creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 14:14:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-aes-encryption-for-data-at-rest/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

3.9 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, nist_csf
name description domain subdomain tags version author license nist_csf
implementing-aes-encryption-for-data-at-rest AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM m cybersecurity cryptography
cryptography
encryption
aes
data-at-rest
symmetric-encryption
1.0 mahipal Apache-2.0
PR.DS-01
PR.DS-02
PR.DS-10

Implementing AES Encryption for Data at Rest

Overview

AES (Advanced Encryption Standard) is a symmetric block cipher standardized by NIST (FIPS 197) used to protect classified and sensitive data. This skill covers implementing AES-256 encryption in GCM mode for encrypting files and data stores at rest, including proper key derivation, IV/nonce management, and authenticated encryption.

When to Use

  • When deploying or configuring implementing aes encryption for data at rest capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Implement AES-256-GCM encryption and decryption for files
  • Derive encryption keys from passwords using PBKDF2 and Argon2
  • Manage initialization vectors (IVs) and nonces securely
  • Encrypt and decrypt entire directory trees
  • Implement authenticated encryption to detect tampering
  • Handle large files with streaming encryption

Key Concepts

AES Modes of Operation

Mode Authentication Parallelizable Use Case
GCM Yes (AEAD) Yes Network data, file encryption
CBC No Decrypt only Legacy systems, disk encryption
CTR No Yes Streaming encryption
CCM Yes (AEAD) No IoT, constrained environments

Key Derivation

Never use raw passwords as encryption keys. Always derive keys using:

  • PBKDF2: NIST-approved, widely supported (minimum 600,000 iterations as of 2024)
  • Argon2id: Winner of Password Hashing Competition, memory-hard
  • scrypt: Memory-hard, good alternative to Argon2

Nonce/IV Management

  • GCM requires a 96-bit (12-byte) nonce that must NEVER be reused with the same key
  • Generate nonces using os.urandom() (CSPRNG)
  • Store nonce alongside ciphertext (it is not secret)

Workflow

  1. Install the cryptography library: pip install cryptography
  2. Generate or derive an encryption key
  3. Create a random nonce for each encryption operation
  4. Encrypt data using AES-256-GCM with the key and nonce
  5. Store nonce + ciphertext + authentication tag together
  6. For decryption, extract nonce, verify tag, and decrypt

Encrypted File Format

[salt: 16 bytes][nonce: 12 bytes][ciphertext: variable][tag: 16 bytes]

Security Considerations

  • Always use authenticated encryption (GCM, CCM) to prevent tampering
  • Never reuse a nonce with the same key (catastrophic in GCM)
  • Use at least 256-bit keys for long-term data protection
  • Securely wipe keys from memory after use when possible
  • Rotate encryption keys periodically per organizational policy
  • For disk-level encryption, consider XTS mode (AES-XTS)

Validation Criteria

  • AES-256-GCM encryption produces valid ciphertext
  • Decryption recovers original plaintext exactly
  • Authentication tag detects any ciphertext modification
  • Key derivation uses sufficient iterations/parameters
  • Nonces are never reused for the same key
  • Large files (>1GB) can be processed via streaming
  • Encrypted file format includes all necessary metadata
Reference in New Issue View Git Blame Copy Permalink