Files
T
mukul975 cb8d79e068 Map all 754 skills to MITRE ATT&CK v19.1
- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
  techniques), verified against MITRE ATT&CK v19.1 via the official
  mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
  threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
  Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
  Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
  family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
  stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
2026-06-01 12:13:29 +02:00

3.1 KiB

name, description, domain, subdomain, tags, version, author, license, nist_csf, mitre_attack
name description domain subdomain tags version author license nist_csf mitre_attack
implementing-end-to-end-encryption-for-messaging End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary (including the server) able to decrypt them. This skill implements a simplified version cybersecurity cryptography
cryptography
encryption
e2e
messaging
signal-protocol
1.0 mahipal Apache-2.0
PR.DS-01
PR.DS-02
PR.DS-10
T1600
T1573
T1553
T1486

Implementing End-to-End Encryption for Messaging

Overview

End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary (including the server) able to decrypt them. This skill implements a simplified version of the Signal Protocol's Double Ratchet algorithm, using X25519 for key exchange, HKDF for key derivation, and AES-256-GCM for message encryption.

When to Use

  • When deploying or configuring implementing end to end encryption for messaging capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Implement X25519 Diffie-Hellman key exchange for session establishment
  • Build the Double Ratchet key management algorithm
  • Encrypt and decrypt messages with per-message keys
  • Implement forward secrecy (compromise of current key does not reveal past messages)
  • Handle out-of-order message delivery
  • Implement key agreement using X3DH (Extended Triple Diffie-Hellman)

Key Concepts

Signal Protocol Components

Component Purpose Algorithm
X3DH Initial key agreement X25519
Double Ratchet Ongoing key management X25519 + HKDF + AES-GCM
Sending Chain Per-message encryption keys HMAC-SHA256 chain
Receiving Chain Per-message decryption keys HMAC-SHA256 chain
Root Chain Derives new chain keys on DH ratchet HKDF

Forward Secrecy

Each message uses a unique encryption key derived from a ratcheting chain. After a key is used, it is deleted, ensuring that compromise of the current state does not reveal previously sent/received messages.

Security Considerations

  • Delete message keys immediately after decryption
  • Implement message ordering and replay protection
  • Use authenticated encryption (AES-GCM) for all messages
  • Protect identity keys with device-level security
  • Verify identity keys out-of-band (safety numbers)

Validation Criteria

  • X25519 key exchange produces shared secret
  • Messages encrypt and decrypt correctly between two parties
  • Different messages produce different ciphertexts
  • Forward secrecy: old keys cannot decrypt new messages
  • Out-of-order messages can be decrypted
  • Tampered messages are rejected by authentication