diff --git a/core/c/mpw-algorithm_v0.c b/core/c/mpw-algorithm_v0.c
index 69d7c22c..cd2faa1c 100644
--- a/core/c/mpw-algorithm_v0.c
+++ b/core/c/mpw-algorithm_v0.c
@@ -190,8 +190,8 @@ static const char *mpw_sitePasswordFromDerive_v0(
 return NULL;
 }
 int resultParamInt = atoi( resultParam );
- if (resultParamInt <= 0 || resultParamInt > UINT16_MAX || resultParamInt % 8 != 0) {
- err( "Parameter is not a valid key size: %s\n", resultParam );
+ if (resultParamInt < 128 || resultParamInt > 512 || resultParamInt % 8 != 0) {
+ err( "Parameter is not a valid key size (should be 128 - 512): %s\n", resultParam );
 return NULL;
 }
 uint16_t keySize = (uint16_t)(resultParamInt / 8);
diff --git a/core/c/mpw-util.c b/core/c/mpw-util.c
index 40e7b255..682c8511 100644
--- a/core/c/mpw-util.c
+++ b/core/c/mpw-util.c
@@ -164,7 +164,10 @@ uint8_t const *mpw_kdf_blake2b(const size_t subkeySize, const uint8_t *key, cons
 return NULL;
 #if HAS_SODIUM
- if (personal && strlen( personal ) > crypto_generichash_blake2b_PERSONALBYTES) {
+ if (keySize < crypto_generichash_blake2b_KEYBYTES_MIN || keySize > crypto_generichash_blake2b_KEYBYTES_MAX ||
+ subkeySize < crypto_generichash_blake2b_KEYBYTES_MIN || subkeySize > crypto_generichash_blake2b_KEYBYTES_MAX ||
+ contextSize < crypto_generichash_blake2b_BYTES_MIN || contextSize > crypto_generichash_blake2b_BYTES_MAX ||
+ (personal && strlen( personal ) > crypto_generichash_blake2b_PERSONALBYTES)) {
 errno = EINVAL;
 free( subkey );
 return NULL;
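Review bot: The tightened 128–512 range test in `mpw_sitePasswordFromDerive_v0` still relies on `atoi( resultParam )`, which accepts trailing garbage (a constructed input such as `256xyz` parses as 256) and has undefined behaviour when the digits do not fit in `int`. The key-size parameter is therefore not fully validated before the cast to `uint16_t`. Parsing with `strtol` and rejecting on `end == resultParam || *end != '\0' || errno == ERANGE` ahead of the range test would close that gap. The literals 128 and 512 also appear to mirror the 16–64 byte BLAKE2b limits that the mpw-util.c hunk checks through libsodium constants, so a comment like `// bits; keep in sync with crypto_generichash_blake2b_KEYBYTES_MIN/MAX * 8` would stop the two drifting apart. The enclosing function starts and ends outside the hunk.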
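Review bot: The constant families in the new guard of `mpw_kdf_blake2b` look mismatched: `subkeySize`, which by its name is the output length, is compared with the `KEYBYTES` bounds, while `contextSize` is compared with `crypto_generichash_blake2b_BYTES_MIN`/`_MAX`, libsodium's output-length bounds. The check works today only because both ranges happen to have the same values. If `context` is fed to the hash as the message (the call is outside the hunk, so this is inferred), the library puts no 16–64 byte limit on it and this guard would reject legitimate short or long contexts with `EINVAL`. I would bound the output instead, `subkeySize < crypto_generichash_blake2b_BYTES_MIN || subkeySize > crypto_generichash_blake2b_BYTES_MAX ||`, and either drop the `contextSize` range or add a comment stating why the context is restricted. Since `free( subkey )` is needed on this path, the validation evidently runs after the allocation; moving it above the allocation would remove that cleanup.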