Cryptographic Failures
This skill should be used when the user asks about "cryptographic failures", "weak encryption", "hardcoded secrets", "insecure random", "MD5", "SHA1", "weak hashing", or needs to find crypto-related vulnerabilities during whitebox security review.
Best use case
Cryptographic Failures is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
This skill should be used when the user asks about "cryptographic failures", "weak encryption", "hardcoded secrets", "insecure random", "MD5", "SHA1", "weak hashing", or needs to find crypto-related vulnerabilities during whitebox security review.
Teams using Cryptographic Failures should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/cryptographic-failures/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Cryptographic Failures Compares
| Feature / Agent | Cryptographic Failures | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
This skill should be used when the user asks about "cryptographic failures", "weak encryption", "hardcoded secrets", "insecure random", "MD5", "SHA1", "weak hashing", or needs to find crypto-related vulnerabilities during whitebox security review.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Cryptographic Failures (OWASP A02)
## Purpose
Provide detection patterns for cryptographic vulnerabilities including weak algorithms, hardcoded secrets, insufficient key lengths, and insecure random number generation.
## OWASP Top 10 Mapping
**Category**: A02 - Cryptographic Failures
**CWEs**:
- CWE-326: Inadequate Encryption Strength
- CWE-327: Use of Broken or Risky Crypto Algorithm
- CWE-328: Reversible One-Way Hash
- CWE-330: Use of Insufficiently Random Values
- CWE-338: Use of Cryptographically Weak PRNG
- CWE-798: Use of Hardcoded Credentials
## When to Use
Activate this skill when:
- Reviewing password hashing implementations
- Checking encryption algorithm usage
- Looking for hardcoded secrets/API keys
- Auditing random number generation
- Verifying key management practices
---
## Weak Hash Algorithms
### Detection Patterns
```bash
# MD5 usage (broken for security)
grep -rniE "md5\(|MD5\.|hashlib\.md5|MessageDigest.*MD5|crypto\.MD5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# SHA1 usage (deprecated for security)
grep -rniE "sha1\(|SHA1\.|hashlib\.sha1|MessageDigest.*SHA-1|crypto\.SHA1" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Password hashing with weak algorithms
grep -rniE "password.*md5|password.*sha1|hash.*password.*md5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
### Language-Specific Patterns
#### Python
```bash
# Weak hashing
grep -rniE "hashlib\.md5|hashlib\.sha1" --include="*.py"
# Should use: bcrypt, argon2, scrypt
grep -rniE "bcrypt|argon2|scrypt" --include="*.py"
```
**Vulnerable**:
```python
# VULNERABLE: MD5 for passwords
password_hash = hashlib.md5(password.encode()).hexdigest()
```
**Secure**:
```python
# SAFE: bcrypt for passwords
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
```
#### Java
```bash
# Weak MessageDigest
grep -rniE "MessageDigest\.getInstance.*MD5|MessageDigest\.getInstance.*SHA-1" --include="*.java"
# Should use: BCrypt, Argon2, PBKDF2
grep -rniE "BCrypt|Argon2|PBKDF2|SecretKeyFactory" --include="*.java"
```
#### Go
```bash
# Weak crypto imports
grep -rniE "crypto/md5|crypto/sha1" --include="*.go"
# Should use: bcrypt, argon2
grep -rniE "golang\.org/x/crypto/bcrypt|golang\.org/x/crypto/argon2" --include="*.go"
```
#### PHP
```bash
# Weak hashing
grep -rniE "md5\(|sha1\(" --include="*.php"
# Should use: password_hash
grep -rniE "password_hash|PASSWORD_BCRYPT|PASSWORD_ARGON2" --include="*.php"
```
#### TypeScript
```bash
# Weak crypto
grep -rniE "createHash.*md5|createHash.*sha1" --include="*.ts"
# Should use: bcrypt
grep -rniE "bcrypt\.hash|argon2" --include="*.ts"
```
---
## Weak Encryption Algorithms
### Detection Patterns
```bash
# DES (broken)
grep -rniE "DES|DESede|TripleDES" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# RC4 (broken)
grep -rniE "RC4|ARC4|ARCFOUR" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# ECB mode (insecure)
grep -rniE "ECB|AES/ECB|MODE_ECB" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Blowfish (deprecated)
grep -rniE "Blowfish|BLOWFISH" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
### Secure Alternatives
| Weak | Secure Alternative |
|------|-------------------|
| DES | AES-256 |
| 3DES | AES-256 |
| RC4 | ChaCha20 or AES-GCM |
| ECB mode | GCM or CBC with HMAC |
| Blowfish | AES-256 |
| RSA-1024 | RSA-2048+ or ECDSA |
---
## Hardcoded Secrets
### Detection Patterns
```bash
# API keys
grep -rniE "api[_-]?key\s*[=:]\s*['\"][a-zA-Z0-9]{16,}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Passwords
grep -rniE "password\s*[=:]\s*['\"][^'\"]+['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Secret keys
grep -rniE "secret[_-]?key\s*[=:]\s*['\"][^'\"]+['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# AWS credentials
grep -rniE "AKIA[0-9A-Z]{16}|aws_secret_access_key" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env"
# Private keys
grep -rniE "BEGIN RSA PRIVATE KEY|BEGIN PRIVATE KEY|BEGIN EC PRIVATE KEY" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.pem"
# JWT secrets
grep -rniE "jwt[_-]?secret\s*[=:]\s*['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
### High-Entropy String Detection
```bash
# Long alphanumeric strings (potential secrets)
grep -rniE "['\"][a-zA-Z0-9+/=]{32,}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
---
## Insecure Random Number Generation
### Detection Patterns
```bash
# JavaScript/TypeScript - Math.random (NOT cryptographically secure)
grep -rniE "Math\.random\(\)" --include="*.ts" --include="*.js"
# Python - random module (NOT cryptographically secure)
grep -rniE "import random|from random|random\.random|random\.randint" --include="*.py"
# Java - java.util.Random (NOT cryptographically secure)
grep -rniE "new Random\(\)|java\.util\.Random" --include="*.java"
# PHP - rand/mt_rand (NOT cryptographically secure)
grep -rniE "rand\(|mt_rand\(" --include="*.php"
# Go - math/rand (NOT cryptographically secure)
grep -rniE "math/rand|rand\.Intn|rand\.Int\(" --include="*.go"
```
### Secure Alternatives
| Language | Insecure | Secure |
|----------|----------|--------|
| Python | `random.random()` | `secrets.token_bytes()` |
| Java | `java.util.Random` | `java.security.SecureRandom` |
| Go | `math/rand` | `crypto/rand` |
| JavaScript | `Math.random()` | `crypto.randomBytes()` |
| PHP | `rand()`, `mt_rand()` | `random_bytes()`, `random_int()` |
---
## Insufficient Key Length
### Detection Patterns
```bash
# RSA key size (should be 2048+)
grep -rniE "RSA.*1024|keysize.*1024|KeyPairGenerator.*1024" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# AES key size (should be 256 for sensitive data)
grep -rniE "AES.*128|aes-128" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# HMAC key size
grep -rniE "hmac.*key.*['\"][a-zA-Z0-9]{1,15}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
### Minimum Key Lengths
| Algorithm | Minimum | Recommended |
|-----------|---------|-------------|
| RSA | 2048 bits | 4096 bits |
| AES | 128 bits | 256 bits |
| ECDSA | 256 bits | 384 bits |
| HMAC | 256 bits | 512 bits |
---
## Predictable IVs/Nonces
### Detection Patterns
```bash
# Static/zero IV
grep -rniE "iv\s*=\s*['\"]0{16,}['\"]|iv\s*=\s*bytes\(16\)|iv.*\[0,0,0" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Reused nonce
grep -rniE "nonce\s*=\s*['\"]|static.*nonce|const.*nonce" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
---
## Missing Encryption
### Detection Patterns
```bash
# Plaintext password storage
grep -rniE "password\s*=\s*request|user\.password\s*=\s*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# HTTP instead of HTTPS
grep -rniE "http://[^localhost]|http://[^127\.0\.0\.1]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Unencrypted database connection
grep -rniE "sslmode=disable|useSSL=false|ssl=false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env"
```
---
## Broken Certificate Validation
### Detection Patterns
```bash
# Go - Skip TLS verification
grep -rniE "InsecureSkipVerify\s*:\s*true" --include="*.go"
# Python - Disable SSL verification
grep -rniE "verify\s*=\s*False|CERT_NONE" --include="*.py"
# Java - Trust all certificates
grep -rniE "TrustAllCerts|X509TrustManager|checkServerTrusted.*return" --include="*.java"
# Node.js - Reject unauthorized false
grep -rniE "rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED" --include="*.ts" --include="*.js"
# PHP - Disable SSL verification
grep -rniE "CURLOPT_SSL_VERIFYPEER\s*=>\s*false|verify_peer.*false" --include="*.php"
```
---
## Secure Patterns
### Password Hashing
```python
# Python - Argon2 (recommended)
from argon2 import PasswordHasher
ph = PasswordHasher()
hash = ph.hash(password)
```
```java
// Java - BCrypt
String hash = BCrypt.hashpw(password, BCrypt.gensalt(12));
```
```go
// Go - bcrypt
hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
```
### Encryption
```python
# Python - AES-GCM
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)
nonce = os.urandom(12) # Random nonce
ciphertext = aesgcm.encrypt(nonce, plaintext, None)
```
### Random Generation
```python
# Python - Secure random
import secrets
token = secrets.token_hex(32)
```
---
## Verification Checklist
- [ ] No MD5/SHA1 for password hashing
- [ ] No DES/RC4/ECB encryption
- [ ] No hardcoded secrets
- [ ] Cryptographically secure RNG used
- [ ] Key lengths meet minimums
- [ ] Random IVs/nonces
- [ ] TLS 1.2+ with valid certificates
- [ ] Secrets from environment/vault
---
## CWE References
| CWE | Name | Example |
|-----|------|---------|
| CWE-326 | Inadequate Encryption | RSA-1024 |
| CWE-327 | Broken Crypto | MD5, DES, RC4 |
| CWE-328 | Reversible Hash | MD5 for passwords |
| CWE-330 | Insufficient Randomness | Math.random for tokens |
| CWE-338 | Weak PRNG | rand() for crypto |
| CWE-798 | Hardcoded Credentials | API keys in code |