<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<title>🔒 Cryptography Vulnerabilities in AI-Generated Code</title>
<style>
:root{
--bg:#f9fafc;
--card:#ffffff;
--accent:#2563eb;
--error:#ef4444;
--safe:#10b981;
--text:#333;
}
body{
margin:0;
font-family: "Poppins", system-ui, -apple-system, "Segoe UI", Roboto, "Helvetica Neue", Arial;
background: var(--bg);
color: var(--text);
line-height:1.5;
}
.crypto-guide{
max-width:1400px;
margin:0 auto;
padding:20px;
}
.crypto-guide .title{
font-size:2rem;
font-weight:800;
color:var(--accent);
margin-bottom:10px;
}
.crypto-guide .intro{
background:var(--card);
border-radius:12px;
padding:16px;
margin-bottom:20px;
box-shadow:0 4px 12px rgba(0,0,0,0.08);
font-size:1rem;
}
.crypto-guide .vulnerability{
background: var(--card);
border-radius:12px;
padding:14px;
margin-bottom:16px;
box-shadow: 0 4px 12px rgba(0,0,0,0.07);
transition: transform .18s ease, box-shadow .18s ease;
}
.crypto-guide .vulnerability:hover{
transform: translateY(-4px);
box-shadow: 0 10px 24px rgba(0,0,0,0.10);
}
.crypto-guide .vulnerability .subtitle{
margin:0 0 8px 0;
color:var(--accent);
font-size:1.4rem;
font-weight:800;
letter-spacing:0.2px;
}
.crypto-guide .description{
margin:0 0 6px 0;
font-size:1rem;
}
.crypto-guide .detection{
margin:6px 0 8px 0;
font-size:1.05rem; /* povećano */
color:#222;
font-style:italic;
}
.crypto-guide .detection strong{ font-weight:800; color:#111; }
.crypto-guide .example{
display:flex;
gap:14px;
flex-wrap:wrap;
margin-top:10px;
}
.crypto-guide .code,
.crypto-guide .solution{
flex:1;
min-width:320px;
padding:10px;
border-radius:8px;
font-size:0.95rem;
}
.crypto-guide .code{
background:#fff5f5;
border:1px solid var(--error);
}
.crypto-guide .solution{
background:#f0fff8;
border:1px solid var(--safe);
}
.crypto-guide .example-title{
margin:0 0 8px 0;
font-size:1.05rem;
font-weight:700;
}
.crypto-guide pre{
margin:0;
font-family:"Courier New", monospace;
font-size:0.9rem;
overflow-x:auto;
white-space:pre-wrap;
word-break:break-word;
}
.crypto-guide .services{
margin-top:12px;
font-size:0.92rem;
}
.crypto-guide .services span{
display:inline-block;
background:#eef2ff;
color:var(--accent);
padding:4px 8px;
border-radius:6px;
margin:4px 6px 0 0;
font-weight:600;
font-size:0.85rem;
}
.crypto-guide .links{
margin-top:8px;
font-size:1.05rem; /* povećano */
font-weight:600;
}
.crypto-guide .links a{
color:var(--accent);
text-decoration:none;
}
.crypto-guide .links a:hover{ text-decoration:underline; }
.crypto-guide .final-section{
background:var(--card);
border-radius:12px;
padding:18px;
margin-top:30px;
box-shadow:0 4px 12px rgba(0,0,0,0.1);
}
.crypto-guide .final-section h2{
color:var(--accent);
font-size:1.5rem;
margin-bottom:10px;
}
@media (max-width:760px){
.crypto-guide .example{ flex-direction:column; }
.crypto-guide .code, .crypto-guide .solution{ min-width:100%; }
}
</style>
</head>
<body>
<section class="crypto-guide">
<h1 class="title">🔒 Cryptography Vulnerabilities in AI-Generated Code</h1>
<div class="intro">
<p>
AI-generated code may introduce significant risks in the domain of cryptography if not carefully reviewed. Large Language Models (LLMs) are trained on vast datasets that often contain outdated, insecure, or misused cryptographic examples.
Because these models prioritize patterns over security, they tend to reproduce code that "looks correct" but is fundamentally unsafe.
</p>
<p>
Below we analyze the most frequent cryptographic flaws that LLMs generate, why they happen, how they amplify risks, insecure vs. secure code samples, CWE references, and services that can help mitigate them.
</p>
</div>
<!-- Weak Algorithms -->
<div class="vulnerability">
<h2 class="subtitle">1. Use of Weak or Broken Algorithms</h2>
<p class="description">
LLMs frequently recommend broken algorithms such as MD5, SHA-1, or DES. This occurs because these algorithms dominate older tutorials and code samples in the training data.
By suggesting them, LLMs propagate obsolete practices, exposing systems to collisions, brute-force, and preimage attacks.
</p>
<div class="example">
<div class="code">
<h3 class="example-title">AI Insecure Example (Java):</h3>
<pre>
MessageDigest md = MessageDigest.getInstance("MD5");
byte[] hash = md.digest(password.getBytes());
</pre>
</div>
<div class="solution">
<h3 class="example-title">Safe Solution (Java):</h3>
<pre>
String hash = BCrypt.hashpw(password, BCrypt.gensalt());
</pre>
</div>
</div>
<p class="detection"><strong>Detection:</strong> SonarQube static analysis rules, expert Source Code Review.</p>
<div class="links">
Reference: <a href="https://cwe.mitre.org/data/definitions/327.html" target="_blank">CWE-327: Use of a Broken or Risky Cryptographic Algorithm</a>
</div>
<div class="services">
<strong>🔧 Services we offer:</strong>
<span>SonarQube Setup Assistance</span>
<span>Source Code Review</span>
</div>
</div>
<!-- Poor Randomness -->
<div class="vulnerability">
<h2 class="subtitle">2. Poor Randomness or Key Generation</h2>
<p class="description">
LLMs often suggest predictable random number generators like <code>Math.random()</code> or <code>Random()</code> with fixed seeds.
This happens because examples of "simple random" are more common than cryptographic-grade randomness in training datasets.
The result: AI-generated code produces predictable keys and tokens, making authentication and encryption trivial to break.
</p>
<div class="example">
<div class="code">
<h3 class="example-title">AI Insecure Example (Java):</h3>
<pre>
Random rand = new Random(1234);
byte[] key = new byte[16];
rand.nextBytes(key);
</pre>
</div>
<div class="solution">
<h3 class="example-title">Safe Solution (Java):</h3>
<pre>
SecureRandom sr = new SecureRandom();
byte[] key = new byte[16];
sr.nextBytes(key);
</pre>
</div>
</div>
<p class="detection"><strong>Detection:</strong> SonarQube randomness rules, Source Code Review.</p>
<div class="links">
Reference: <a href="https://cwe.mitre.org/data/definitions/338.html" target="_blank">CWE-338: Use of Cryptographically Weak PRNG</a>
</div>
<div class="services">
<strong>🔧 Services we offer:</strong>
<span>SonarQube Setup Assistance</span>
<span>Source Code Review</span>
</div>
</div>
<!-- Hardcoded Keys -->
<div class="vulnerability">
<h2 class="subtitle">3. Hard-Coded or Reused Cryptographic Keys</h2>
<p class="description">
Since many open-source snippets include hard-coded keys for simplicity, LLMs replicate this dangerous practice.
Developers copying such AI outputs risk embedding permanent secrets directly in their code, leading to catastrophic leaks when repositories are exposed.
</p>
<div class="example">
<div class="code">
<h3 class="example-title">AI Insecure Example (C#):</h3>
<pre>
string secretKey = "mySecretKey123";
Encrypt(data, secretKey);
</pre>
</div>
<div class="solution">
<h3 class="example-title">Safe Solution (C#):</h3>
<pre>
string secretKey = Environment.GetEnvironmentVariable("ENCRYPTION_KEY");
Encrypt(data, secretKey);
</pre>
</div>
</div>
<p class="detection"><strong>Detection:</strong> Repository scanning, Source Code Review, SCA tools.</p>
<div class="links">
Reference: <a href="https://cwe.mitre.org/data/definitions/798.html" target="_blank">CWE-798: Use of Hard-coded Credentials</a>
</div>
<div class="services">
<strong>🔧 Services we offer:</strong>
<span>Source Code Review</span>
<span>Software Composition Analysis</span>
</div>
</div>
<!-- Misuse of Crypto Libraries -->
<div class="vulnerability">
<h2 class="subtitle">4. Misuse of Cryptographic Libraries</h2>
<p class="description">
LLMs copy-paste patterns like AES in ECB mode or missing initialization vectors because those appear in legacy code online.
The AI cannot distinguish between secure and insecure usage, causing developers to implement crypto that is functionally correct but insecure in practice.
</p>
<div class="example">
<div class="code">
<h3 class="example-title">AI Insecure Example (Java):</h3>
<pre>
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
</pre>
</div>
<div class="solution">
<h3 class="example-title">Safe Solution (Java):</h3>
<pre>
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
</pre>
</div>
</div>
<p class="detection"><strong>Detection:</strong> Software Composition Analysis, Source Code Review.</p>
<div class="links">
Reference: <a href="https://cwe.mitre.org/data/definitions/329.html" target="_blank">CWE-329: Not Using a Random IV with CBC Mode</a>
</div>
<div class="services">
<strong>🔧 Services we offer:</strong>
<span>Source Code Review</span>
<span>Software Composition Analysis</span>
</div>
</div>
<!-- TLS / Certificate Validation -->
<div class="vulnerability">
<h2 class="subtitle">5. Disabled Certificate or TLS Validation</h2>
<p class="description">
Because test code examples online frequently disable SSL validation for convenience, LLMs reproduce this anti-pattern.
AI suggests "accept all certificates," which if deployed to production, allows trivial man-in-the-middle interception.
</p>
<div class="example">
<div class="code">
<h3 class="example-title">AI Insecure Example (Java):</h3>
<pre>
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public void checkClientTrusted(...) {}
public void checkServerTrusted(...) {}
public X509Certificate[] getAcceptedIssuers() { return null; }
}
};
</pre>
</div>
<div class="solution">
<h3 class="example-title">Safe Solution (Java):</h3>
<pre>
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, null, new SecureRandom());
</pre>
</div>
</div>
<p class="detection"><strong>Detection:</strong> Source Code Review, TLS security audits.</p>
<div class="links">
Reference: <a href="https://cwe.mitre.org/data/definitions/295.html" target="_blank">CWE-295: Improper Certificate Validation</a>
</div>
<div class="services">
<strong>🔧 Services we offer:</strong>
<span>Source Code Review</span>
</div>
</div>
<!-- Improper Padding -->
<div class="vulnerability">
<h2 class="subtitle">6. Improper Padding and Error Handling</h2>
<p class="description">
LLMs generate encryption code without secure padding or with improper error handling (e.g., exposing detailed crypto exceptions).
This can lead to padding oracle attacks, enabling attackers to decrypt data without knowing the key.
</p>
<div class="example">
<div class="code">
<h3 class="example-title">AI Insecure Example (Python):</h3>
<pre>
cipher = AES.new(key, AES.MODE_CBC)
plaintext = cipher.decrypt(ciphertext) # no padding check
</pre>
</div>
<div class="solution">
<h3 class="example-title">Safe Solution (Python):</h3>
<pre>
cipher = AES.new(key, AES.MODE_GCM, nonce=os.urandom(12))
plaintext = cipher.decrypt_and_verify(ciphertext, tag)
</pre>
</div>
</div>
<p class="detection"><strong>Detection:</strong> Source Code Review, SCA, cryptography-focused audits.</p>
<div class="links">
Reference: <a href="https://cwe.mitre.org/data/definitions/209.html" target="_blank">CWE-209: Information Exposure Through an Error Message</a>
</div>
<div class="services">
<strong>🔧 Services we offer:</strong>
<span>Software Composition Analysis</span>
<span>Source Code Review</span>
</div>
</div>
<!-- Insufficient Key Length -->
<div class="vulnerability">
<h2 class="subtitle">7. Insufficient Key Length</h2>
<p class="description">
Many training examples use short keys (e.g., 56-bit DES or 128-bit RSA) simply because they run faster in demonstrations.
LLMs replicate this unsafe practice, leading developers to unknowingly generate encryption that can be brute-forced with modern hardware.
</p>
<div class="example">
<div class="code">
<h3 class="example-title">AI Insecure Example (RSA):</h3>
<pre>
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(512); // insecure
</pre>
</div>
<div class="solution">
<h3 class="example-title">Safe Solution (RSA):</h3>
<pre>
KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
kpg.initialize(2048); // secure
</pre>
</div>
</div>
<p class="detection"><strong>Detection:</strong> SonarQube static analysis, Source Code Review.</p>
<div class="links">
Reference: <a href="https://cwe.mitre.org/data/definitions/326.html" target="_blank">CWE-326: Inadequate Encryption Strength</a>
</div>
<div class="services">
<strong>🔧 Services we offer:</strong>
<span>SonarQube Setup Assistance</span>
<span>Source Code Review</span>
</div>
</div>
<!-- Final Section -->
<div class="final-section">
<h2>⚙️ How Our Services Can Help</h2>
<p>
We provide end-to-end assistance in securing AI-generated and manually written code:
</p>
<ul>
<li><strong>SonarQube Setup Assistance:</strong> Configuration of rules to detect weak crypto, hard-coded keys, and disabled TLS checks.</li>
<li><strong>Source Code Review:</strong> Expert cryptography engineers validate complex cases that automated tools miss.</li>
<li><strong>Software Composition Analysis:</strong> Detects insecure libraries, outdated dependencies, and licensing risks.</li>
<li><strong>Software Licence Analysis:</strong> Ensures open-source license compliance and reduces legal risks.</li>
</ul>
<p>
By combining automation (SonarQube, SCA) with expert reviews, we ensure that insecure AI-suggested cryptographic code never reaches production.
</p>
</div>
</section>
</body>
</html>
|