What Is Weak Cryptography?

What Is Weak Cryptography?

Weak cryptography is the use of broken, outdated, or misconfigured cryptographic algorithms that fail to protect data, tokens, signatures, or agent secrets. It is an AI security risk in eval pipelines, generated-code review, production traces, and tool-calling systems because models and agents may create or execute unsafe crypto defaults. FutureAGI surfaces it through eval:WeakCryptoDetector, which flags weak algorithms such as MD5, SHA-1, DES, RC4, or unsafe modes before they ship.

Why weak cryptography matters in production LLM/agent systems

Weak cryptography turns a correct-looking AI feature into a security liability. A code agent may generate a password-reset flow that hashes tokens with MD5. A support automation tool may sign callback payloads with SHA-1. A workflow agent may copy an old encryption helper that uses DES or AES-ECB because it appeared in retrieved documentation. The application works in tests, but the protection objective is already lost.

Two failure modes show up often: token forgery and ciphertext recovery. Token forgery happens when an attacker can predict, collide, or replay a value that the system treats as proof of identity. Ciphertext recovery happens when obsolete ciphers, weak modes, or reused initialization vectors reveal patterns in supposedly private data.

The pain is split across teams. Developers see normal unit-test pass rates and no syntax errors. SREs see no obvious latency spike, but security findings rise in CI, generated-code review, or post-deploy scans. Compliance teams need evidence that regulated data was not protected with deprecated algorithms. End users feel the impact only after a breach, account takeover, or leaked transcript.

Agentic systems make the risk sharper in 2026-era pipelines. The same agent can read a ticket, generate code, call a deployment tool, and store a summary in memory. If a weak crypto helper enters that chain, it can be reused across many customers before a human review sees it.

How FutureAGI handles weak cryptography

FutureAGI maps this term to eval:WeakCryptoDetector. The inventory definition is narrow and concrete: WeakCryptoDetector detects use of weak cryptographic algorithms, including CWE-327 and CWE-328 patterns. For adjacent cases, WeakKeySizeDetector checks inadequate key sizes, while CryptographySecurityScore gives teams a cryptography-focused security signal across a run.

A real workflow starts with a code-writing agent instrumented through traceAI-langchain. The agent receives a task to add webhook verification. It retrieves an old internal snippet, emits Python using hashlib.sha1(secret + body), and sends the patch through a tool call. FutureAGI records the prompt version, model, generated code, tool.output, repository path, and agent.trajectory.step. Before the patch can move to review, the eval job runs WeakCryptoDetector against generated code and tool output.

FutureAGI’s approach is trace-attached security evaluation: a weak-crypto finding is tied back to the prompt, source document, model route, and agent step that produced it. Unlike a Semgrep-only scan that reports a file-level static finding, this gives the engineer the LLM context needed to fix the prompt, quarantine the retrieved snippet, or add a regression eval.

The next action should be mechanical. Block the release if WeakCryptoDetector finds a weak algorithm in authentication, payment, secrets, or regulated-data paths. Add the failing trace to a security dataset. Then rerun the same eval after changing the prompt, tool policy, or gateway pre-guardrail.

How to measure or detect weak cryptography

Measure weak cryptography as a security finding, not a model-quality opinion:

• WeakCryptoDetector — detects weak cryptographic algorithms such as deprecated hashes, ciphers, or unsafe cryptographic choices.
• WeakKeySizeDetector — detects inadequate encryption key sizes, which often appears beside weak algorithm selection.
• CryptographySecurityScore — summarizes cryptography-focused security findings for a dataset, run, or release gate.
• Trace evidence — inspect generated code, tool.output, repository path, prompt version, model route, and agent.trajectory.step.
• Dashboard signal — track weak-crypto-findings-per-run, eval-fail-rate-by-repository, findings-by-model, and time-to-remediate.

from fi.evals import WeakCryptoDetector

sample = "hashlib.md5(token.encode()).hexdigest()"
result = WeakCryptoDetector().evaluate(input=sample)
print(result)

For production gates, segment thresholds by risk area. A weak hash in a disposable cache key is not the same incident as a weak hash in password reset, payment signing, or customer-data encryption.

Common mistakes

Most weak-crypto misses come from treating security-sensitive code as ordinary generated text.

• Treating MD5 as harmless plumbing. Generated code can move a checksum pattern into tokens, signatures, or identity flows.
• Checking only application code. Agents can emit vulnerable snippets through tool calls, notebooks, migrations, and customer-specific templates.
• Ignoring key size and mode. Algorithm names alone miss RSA-1024, AES-ECB, reused IVs, and unsigned downgrade paths.
• Accepting passing tests as proof. Crypto regressions often preserve functional behavior while removing the protection margin.
• Storing only sanitized previews. Review needs raw generated code, tool output, model, prompt version, and source trace.

The shared pattern is scope. Weak cryptography rarely announces itself as a model failure; it appears as ordinary code with unsafe defaults.