Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,76 @@
# Standards and References - AES Encryption for Data at Rest
## Primary Standards
### NIST FIPS 197 - Advanced Encryption Standard (AES)
- **URL**: https://csrc.nist.gov/publications/detail/fips/197/final
- **Description**: Defines the AES algorithm (Rijndael) with key sizes of 128, 192, and 256 bits
- **Block size**: 128 bits (16 bytes)
- **Key sizes**: 128, 192, or 256 bits
- **Rounds**: 10 (128-bit), 12 (192-bit), 14 (256-bit)
### NIST SP 800-38D - Recommendation for Block Cipher Modes: GCM and GMAC
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-38d/final
- **Description**: Specifies Galois/Counter Mode (GCM) for authenticated encryption
- **IV length**: 96 bits recommended for GCM
- **Tag length**: 128 bits recommended (minimum 96 bits)
- **Max plaintext**: 2^39 - 256 bits per invocation
### NIST SP 800-132 - Recommendation for Password-Based Key Derivation
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-132/final
- **Description**: Covers PBKDF2 for deriving cryptographic keys from passwords
- **Minimum iterations**: 600,000 (OWASP 2024 recommendation for PBKDF2-SHA256)
- **Salt length**: Minimum 128 bits (16 bytes)
### NIST SP 800-38A - Recommendation for Block Cipher Modes of Operation
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-38a/final
- **Description**: Defines ECB, CBC, CFB, OFB, and CTR modes
### NIST SP 800-57 Part 1 Rev. 5 - Key Management
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final
- **Description**: Recommendations for cryptographic key lengths and algorithms
- **AES-256 security strength**: 256 bits
- **Recommended until**: Beyond 2031
## RFC Standards
### RFC 5116 - An Interface and Algorithms for Authenticated Encryption
- **URL**: https://www.rfc-editor.org/rfc/rfc5116
- **Description**: Defines AEAD interface including AES-GCM
### RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
- **URL**: https://www.rfc-editor.org/rfc/rfc5869
- **Description**: Key derivation from existing key material (not passwords)
### RFC 9106 - Argon2 Memory-Hard Function
- **URL**: https://www.rfc-editor.org/rfc/rfc9106
- **Description**: Argon2 password hashing / key derivation specification
- **Recommended variant**: Argon2id (hybrid of Argon2i and Argon2d)
## Compliance Frameworks
### PCI DSS v4.0 - Requirement 3
- Encrypt stored cardholder data with strong cryptography
- AES-256 meets the strong cryptography requirement
- Key management procedures required
### HIPAA Security Rule - 45 CFR 164.312(a)(2)(iv)
- Encryption of ePHI at rest is an addressable implementation specification
- AES-256 is an acceptable encryption method
### GDPR Article 32 - Security of Processing
- Encryption is listed as an appropriate technical measure
- AES-256 satisfies encryption requirements for personal data protection
## Python Library References
### cryptography (pyca/cryptography)
- **URL**: https://cryptography.io/en/latest/
- **PyPI**: https://pypi.org/project/cryptography/
- **AES-GCM**: `cryptography.hazmat.primitives.ciphers.aead.AESGCM`
- **PBKDF2**: `cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`
### PyCryptodome
- **URL**: https://pycryptodome.readthedocs.io/
- **PyPI**: https://pypi.org/project/pycryptodome/
- **AES-GCM**: `Crypto.Cipher.AES` with `MODE_GCM`
@@ -0,0 +1,122 @@
# Workflows - AES Encryption for Data at Rest
## Workflow 1: Single File Encryption
```
[Input File] --> [Read File Bytes]
|
[Derive Key from Password]
(PBKDF2 / Argon2id + random salt)
|
[Generate Random Nonce]
(12 bytes from CSPRNG)
|
[AES-256-GCM Encrypt]
(key + nonce + plaintext --> ciphertext + tag)
|
[Write Encrypted File]
(salt || nonce || ciphertext || tag)
```
## Workflow 2: Single File Decryption
```
[Encrypted File] --> [Parse Header]
(extract salt, nonce)
|
[Derive Key from Password]
(same PBKDF2 / Argon2id params + extracted salt)
|
[AES-256-GCM Decrypt]
(key + nonce + ciphertext + tag)
|
[Verify Authentication Tag]
(reject if tag invalid)
|
[Write Decrypted File]
```
## Workflow 3: Streaming Encryption for Large Files
```
[Large Input File]
|
[Read in Chunks] (e.g., 64KB chunks)
|
[For Each Chunk]:
- [Encrypt chunk with AES-256-CTR]
- [Update HMAC with ciphertext chunk]
- [Write encrypted chunk to output]
|
[Finalize HMAC]
[Append HMAC tag to output]
```
## Workflow 4: Directory Tree Encryption
```
[Source Directory]
|
[Walk Directory Tree]
|
[For Each File]:
- [Derive unique file key from master key + file path]
- [Generate random nonce]
- [AES-256-GCM encrypt file]
- [Write encrypted file preserving directory structure]
|
[Create Manifest File]
(maps original paths to encrypted paths with metadata)
```
## Workflow 5: Key Derivation Pipeline
```
[User Password]
|
[Generate Random Salt] (16 bytes)
|
[PBKDF2-SHA256]
- iterations: 600,000+
- dkLen: 32 bytes (256 bits)
|
[Derived Key (256-bit)]
|
[Optional: HKDF Expand]
- Derive multiple subkeys from single derived key
- info="encryption" --> encryption key
- info="authentication" --> HMAC key
```
## Workflow 6: Envelope Encryption Pattern
```
[Master Key] (stored in HSM/KMS)
|
[Generate Random Data Encryption Key (DEK)]
(32 bytes from CSPRNG)
|
[Encrypt DEK with Master Key] --> [Encrypted DEK]
|
[Encrypt Data with DEK] --> [Ciphertext]
|
[Store: Encrypted DEK + Ciphertext]
[Securely Wipe DEK from Memory]
```
## Error Handling Workflow
```
[Decryption Attempt]
|
[Parse Header] --FAIL--> [Return: Corrupt/invalid file format]
|
[Derive Key] --FAIL--> [Return: KDF parameter error]
|
[Decrypt + Verify Tag]
|
[Tag Valid?]
YES --> [Return plaintext]
NO --> [Return: Authentication failed - data tampered]
[DO NOT return partial plaintext]
```