalence: Medium (1 language covered)
- Impact: High (2 high-severity rules)
- Prevention: Documented (2 fix examples)

**OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2

## Description

Using encryption with insufficient key lengths or deprecated algorithms provides a false sense of security. Attackers with sufficient resources can break weak encryption.

## Prevention

### Python

- Use strong secrets from environment variables for JWT signing; never hardcode them
- Use RSA 2048+ bits or AES-256 with cryptographically secure key generation

## Warning Signs

- [HIGH] JWT tokens signed with weak, hardcoded, or default secret keys that can be brute-forced
- [HIGH] Weak cryptographic key generation: insufficient key sizes, predictable keys, or weak algorithms

## Consequences

- Read Application Data
- Bypass Protection Mechanism

## Mitigations

- Use AES-256 for symmetric encryption
- Use RSA-2048+ or ECDSA-256+ for asymmetric encryption
- Follow current cryptographic standards and guidelines

## Detection

- Total rules: 2
- Languages: python

## Rules by Language

### Python (2 rules)

- **JWT Signed with Weak Secret** [HIGH]: Detects JWT tokens signed with weak, hardcoded, or default secret keys that can be brute-forced.
  - Remediation: Use strong secrets from environment variables for JWT signing.

    ```python
    import os
    import jwt  # PyJWT
    SECRET_KEY = os.environ['JWT_SECRET_KEY']  # raises KeyError if the variable is unset
    token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')  # payload: the claims dict
    ```

    Learn more: https://shoulder.dev/learn/python/cwe-326/jwt-weak-secret

- **Weak Cryptographic Key Generation** [HIGH]: Detects weak cryptographic key generation: insufficient key sizes, predictable keys, or using weak algorithms. Cryptographic keys must be sufficiently long and generated with secure random sources.
  - Remediation: Use RSA 2048+ bits or AES-256 with cryptographically secure key generation.

    ```python
    from Crypto.PublicKey import RSA
    from Crypto.Cipher import AES
    from Crypto.Random import get_random_bytes

    # RSA: minimum 2048-bit keys
    rsa_key = RSA.generate(2048)

    # AES-256: 32-byte key from secure source
    aes_key = get_random_bytes(32)
    cipher = AES.new(aes_key, AES.MODE_GCM)
    data = b"sensitive data"  # sample plaintext
    # Keep cipher.nonce with the ciphertext and tag; decryption needs all three
    ciphertext, tag = cipher.encrypt_and_digest(data)
    ```

    Learn more: https://shoulder.dev/learn/python/cwe-326/weak-key-generation
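
To show how the two patterns above can be caught in code review or CI, here is an added sketch (not Shoulder's rule implementation and not code from this page) that walks a Python AST and reports `jwt.encode` calls keyed by a string literal and `RSA.generate` calls below 2048 bits. The function `scan`, the rule names and the sample source are assumptions made for illustration.

```python
import ast
MIN_RSA_BITS = 2048  # threshold from the page's mitigation list

# Constructed sample: each weak pattern beside the page's remediated form.
SAMPLE = '''
import os, jwt
from Crypto.PublicKey import RSA
SECRET_KEY = "secret"
good_secret = os.environ["JWT_SECRET_KEY"]
t1 = jwt.encode(payload, SECRET_KEY, algorithm="HS256")
t2 = jwt.encode(payload, good_secret, algorithm="HS256")
k1 = RSA.generate(1024)
k2 = RSA.generate(2048)
'''

def _const(node, types):
    """True if node is a literal constant of one of the given types."""
    return isinstance(node, ast.Constant) and isinstance(node.value, types)

def _call_name(call):
    """Dotted name of a call target such as 'jwt.encode', else ''."""
    f = call.func
    ok = isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
    return f"{f.value.id}.{f.attr}" if ok else ""

def _arg(call, index, keyword):
    """Fetch an argument whether passed positionally or by keyword."""
    if len(call.args) > index:
        return call.args[index]
    return next((k.value for k in call.keywords if k.arg == keyword), None)

def scan(source):
    """Return sorted (line, rule) findings for the two patterns above."""
    nodes = list(ast.walk(ast.parse(source)))
    # Names assigned a str/bytes literal, e.g. SECRET_KEY = "secret".
    literals = {t.id for n in nodes
                if isinstance(n, ast.Assign) and _const(n.value, (str, bytes))
                for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    for call in (n for n in nodes if isinstance(n, ast.Call)):
        name = _call_name(call)
        if name == "jwt.encode":
            key = _arg(call, 1, "key")
            if _const(key, (str, bytes)) or (isinstance(key, ast.Name) and key.id in literals):
                findings.append((call.lineno, "jwt-hardcoded-secret"))
        elif name == "RSA.generate":
            bits = _arg(call, 0, "bits")
            if _const(bits, int) and bits.value < MIN_RSA_BITS:
                findings.append((call.lineno, "rsa-key-too-short"))
    return sorted(findings)
```

The check is flow-insensitive and matches only the `jwt.encode` and `RSA.generate` spellings, so aliased imports and secrets built at runtime are out of its reach.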