Security specialty

Cryptography

Browse every cataloged workflow for cryptography, with source context, tags, and security framework mappings intact.

Complete collection

Skills in this domain

16 skills

cybersecuritySkill

Configuring Certificate Authority with OpenSSL

A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA + Intermediate CA) using OpenSSL and the Python cryptography library, including CRL distribution, OCSP responder configuration, and certificate policy management.

Cryptography
certificate-authoritycryptographyopensslpki+1
ATT&CK, 4 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Configuring HSM for Key Storage

Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never leave the device boundary, providing the highest level of key protection. This skill covers configuring HSMs using the PKCS#11 standard interface, including key generation, signing, encryption, and key management using both physical HSMs and SoftHSM2 for development.

Cryptography
cryptographyhardware-securityhsmkey-management+1
ATT&CK, 3 mappingsNIST CSF, 3 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Configuring TLS 1.3 for Secure Communications

TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements over TLS 1.2 in both security and performance. It reduces handshake latency to 1-RTT (and 0-RTT for resumed sessions), removes obsolete cipher suites, and mandates perfect forward secrecy. This skill covers configuring TLS 1.3 on servers, validating configurations, and testing for common misconfigurations.

Cryptography
cryptographynetwork-securityssltls+1
ATT&CK, 5 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Implementing AES Encryption for Data at Rest

AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM mode for encrypting files and data stores at rest, including proper key derivation, IV/nonce management, and authenticated encryption.

Cryptography
aescryptographydata-at-restencryption+1
ATT&CK, 4 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Implementing Digital Signatures with Ed25519

Ed25519 is a high-performance digital signature algorithm using the Edwards curve Curve25519. It provides 128-bit security with 64-byte signatures and 32-byte keys, offering significant advantages over RSA and ECDSA including deterministic signatures (no random nonce needed), resistance to side-channel attacks, and fast verification. This skill covers implementing Ed25519 for document signing, code signing, and API authentication.

Cryptography
authenticationcryptographydigital-signaturesed25519+1
ATT&CK, 3 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Implementing End-to-End Encryption for Messaging

End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary (including the server) able to decrypt them. This skill implements a simplified version of the Signal Protocol's Double Ratchet algorithm, using X25519 for key exchange, HKDF for key derivation, and AES-256-GCM for message encryption.

Cryptography
cryptographye2eencryptionmessaging+1
ATT&CK, 4 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Implementing Envelope Encryption with AWS KMS

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.

Cryptography
awscryptographyencryptionenvelope-encryption+2
ATT&CK, 5 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Implementing JWT Signing and Verification

JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256, RSA-PSS, and EdDSA algorithms, along with verification, token expiration, claims validation, and defense against common JWT attacks (algorithm confusion, none algorithm, key injection).

Cryptography
authenticationcryptographydigital-signaturesjwt+1
ATT&CK, 3 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Implementing RSA Key Pair Management

RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric cryptographic algorithm, used for digital signatures, key exchange, and encryption. This skill covers generating, storing, rotating, and managing RSA key pairs following NIST SP 800-57 key management guidelines, including key serialization formats (PEM, DER, PKCS#8), passphrase protection, and key strength validation.

Cryptography
asymmetric-encryptioncryptographykey-managementpki+1
ATT&CK, 4 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Implementing Zero-Knowledge Proof for Authentication

Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identification protocol and a simplified ZKPP (Zero-Knowledge Password Proof) using the discrete logarithm problem, enabling authentication where the server never learns the user's password.

Cryptography
authenticationcryptographyprivacyzero-knowledge-proof+1
ATT&CK, 3 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Migrating to Post-Quantum Cryptography

Inventory cryptography, deploy hybrid X25519 and ML-KEM, and prioritize harvest-now-decrypt-later data.

Cryptography
cbomcrypto-agilitycryptographyml-dsa+4
ATT&CK, 3 mappingsNIST CSF, 1 mapping
cybersecuritySkill

Performing Cryptographic Audit of Application

A cryptographic audit systematically reviews an application's use of cryptographic primitives, protocols, and key management to identify vulnerabilities such as weak algorithms, insecure modes, hardcoded keys, insufficient entropy, and protocol misconfigurations. This skill covers building an automated crypto audit tool that scans Python and configuration files for common cryptographic weaknesses.

Cryptography
auditcompliancecryptographysecurity-review+1
ATT&CK, 3 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Performing Hardware Security Module Integration

Integrate Hardware Security Modules (HSMs) using PKCS#11 interface for cryptographic key management, signing operations, and secure key storage with python-pkcs11, AWS CloudHSM, and YubiHSM2.

Cryptography
cloudhsmcryptographic-operationshardware-securityhsm+3
ATT&CK, 5 mappingsNIST CSF, 3 mappingsATLAS, 3 mappingsAI RMF, 3 mappings
cybersecuritySkill

Performing Hash Cracking with Hashcat

Hash cracking is an essential skill for penetration testers and security auditors to evaluate password strength. Hashcat is the world's fastest password recovery tool, supporting over 300 hash types with GPU acceleration. This skill covers using hashcat for authorized password auditing, understanding attack modes, creating effective rule sets, and generating hash analysis reports. This is strictly for authorized penetration testing and password policy assessment.

Cryptography
cryptographyhash-crackinghashcatpassword-security+1
ATT&CK, 3 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Performing Post-Quantum Cryptography Migration

Assesses organizational readiness for post-quantum cryptography migration per NIST FIPS 203/204/205 standards. Performs cryptographic inventory scanning to identify quantum-vulnerable algorithms (RSA, ECDH, ECDSA), evaluates hybrid TLS configurations with X25519MLKEM768, and validates CRYSTALS-Kyber (ML-KEM) and CRYSTALS-Dilithium (ML-DSA) readiness. Implements crypto-agility assessment using oqs-provider for OpenSSL. Use when planning or executing the transition from classical to post-quantum cryptographic algorithms across enterprise infrastructure.

Cryptography
crypto-agilitycrystals-kyberfips-203fips-204+5
ATT&CK, 7 mappingsNIST CSF, 3 mappings
cybersecuritySkill

Performing SSL Certificate Lifecycle Management

SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading cause of outages and security incidents. This skill covers automating the entire certificate lifecycle using Python and ACME protocol tools.

Cryptography
certificatescryptographykey-managementpki+2
ATT&CK, 4 mappingsNIST CSF, 3 mappings