cybersecuritySkill
A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA + Intermediate CA) using OpenSSL and the Python cryptography library, including CRL distribution, OCSP responder configuration, and certificate policy management.
Cryptography
certificate-authoritycryptographyopensslpki+1
ATT&CK4, 4 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Hardware Security Modules (HSMs) are tamper-resistant physical devices that safeguard cryptographic keys and perform cryptographic operations in a hardened environment. Keys stored in an HSM never leave the device boundary, providing the highest level of key protection. This skill covers configuring HSMs using the PKCS#11 standard interface, including key generation, signing, encryption, and key management using both physical HSMs and SoftHSM2 for development.
Cryptography
cryptographyhardware-securityhsmkey-management+1
ATT&CK3, 3 mappingsNIST CSF3, 3 mappingsATLAS3, 3 mappingsAI RMF3, 3 mappings
cybersecuritySkill
TLS 1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, providing significant improvements over TLS 1.2 in both security and performance. It reduces handshake latency to 1-RTT (and 0-RTT for resumed sessions), removes obsolete cipher suites, and mandates perfect forward secrecy. This skill covers configuring TLS 1.3 on servers, validating configurations, and testing for common misconfigurations.
Cryptography
cryptographynetwork-securityssltls+1
ATT&CK5, 5 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM mode for encrypting files and data stores at rest, including proper key derivation, IV/nonce management, and authenticated encryption.
Cryptography
aescryptographydata-at-restencryption+1
ATT&CK4, 4 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Ed25519 is a high-performance digital signature algorithm using the Edwards curve Curve25519. It provides 128-bit security with 64-byte signatures and 32-byte keys, offering significant advantages over RSA and ECDSA including deterministic signatures (no random nonce needed), resistance to side-channel attacks, and fast verification. This skill covers implementing Ed25519 for document signing, code signing, and API authentication.
Cryptography
authenticationcryptographydigital-signaturesed25519+1
ATT&CK3, 3 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary (including the server) able to decrypt them. This skill implements a simplified version of the Signal Protocol's Double Ratchet algorithm, using X25519 for key exchange, HKDF for key derivation, and AES-256-GCM for message encryption.
Cryptography
cryptographye2eencryptionmessaging+1
ATT&CK4, 4 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This skill covers implementing envelope encryption using AWS KMS GenerateDataKey API.
Cryptography
awscryptographyencryptionenvelope-encryption+2
ATT&CK5, 5 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
JSON Web Tokens (JWT) defined in RFC 7519 are compact, URL-safe tokens used for authentication and authorization in web applications. This skill covers implementing secure JWT signing with HMAC-SHA256, RSA-PSS, and EdDSA algorithms, along with verification, token expiration, claims validation, and defense against common JWT attacks (algorithm confusion, none algorithm, key injection).
Cryptography
authenticationcryptographydigital-signaturesjwt+1
ATT&CK3, 3 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
RSA (Rivest-Shamir-Adleman) is the most widely deployed asymmetric cryptographic algorithm, used for digital signatures, key exchange, and encryption. This skill covers generating, storing, rotating, and managing RSA key pairs following NIST SP 800-57 key management guidelines, including key serialization formats (PEM, DER, PKCS#8), passphrase protection, and key strength validation.
Cryptography
asymmetric-encryptioncryptographykey-managementpki+1
ATT&CK4, 4 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identification protocol and a simplified ZKPP (Zero-Knowledge Password Proof) using the discrete logarithm problem, enabling authentication where the server never learns the user's password.
Cryptography
authenticationcryptographyprivacyzero-knowledge-proof+1
ATT&CK3, 3 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Inventory cryptography, deploy hybrid X25519 and ML-KEM, and prioritize harvest-now-decrypt-later data.
Cryptography
cbomcrypto-agilitycryptographyml-dsa+4
ATT&CK3, 3 mappingsNIST CSF1, 1 mapping
cybersecuritySkill
A cryptographic audit systematically reviews an application's use of cryptographic primitives, protocols, and key management to identify vulnerabilities such as weak algorithms, insecure modes, hardcoded keys, insufficient entropy, and protocol misconfigurations. This skill covers building an automated crypto audit tool that scans Python and configuration files for common cryptographic weaknesses.
Cryptography
auditcompliancecryptographysecurity-review+1
ATT&CK3, 3 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Integrate Hardware Security Modules (HSMs) using PKCS#11 interface for cryptographic key management, signing operations, and secure key storage with python-pkcs11, AWS CloudHSM, and YubiHSM2.
Cryptography
cloudhsmcryptographic-operationshardware-securityhsm+3
ATT&CK5, 5 mappingsNIST CSF3, 3 mappingsATLAS3, 3 mappingsAI RMF3, 3 mappings
cybersecuritySkill
Hash cracking is an essential skill for penetration testers and security auditors to evaluate password strength. Hashcat is the world's fastest password recovery tool, supporting over 300 hash types with GPU acceleration. This skill covers using hashcat for authorized password auditing, understanding attack modes, creating effective rule sets, and generating hash analysis reports. This is strictly for authorized penetration testing and password policy assessment.
Cryptography
cryptographyhash-crackinghashcatpassword-security+1
ATT&CK3, 3 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
Assesses organizational readiness for post-quantum cryptography migration per NIST FIPS 203/204/205 standards. Performs cryptographic inventory scanning to identify quantum-vulnerable algorithms (RSA, ECDH, ECDSA), evaluates hybrid TLS configurations with X25519MLKEM768, and validates CRYSTALS-Kyber (ML-KEM) and CRYSTALS-Dilithium (ML-DSA) readiness. Implements crypto-agility assessment using oqs-provider for OpenSSL. Use when planning or executing the transition from classical to post-quantum cryptographic algorithms across enterprise infrastructure.
Cryptography
crypto-agilitycrystals-kyberfips-203fips-204+5
ATT&CK7, 7 mappingsNIST CSF3, 3 mappings
cybersecuritySkill
SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading cause of outages and security incidents. This skill covers automating the entire certificate lifecycle using Python and ACME protocol tools.
Cryptography
certificatescryptographykey-managementpki+2
ATT&CK4, 4 mappingsNIST CSF3, 3 mappings