Cryptographic Issues encompass weaknesses in how software chooses, configures, and implements cryptographic algorithms and protocols. These flaws can range from using outdated or weak ciphers to improper key management, and they undermine the confidentiality, integrity, and authenticity guarantees that cryptography is meant to provide. Even a single cryptographic mistake can render security controls ineffective.
02 How It Happens
Cryptographic weaknesses typically arise from one or more of these patterns: selecting algorithms known to be broken or deprecated (e.g., MD5, DES, RC4), using cryptographic functions with insecure default configurations (e.g., ECB mode instead of authenticated encryption), failing to properly generate, store, or rotate cryptographic keys, or implementing custom cryptographic logic instead of relying on vetted libraries. Developers may also misunderstand the difference between encryption (confidentiality) and authentication, leading to unencrypted or unauthenticated data transmission. Additionally, hardcoding keys, storing them in version control, or using predictable key derivation can expose sensitive material even if the algorithm itself is sound.
03 Real-World Impact
Compromised cryptography can lead to complete loss of confidentiality—attackers can decrypt sensitive data such as passwords, payment information, or personal records. Weak or missing authentication mechanisms allow attackers to forge or tamper with data without detection. Session tokens encrypted with broken algorithms can be forged, leading to account takeover. In regulated industries, cryptographic failures often trigger compliance violations and legal liability. The damage is often silent: data may be exfiltrated without any visible sign of compromise.
04 Vulnerable & Fixed Patterns
Vulnerable pattern
import hashlib
# Storing password using MD5 (cryptographically broken, unsalted, and fast to brute-force)
password = "user_password"
hashed = hashlib.md5(password.encode()).hexdigest()
# Encrypting data with a hardcoded key and ECB mode (no IV, no authentication)
from Crypto.Cipher import AES
key = b"hardcoded_key_16"  # exactly 16 bytes (AES-128); committed to source control
cipher = AES.new(key, AES.MODE_ECB)
ciphertext = cipher.encrypt(b"sensitive_data__")  # ECB needs block-aligned input: 16 bytes here
Why it's vulnerable: MD5 is cryptographically broken and unsuitable for password hashing. ECB mode is deterministic, so identical plaintext blocks produce identical ciphertext blocks and patterns leak. The hardcoded key is exposed to anyone with source access, and ECB provides no integrity check, so tampered ciphertext decrypts without error.
Fixed pattern
from argon2 import PasswordHasher
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
# Hashing password with Argon2 (modern, memory-hard, resistant to GPU/ASIC attacks);
# PasswordHasher picks a random salt and embeds it and the cost parameters in the output
ph = PasswordHasher()
hashed = ph.hash("user_password")
# On login: ph.verify(hashed, candidate) raises argon2.exceptions.VerifyMismatchError on a wrong password
# Encrypting with AES-256-GCM (authenticated encryption) and a fresh random nonce
key = get_random_bytes(32)  # Generate securely; store in a KMS/secret store, never in source
nonce = get_random_bytes(12)  # 96-bit nonce, the size recommended for GCM; never reuse under the same key
cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
ciphertext, tag = cipher.encrypt_and_digest(b"sensitive_data__")
# Store nonce and tag alongside ciphertext; decrypt with cipher.decrypt_and_verify(ciphertext, tag)
Vulnerable pattern
<?php
// Using MD5 for password hashing (broken)
$password = "user_password";
$hashed = md5($password);
// Storing API key in plaintext in config file
define('API_KEY', 'sk_live_1234567890abcdef');
// Encrypting without authentication
$key = "hardcoded_key_16";
$data = "sensitive_data__";
$encrypted = openssl_encrypt($data, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
?>
Why it's vulnerable: MD5 is unsuitable for passwords; unsalted MD5 hashes of common passwords can be looked up directly in rainbow tables. Hardcoded keys in source files are exposed to anyone with repository access. ECB mode is deterministic and provides no authentication.
Fixed pattern
<?php
// Using bcrypt for password hashing (modern, adaptive); password_hash() adds a random salt
$password = "user_password";
$hashed = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
// On login: password_verify($candidate, $hashed); password_needs_rehash() lets you raise the cost later
// Reading the API key from an environment variable (not from code or the repository)
$api_key = getenv('API_KEY');
// Encrypting with AES-256-GCM (authenticated encryption)
$key = random_bytes(32); // Generate securely; store separately
$iv = random_bytes(openssl_cipher_iv_length('aes-256-gcm')); // 12 bytes for GCM; fresh per message
$data = "sensitive_data__";
$tag = '';
$encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag); // $tag is filled by reference
// Store $iv and $tag alongside $encrypted; openssl_decrypt() with the same $iv and $tag returns false on tampering
?>
05 Prevention Checklist
Use only modern, vetted cryptographic algorithms: AES (not DES/RC4) for encryption, SHA-256 or SHA-3 (not MD5/SHA-1) for integrity hashing, and a dedicated password hash such as bcrypt or Argon2 (never a plain MD5/SHA-1 digest) for passwords.
Always use authenticated encryption modes (GCM, ChaCha20-Poly1305) rather than unauthenticated modes (ECB, CBC without HMAC).
Never hardcode cryptographic keys in source code; use environment variables, secure key management services, or hardware security modules.
Generate cryptographic keys, salts, and nonces using a cryptographically secure random number generator (os.urandom() or the secrets module in Python, random_bytes() in PHP), never rand(), mt_rand(), or random.random().
Implement proper key rotation policies and retire old keys according to your security requirements.
Use established cryptographic libraries (OpenSSL, libsodium, cryptography.io) rather than implementing custom encryption logic.
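To tie the checklist's password-hashing and CSPRNG points together, here is an added example that is not part of the original page. It uses the standard library's hashlib.scrypt (a memory-hard KDF) rather than the bcrypt/Argon2 libraries the checklist names, so it runs without third-party packages; the structure is the same as those libraries provide internally: a per-password random salt from a CSPRNG, tunable cost parameters stored next to the hash, a constant-time comparison, and a check that tells you when an old hash should be upgraded. The "scrypt$n$r$p$salt$hash" encoding and the helper names are this example's own conventions.

```python
# Added example (not from the original page): salted, memory-hard password hashing
# with the standard library. Encoding "scrypt$n$r$p$salt$hash" is this example's own.
import base64
import hashlib
import hmac
import secrets

# Current cost policy: scrypt with N=2**14, r=8, p=1 needs about 128*N*r = 16 MiB per hash.
PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_LEN = 16
DK_LEN = 32


def hash_password(password: str) -> str:
    """Return 'scrypt$n$r$p$salt$hash'; the salt comes from a CSPRNG, never random.random()."""
    salt = secrets.token_bytes(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=DK_LEN, **PARAMS)
    fields = ["scrypt", str(PARAMS["n"]), str(PARAMS["r"]), str(PARAMS["p"]),
              base64.b64encode(salt).decode("ascii"), base64.b64encode(dk).decode("ascii")]
    return "$".join(fields)


def _parse(stored: str):
    """Split a stored string into (n, r, p, salt, dk); None if it is not in this format."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return None
        return int(n), int(r), int(p), base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    except (ValueError, TypeError):  # wrong field count, non-numeric cost, bad base64
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored next to the hash; compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)  # not ==, which short-circuits on the first differing byte


def needs_rehash(stored: str) -> bool:
    """True when the stored hash is in an old format or below the current cost policy.

    Call this after a successful login and re-hash with the user's (now known) password.
    """
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return (n, r, p) < (PARAMS["n"], PARAMS["r"], PARAMS["p"])


if __name__ == "__main__":
    stored = hash_password("user_password")
    print(stored)
    print("verify ok:", verify_password("user_password", stored))
    print("wrong password:", verify_password("User_password", stored))
    print("needs rehash:", needs_rehash(stored))
```

Two hashes of the same password differ because each gets its own salt, which is what defeats the rainbow-table lookup the PHP section describes; the cost parameters travel with the hash so that raising them later does not invalidate existing records.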
06 Signs You May Already Be Affected
Review your codebase for use of deprecated algorithms (MD5, SHA-1, DES, RC4) in security-critical functions. Check configuration files and environment setup for hardcoded keys, passwords, or API credentials. Examine logs for unusual decryption failures or authentication errors that might indicate tampering. If you cannot articulate why each cryptographic choice was made, or if you're unsure whether your encryption includes authentication, a security audit is warranted.
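The codebase review described above can be started with a simple first-pass scan. The following is an added example, not part of the original page: a small rule-based checker that flags the patterns this section lists (deprecated algorithms, ECB mode, secrets assigned as string literals, non-cryptographic random functions) in source lines and skips comment lines. The rule names, the regular expressions, and the sample lines are constructed for illustration; the heuristics produce false positives and misses, so treat hits as candidates for manual triage or for a dedicated scanner, not as a verdict.

```python
# Added example (not from the original page): a first-pass scan for the cryptographic
# anti-patterns this section describes. Rules and sample lines are constructed for illustration.
import re

# Lookarounds keep matches to whole tokens, so "describe" is not flagged for DES
# and "sha256" is not flagged for SHA-1.
RULES = {
    "weak-algorithm": re.compile(r"(?<![a-z0-9])(md5|sha1|3des|des|rc4|arcfour)(?![a-z0-9])", re.I),
    "ecb-mode": re.compile(r"(?<![a-z0-9])ecb(?![a-z0-9])", re.I),
    # a secret-like name assigned/passed a string literal of 8+ characters
    "hardcoded-secret": re.compile(
        r"(api_key|secret|password|passwd|token|\bkey)\b['\"]?\s*[=:,]\s*b?['\"][^'\"]{8,}['\"]", re.I),
    # non-cryptographic RNGs; random_bytes()/get_random_bytes() are not matched
    "weak-rng": re.compile(r"(?<![a-z0-9_.])(mt_rand|srand|rand)\s*\(|random\.(random|randint|choice)\s*\("),
}
COMMENT_PREFIXES = ("#", "//", "/*", "*")


def scan_lines(lines):
    """Return (line_number, rule_name, stripped_line) for each rule that fires on a non-comment line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(COMMENT_PREFIXES):
            continue  # a comment that mentions MD5 is not a use of MD5
        for rule_name, pattern in RULES.items():
            if pattern.search(stripped):
                findings.append((number, rule_name, stripped))
    return findings


# Constructed sample: lines in the style of the page's Python and PHP snippets plus safe controls
SAMPLE_LINES = [
    "import hashlib",
    "hashed = hashlib.md5(password.encode()).hexdigest()",
    "cipher = AES.new(key, AES.MODE_ECB)",
    "$encrypted = openssl_encrypt($data, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);",
    "define('API_KEY', 'sk_live_1234567890abcdef');",
    'key = b"hardcoded_key_16"',
    "$api_key = getenv('API_KEY');",                    # safe: read from the environment
    "cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)",  # safe: authenticated mode
    "digest = hashlib.sha256(data).hexdigest()",         # safe: not SHA-1
    "iv = bytes([rand() % 256 for _ in range(16)])",
    "# MD5 mentioned in a comment is not a finding",
]

if __name__ == "__main__":
    for number, rule_name, text in scan_lines(SAMPLE_LINES):
        print(f"line {number:>3}  {rule_name:<17} {text}")
```

Run on real source, the output is a worklist: each hit is a place where the team should be able to state why that algorithm, mode or key-handling choice was made, which is exactly the test the paragraph above proposes.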