Files
Anthropic-Cybersecurity-Skills/skills/migrating-to-post-quantum-cryptography/references/api-reference.md
T
mukul975 8cae0648ec Add 55 new skills across 3 new domains + 6 undercovered areas (762 -> 817)
Demand-driven expansion targeting the fastest-growing 2025-2026 threat and
skills categories (ISC2/WEF/CrowdStrike/Mandiant signals):

- AI Security (NEW domain, 12 skills): LLM red-teaming with garak/PyRIT,
  prompt injection (direct/indirect/RAG), MCP tool-poisoning, agentic tool
  invocation, guardrails, model/data poisoning, system-prompt leakage,
  embedding/vector weaknesses, model extraction, continuous red-teaming
- Supply Chain Security (NEW domain, 5 skills): SBOMs, dependency confusion,
  malicious-npm triage, typosquatting, SLSA/Sigstore provenance
- Hardware & Firmware Security (NEW domain, 4 skills): CHIPSEC/UEFI audit,
  Secure Boot bypass, TPM measured-boot attestation, ESP bootkit hunting
- Identity (10): Entra ID/ROADtools, GraphRunner, AADInternals, ADCS/Certipy,
  shadow credentials, coercion, BloodHound CE, device-code phishing, SSO abuse
- Cloud-native (8): Stratus, Pacu, CloudFox, container escape, K8s RBAC,
  Falco, Trivy, kube-bench
- Offensive C2 (6): Sliver, Havoc, NetExec, DPAPI, NTLM relay ESC8, redirectors
- DFIR (6): Hayabusa, Chainsaw, KAPE, Velociraptor, EZ Tools, Plaso
- Backfill (4): OpenCTI, MISP, honeytokens, post-quantum crypto migration

Each skill follows the repo taxonomy (SKILL.md + references/{standards,api-reference}.md
+ scripts/agent.py + LICENSE), with researched real tool commands (no placeholders),
complete frontmatter, and ATT&CK/ATLAS + NIST CSF mappings. Updates README domain
table, skill count, and index.json.
2026-06-22 19:08:16 +02:00

76 lines
2.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# OpenSSL PQC Command Reference
## Discovery
| Task | Command |
|------|---------|
| OpenSSL version (need 3.5+) | `openssl version` |
| List quantum-safe KEMs | `openssl list -kem-algorithms \| grep -i mlkem` |
| List quantum-safe signatures | `openssl list -signature-algorithms \| grep -Ei 'mldsa\|slhdsa'` |
| List TLS groups | `openssl list -tls-groups \| grep -i mlkem` |
| Inspect cert algorithm | `openssl x509 -in server.crt -noout -text \| grep -E 'Signature Algorithm\|Public Key'` |
## Key generation
| Task | Command (OpenSSL 3.5+) | oqs-provider (3.03.4) |
|------|------------------------|------------------------|
| ML-KEM-768 keypair | `openssl genpkey -algorithm ML-KEM-768 -out mlkem768.key` | `-algorithm mlkem768` |
| ML-DSA-65 keypair | `openssl genpkey -algorithm ML-DSA-65 -out mldsa65.key` | `-algorithm mldsa65` |
| Extract public key | `openssl pkey -in mldsa65.key -pubout -out mldsa65.pub` | same |
## Certificates
| Task | Command |
|------|---------|
| Self-signed ML-DSA cert | `openssl req -new -x509 -key mldsa65.key -out mldsa65.crt -days 365 -subj "/CN=pqc.example.com"` |
| Inspect signature alg | `openssl x509 -in mldsa65.crt -noout -text \| grep -A1 'Signature Algorithm'` |
## Sign / verify
| Task | Command |
|------|---------|
| Sign | `openssl dgst -sign mldsa65.key -out artifact.sig artifact.txt` |
| Verify | `openssl dgst -verify mldsa65.pub -signature artifact.sig artifact.txt` |
## Hybrid TLS key exchange
| Task | Command |
|------|---------|
| TLS server (hybrid group) | `openssl s_server -accept 4433 -www -tls1_3 -cert mldsa65.crt -key mldsa65.key -groups X25519MLKEM768` |
| TLS client (hybrid group) | `openssl s_client -connect localhost:4433 -tls1_3 -groups X25519MLKEM768` |
| Test public PQC endpoint | `openssl s_client -groups X25519MLKEM768 -tls1_3 -connect pq.cloudflareresearch.com:443` |
### Standardized hybrid TLS groups
| Group | Classical leg | PQC leg |
|-------|---------------|---------|
| X25519MLKEM768 | X25519 | ML-KEM-768 |
| SecP256r1MLKEM768 | NIST P-256 | ML-KEM-768 |
| SecP384r1MLKEM1024 | NIST P-384 | ML-KEM-1024 |
## NGINX hybrid config (OpenSSL 3.5+)
```nginx
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519MLKEM768:X25519:secp256r1; # hybrid first, classical fallback
```
## oqs-provider activation (openssl.cnf)
```ini
[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect
[default_sect]
activate = 1
[oqsprovider_sect]
activate = 1
```
## CBOM generation
| Tool | Command |
|------|---------|
| cbomkit-theia (dir) | `cbomkit-theia dir ./myapp --output cbom.json` |
| cdxgen (Java + crypto) | `cdxgen -t java --include-crypto -o cbom.json ./myapp` |