Cracking Weak Cryptography Before Quantum Computing Does

Published: 23/11/2024   Category: security




Worries over crypto's defenselessness against quantum computing have inspired a project that automates the discovery of insecure cryptographic algorithms in open source software.



BLACK HAT EUROPE 2023 – London – Researchers from Microsoft, its GitHub subsidiary, and Spain-based Banco Santander here today released a set of open source tools that identify and pinpoint weak cryptography in software, so organizations and developers can jumpstart locking down their security posture for a post-quantum computing reality.
The team — Daniel Cuthbert, global head of cybersecurity research at Banco Santander; Mark Carney, quantum hacker for Quantum Village; Niroshan Rajadurai, senior director at GitHub; and Benjamin Rodes, principal security engineer at Microsoft — over the past year and a half scanned some 4,500 GitHub open source project repositories in a quest to understand the state of cryptography in open source software. The results were grim, with nearly half of the platforms they scanned still running the aging RSA algorithm and around a quarter of them relying on SHA-1. Both algorithms are considered insecure for today's computing systems and are being replaced by stronger crypto.
The stakes get exponentially higher with emerging and powerful quantum computing technology and systems, which will be able to crack many older encryption algorithms used in software and systems today and ultimately give threat actors a new tool for hacking systems.
Government agencies around the globe have sounded the alarm on shoring up cryptography, as some experts predict quantum's arrival as early as spring of 2030, which will subsequently imperil older encryption technologies. In the US, for example, the Quantum Computing Cybersecurity Preparedness Act enforces the National Institute of Standards and Technology's (NIST) recently published post-quantum encryption standards.
The researchers — who presented their project findings and tools at Black Hat Europe today — built their project and tools based on GitHub's CodeQL static code analysis tool, which they used to scan the thousands of codebases on GitHub. They also created a so-called cryptographic bill of materials (aka CBOM) for each software project, which documents the cryptographic algorithms and their security status, flagging any insecure components.
According to Cuthbert, the tools provide security teams and code developers easy-to-use methods to discover just what cryptography is under the rug and under the bed in software, and to ensure that developers replace any aging or insecure encryption in their codebase with stronger crypto. With the CBOM, a practitioner can analyze what cryptography assets are used in an application, for example: "Is it using modern algorithms like SHA-2.6 or 3, or [the older] SHA-1 algorithm," Cuthbert told Dark Reading in an interview here. If the CBOM reveals that an application's crypto is unsafe, the developer of the project can say, "Oh, I need to fix that," he said.
The researchers used CodeQL's variant analysis tool to build a CBOM for each open source project they studied, and practitioners and developers can now do the same with it.
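A much-simplified illustration of the CBOM idea described above, added here as an example; it is not the researchers' CodeQL tooling or its output format. It walks a constructed Python snippet with the standard `ast` module and inventories `hashlib` usage; the `WEAK`/`MODERN` tables, the status labels and the record fields are assumptions made for the example.

```python
import ast

# Assumed classification tables for this example only, not the project's rules.
WEAK = {"md5", "sha1"}
MODERN = {"sha256", "sha384", "sha512", "sha3_256", "sha3_512", "blake2b"}

# Constructed sample source standing in for one file of a scanned project.
SAMPLE = '''
import hashlib
from hashlib import sha256

def fingerprint(data):
    return hashlib.sha1(data).hexdigest()

def checksum(data):
    return hashlib.new("md5", data).hexdigest()

def token(data):
    return sha256(data).hexdigest()
'''

def build_cbom(source, filename="sample.py"):
    """Return a CBOM-like inventory of hashlib algorithm uses in Python source."""
    tree = ast.parse(source)
    # Map local names bound by `from hashlib import X [as Y]` back to X.
    direct = {a.asname or a.name: a.name for n in ast.walk(tree)
              if isinstance(n, ast.ImportFrom) and n.module == "hashlib"
              for a in n.names}
    entries = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f, algo = node.func, None
        if isinstance(f, ast.Attribute) and getattr(f.value, "id", None) == "hashlib":
            algo = f.attr                      # hashlib.sha1(...)
        elif isinstance(f, ast.Name) and f.id in direct:
            algo = direct[f.id]                # sha256(...) after a from-import
        if algo is None:
            continue
        if algo == "new":                      # hashlib.new("md5", ...): name is arg 0
            arg = node.args[0] if node.args else None
            literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
            algo = arg.value.lower() if literal else "unknown"
        status = "weak" if algo in WEAK else "ok" if algo in MODERN else "review"
        entries.append({"file": filename, "line": node.lineno,
                        "algorithm": algo, "status": status})
    return sorted(entries, key=lambda e: e["line"])

print(build_cbom(SAMPLE))
```

Anything the tables do not recognise, including an algorithm name passed to `hashlib.new` as a variable, is reported as `review` rather than silently treated as safe.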
GitHub's Rajadurai said understanding the supply chain of an application is key, especially given that more than 90% of software in any given enterprise-written application comes from open source code and tools. The researchers' GitHub repository is open source and allows you to run a scan to ID the algorithms and their interdependencies in the code. It also includes the relevant actions needed to remedy weak cryptography.
"You can specify in the documentation how you want developers to address the issues, for example," he said.
Cuthbert explained in his portion of the presentation that the project is also meant to support open source developers. It tells them, "hey, we've got your back," in improving encryption in the code.
"The goal is to scan all repositories on GitHub," Cuthbert told Dark Reading at the event. "We want to scan every single repository, which is ambitious, but it’s going to happen."
Next for the project is to inspect post-quantum's impact on the encryption used in embedded hardware and low-power devices, he said. "Nobody has ever done that study before."
