mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 04:35:18 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,76 @@
|
||||
# Standards and References - AES Encryption for Data at Rest
|
||||
|
||||
## Primary Standards
|
||||
|
||||
### NIST FIPS 197 - Advanced Encryption Standard (AES)
|
||||
- **URL**: https://csrc.nist.gov/publications/detail/fips/197/final
|
||||
- **Description**: Defines the AES algorithm (Rijndael) with key sizes of 128, 192, and 256 bits
|
||||
- **Block size**: 128 bits (16 bytes)
|
||||
- **Key sizes**: 128, 192, or 256 bits
|
||||
- **Rounds**: 10 (128-bit), 12 (192-bit), 14 (256-bit)
|
||||
|
||||
### NIST SP 800-38D - Recommendation for Block Cipher Modes: GCM and GMAC
|
||||
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-38d/final
|
||||
- **Description**: Specifies Galois/Counter Mode (GCM) for authenticated encryption
|
||||
- **IV length**: 96 bits recommended for GCM
|
||||
- **Tag length**: 128 bits recommended (minimum 96 bits)
|
||||
- **Max plaintext**: 2^39 - 256 bits per invocation
|
||||
|
||||
### NIST SP 800-132 - Recommendation for Password-Based Key Derivation
|
||||
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-132/final
|
||||
- **Description**: Covers PBKDF2 for deriving cryptographic keys from passwords
|
||||
- **Minimum iterations**: 600,000 (OWASP 2024 recommendation for PBKDF2-SHA256)
|
||||
- **Salt length**: Minimum 128 bits (16 bytes)
|
||||
|
||||
### NIST SP 800-38A - Recommendation for Block Cipher Modes of Operation
|
||||
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-38a/final
|
||||
- **Description**: Defines ECB, CBC, CFB, OFB, and CTR modes
|
||||
|
||||
### NIST SP 800-57 Part 1 Rev. 5 - Key Management
|
||||
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final
|
||||
- **Description**: Recommendations for cryptographic key lengths and algorithms
|
||||
- **AES-256 security strength**: 256 bits
|
||||
- **Recommended until**: Beyond 2031
|
||||
|
||||
## RFC Standards
|
||||
|
||||
### RFC 5116 - An Interface and Algorithms for Authenticated Encryption
|
||||
- **URL**: https://www.rfc-editor.org/rfc/rfc5116
|
||||
- **Description**: Defines AEAD interface including AES-GCM
|
||||
|
||||
### RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
|
||||
- **URL**: https://www.rfc-editor.org/rfc/rfc5869
|
||||
- **Description**: Key derivation from existing key material (not passwords)
|
||||
|
||||
### RFC 9106 - Argon2 Memory-Hard Function
|
||||
- **URL**: https://www.rfc-editor.org/rfc/rfc9106
|
||||
- **Description**: Argon2 password hashing / key derivation specification
|
||||
- **Recommended variant**: Argon2id (hybrid of Argon2i and Argon2d)
|
||||
|
||||
## Compliance Frameworks
|
||||
|
||||
### PCI DSS v4.0 - Requirement 3
|
||||
- Encrypt stored cardholder data with strong cryptography
|
||||
- AES-256 meets the strong cryptography requirement
|
||||
- Key management procedures required
|
||||
|
||||
### HIPAA Security Rule - 45 CFR 164.312(a)(2)(iv)
|
||||
- Encryption of ePHI at rest is an addressable implementation specification
|
||||
- AES-256 is an acceptable encryption method
|
||||
|
||||
### GDPR Article 32 - Security of Processing
|
||||
- Encryption is listed as an appropriate technical measure
|
||||
- AES-256 satisfies encryption requirements for personal data protection
|
||||
|
||||
## Python Library References
|
||||
|
||||
### cryptography (pyca/cryptography)
|
||||
- **URL**: https://cryptography.io/en/latest/
|
||||
- **PyPI**: https://pypi.org/project/cryptography/
|
||||
- **AES-GCM**: `cryptography.hazmat.primitives.ciphers.aead.AESGCM`
|
||||
- **PBKDF2**: `cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`
|
||||
|
||||
### PyCryptodome
|
||||
- **URL**: https://pycryptodome.readthedocs.io/
|
||||
- **PyPI**: https://pypi.org/project/pycryptodome/
|
||||
- **AES-GCM**: `Crypto.Cipher.AES` with `MODE_GCM`
|
||||
@@ -0,0 +1,122 @@
|
||||
# Workflows - AES Encryption for Data at Rest
|
||||
|
||||
## Workflow 1: Single File Encryption
|
||||
|
||||
```
|
||||
[Input File] --> [Read File Bytes]
|
||||
|
|
||||
[Derive Key from Password]
|
||||
(PBKDF2 / Argon2id + random salt)
|
||||
|
|
||||
[Generate Random Nonce]
|
||||
(12 bytes from CSPRNG)
|
||||
|
|
||||
[AES-256-GCM Encrypt]
|
||||
(key + nonce + plaintext --> ciphertext + tag)
|
||||
|
|
||||
[Write Encrypted File]
|
||||
(salt || nonce || ciphertext || tag)
|
||||
```
|
||||
|
||||
## Workflow 2: Single File Decryption
|
||||
|
||||
```
|
||||
[Encrypted File] --> [Parse Header]
|
||||
(extract salt, nonce)
|
||||
|
|
||||
[Derive Key from Password]
|
||||
(same PBKDF2 / Argon2id params + extracted salt)
|
||||
|
|
||||
[AES-256-GCM Decrypt]
|
||||
(key + nonce + ciphertext + tag)
|
||||
|
|
||||
[Verify Authentication Tag]
|
||||
(reject if tag invalid)
|
||||
|
|
||||
[Write Decrypted File]
|
||||
```
|
||||
|
||||
## Workflow 3: Streaming Encryption for Large Files
|
||||
|
||||
```
|
||||
[Large Input File]
|
||||
|
|
||||
[Read in Chunks] (e.g., 64KB chunks)
|
||||
|
|
||||
[For Each Chunk]:
|
||||
- [Encrypt chunk with AES-256-CTR]
|
||||
- [Update HMAC with ciphertext chunk]
|
||||
- [Write encrypted chunk to output]
|
||||
|
|
||||
[Finalize HMAC]
|
||||
[Append HMAC tag to output]
|
||||
```
|
||||
|
||||
## Workflow 4: Directory Tree Encryption
|
||||
|
||||
```
|
||||
[Source Directory]
|
||||
|
|
||||
[Walk Directory Tree]
|
||||
|
|
||||
[For Each File]:
|
||||
- [Derive unique file key from master key + file path]
|
||||
- [Generate random nonce]
|
||||
- [AES-256-GCM encrypt file]
|
||||
- [Write encrypted file preserving directory structure]
|
||||
|
|
||||
[Create Manifest File]
|
||||
(maps original paths to encrypted paths with metadata)
|
||||
```
|
||||
|
||||
## Workflow 5: Key Derivation Pipeline
|
||||
|
||||
```
|
||||
[User Password]
|
||||
|
|
||||
[Generate Random Salt] (16 bytes)
|
||||
|
|
||||
[PBKDF2-SHA256]
|
||||
- iterations: 600,000+
|
||||
- dkLen: 32 bytes (256 bits)
|
||||
|
|
||||
[Derived Key (256-bit)]
|
||||
|
|
||||
[Optional: HKDF Expand]
|
||||
- Derive multiple subkeys from single derived key
|
||||
- info="encryption" --> encryption key
|
||||
- info="authentication" --> HMAC key
|
||||
```
|
||||
|
||||
## Workflow 6: Envelope Encryption Pattern
|
||||
|
||||
```
|
||||
[Master Key] (stored in HSM/KMS)
|
||||
|
|
||||
[Generate Random Data Encryption Key (DEK)]
|
||||
(32 bytes from CSPRNG)
|
||||
|
|
||||
[Encrypt DEK with Master Key] --> [Encrypted DEK]
|
||||
|
|
||||
[Encrypt Data with DEK] --> [Ciphertext]
|
||||
|
|
||||
[Store: Encrypted DEK + Ciphertext]
|
||||
[Securely Wipe DEK from Memory]
|
||||
```
|
||||
|
||||
## Error Handling Workflow
|
||||
|
||||
```
|
||||
[Decryption Attempt]
|
||||
|
|
||||
[Parse Header] --FAIL--> [Return: Corrupt/invalid file format]
|
||||
|
|
||||
[Derive Key] --FAIL--> [Return: KDF parameter error]
|
||||
|
|
||||
[Decrypt + Verify Tag]
|
||||
|
|
||||
[Tag Valid?]
|
||||
YES --> [Return plaintext]
|
||||
NO --> [Return: Authentication failed - data tampered]
|
||||
[DO NOT return partial plaintext]
|
||||
```
|
||||
Reference in New Issue
Block a user