Cryptography Security Check

Analyze PHP code for cryptographic vulnerabilities.

Detection Patterns

1. Weak Hashing Algorithms

// CRITICAL: Broken for passwords
$hash = md5($password);
$hash = sha1($password);
$hash = hash('sha256', $password);
$hash = crypt($password, '$1$salt$'); // MD5-based

// CRITICAL: No salt
$hash = hash('sha256', $password); // Rainbow table attack

// CORRECT:
$hash = password_hash($password, PASSWORD_ARGON2ID);
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

2. Weak Encryption Algorithms

// CRITICAL: Deprecated algorithms
$encrypted = mcrypt_encrypt(MCRYPT_DES, $key, $data);
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data);

// CRITICAL: ECB mode
$encrypted = openssl_encrypt($data, 'aes-256-ecb', $key);

// VULNERABLE: RC4, Blowfish, 3DES
$encrypted = openssl_encrypt($data, 'des-ede3-cbc', $key);

// CORRECT:
$encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, 0, $iv, $tag);

3. Hardcoded Keys

// CRITICAL: Key in source code
$key = 'my-secret-key-12345';
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key);

// CRITICAL: IV hardcoded
$iv = '1234567890123456';

// CRITICAL: Key derived from password directly
$key = $password; // Should use key derivation function

4. Insecure Random Number Generation

// CRITICAL: Predictable random
$token = rand();
$token = mt_rand();
$token = uniqid();
$token = time();
$token = microtime();

// CRITICAL: Weak seed
srand(time());
mt_srand(getmypid());

// CORRECT:
$token = bin2hex(random_bytes(32));
$token = random_int(1, 1000000);

5. Poor Key Management

// CRITICAL: Key stored with encrypted data
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key, 0, $iv);
file_put_contents('data.enc', $encrypted . "\n" . $key);

// CRITICAL: Same key for all users
$key = GLOBAL_ENCRYPTION_KEY;
$encrypted = encrypt($userData, $key);

// CRITICAL: Key in database with encrypted data
$user->setEncryptionKey($key);
$user->setEncryptedData($encrypted);

6. Missing Integrity Protection

// VULNERABLE: Encryption without authentication
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key, 0, $iv);
// No MAC/tag - susceptible to bit-flipping

// CORRECT: Authenticated encryption
$encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, 0, $iv, $tag);
// Or use sodium_crypto_aead_*

7. IV/Nonce Issues

// CRITICAL: No IV
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key);

// CRITICAL: Reused IV
static $iv = null;
if (!$iv) $iv = random_bytes(16);
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key, 0, $iv);

// CRITICAL: IV from predictable source
$iv = str_pad($userId, 16, '0');

// CORRECT:
$iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));

8. Deprecated Crypto Functions

// CRITICAL: mcrypt is deprecated (removed PHP 7.2+)
mcrypt_encrypt();
mcrypt_decrypt();
mcrypt_create_iv();

// CRITICAL: create_function (code injection + deprecated)
create_function('$a', 'return $a;');

9. Timing Attacks

// VULNERABLE: Non-constant-time comparison
if ($userToken === $storedToken) { }
if (strcmp($a, $b) === 0) { }

// CORRECT:
if (hash_equals($storedToken, $userToken)) { }

10. Certificate Validation

// CRITICAL: Disabled SSL verification
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

// CRITICAL: In stream context
$context = stream_context_create([
    'ssl' => ['verify_peer' => false]
]);

Grep Patterns

# Weak hashing
Grep: "md5\(|sha1\(|crypt\(" --glob "**/*.php"

# Weak encryption
Grep: "mcrypt_|MCRYPT_|des-|rc4|blowfish" -i --glob "**/*.php"

# Hardcoded keys
Grep: "(key|secret|password)\s*=\s*['\"][^'\"]{8,}['\"]" -i --glob "**/*.php"

# Weak random
Grep: "rand\(|mt_rand\(|uniqid\(" --glob "**/*.php"

# Disabled SSL
Grep: "SSL_VERIFYPEER.*false|verify_peer.*false" --glob "**/*.php"

# Non-constant-time comparison
Grep: "===.*token|\$token\s*===" --glob "**/*.php"

Severity Classification

Pattern	Severity
MD5/SHA1 for passwords	🔴 Critical
Hardcoded encryption keys	🔴 Critical
Disabled SSL verification	🔴 Critical
Predictable random	🔴 Critical
ECB mode encryption	🟠 Major
Missing integrity check	🟠 Major
Timing attack	🟠 Major
Reused IV	🟠 Major

Best Practices

Password Hashing

$hash = password_hash($password, PASSWORD_ARGON2ID, [
    'memory_cost' => 65536,
    'time_cost' => 4,
    'threads' => 3
]);

// Or bcrypt
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

Encryption

// Use libsodium (built into PHP 7.2+)
$key = sodium_crypto_secretbox_keygen();
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = sodium_crypto_secretbox($data, $nonce, $key);

// Or OpenSSL with GCM
$iv = random_bytes(12);
$encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, 0, $iv, $tag);

Secure Random

$bytes = random_bytes(32);
$int = random_int(1, 100);

Key Derivation

$key = sodium_crypto_pwhash(
    32,
    $password,
    $salt,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);

Output Format

### Cryptography Issue: [Description]

**Severity:** 🔴/🟠/🟡
**Location:** `file.php:line`
**CWE:** CWE-327 (Use of Broken Crypto Algorithm)

**Issue:**
[Description of the cryptographic weakness]

**Attack Vector:**
[How attacker exploits this]

**Code:**
```php
// Vulnerable code

Fix:

// Secure cryptography

check-crypto-usage

Cryptography Security Check

Detection Patterns

1. Weak Hashing Algorithms

2. Weak Encryption Algorithms

3. Hardcoded Keys

4. Insecure Random Number Generation

5. Poor Key Management

6. Missing Integrity Protection

7. IV/Nonce Issues

8. Deprecated Crypto Functions

9. Timing Attacks

10. Certificate Validation

Grep Patterns

Severity Classification

Best Practices

Password Hashing

Encryption

Secure Random

Key Derivation

Output Format

More from dykyi-roman/awesome-claude-code

psr-overview-knowledge

detect-code-smells

clean-arch-knowledge

ddd-knowledge

testing-knowledge

bug-root-cause-finder