Cryptographic Analysis & Assessment
SSL/TLS auditing, cipher suite analysis, hash algorithm identification, encryption implementation review, and cryptographic weakness detection in code
git clone --depth 1 https://github.com/Masriyan/Claude-Code-CyberSecurity-Skill /tmp/cryptographic-analysis-assessment && cp -r /tmp/cryptographic-analysis-assessment/skills/13-crypto-analysis ~/.claude/skills/cryptographic-analysis-assessment

SKILL.md
# Cryptographic Analysis & Assessment

## Purpose

Enable Claude to assist with cryptographic security assessments including SSL/TLS configuration auditing, cipher suite analysis and recommendation, hash algorithm identification, encryption implementation code review, key management evaluation, and detection of cryptographic vulnerabilities. Claude directly analyzes provided configurations and code.

---

## Activation Triggers

This skill activates when the user asks about:

- Auditing SSL/TLS configuration of a server or service
- Evaluating cipher suites for security strength
- Identifying hash algorithms from hash values or code
- Reviewing code for cryptographic implementation flaws
- Assessing key lengths, key management, or rotation policies
- Detecting hardcoded keys, weak IVs, or ECB mode usage
- Generating TLS configuration recommendations (Mozilla profile)
- Certificate analysis (expiration, chain, transparency)
- Post-quantum cryptography guidance
- Password hashing implementation review (bcrypt, Argon2, PBKDF2)

---

## Prerequisites

```bash
pip install cryptography requests pyOpenSSL
```

**Recommended tools:**

- `sslyze` — Python TLS scanner
- `testssl.sh` — Comprehensive TLS testing
- `openssl` — Command-line TLS operations
- `Wireshark` — TLS traffic analysis
- `certbot` — Certificate management

---

## Core Capabilities

### 1. SSL/TLS Configuration Auditing

**When the user asks to audit TLS for a server or paste a TLS configuration:**

**Command-line audit approach:**

```bash
# Quick TLS check using openssl
# (</dev/null closes stdin so s_client exits after the handshake instead of waiting for input)
openssl s_client -connect example.com:443 -tls1_2 </dev/null 2>/dev/null | grep -E "Protocol|Cipher"
# Handshake errors are written to stderr, so merge it into stdout before grepping
openssl s_client -connect example.com:443 -tls1 </dev/null 2>&1 | grep -E "handshake|error"

# Check certificate details
openssl s_client -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer

# Comprehensive scan with sslyze
sslyze --regular example.com --json_out result.json

# Or testssl.sh (most comprehensive)
./testssl.sh --severity HIGH --quiet example.com

# Use the skill's script
python scripts/tls_auditor.py --host example.com --port 443 --output report.json
python scripts/tls_auditor.py --host mail.example.com --port 993 --grade
```

**TLS Version Support Ratings:**

| Protocol | Status | Action |
|----------|--------|--------|
| SSLv2 | Critically broken | Block immediately |
| SSLv3 | Broken (POODLE) | Block immediately |
| TLS 1.0 | Deprecated (PCI-DSS violation) | Disable — BEAST, POODLE |
| TLS 1.1 | Deprecated | Disable |
| TLS 1.2 | Acceptable (with strong ciphers) | Keep with restrictions |
| TLS 1.3 | Current standard | Enable and prefer |

**TLS Vulnerability Checklist:**

```
[ ] Heartbleed (CVE-2014-0160): openssl s_client + heartbleed test
[ ] POODLE: SSLv3 enabled?
[ ] BEAST: TLS 1.0 + CBC cipher?
[ ] ROBOT: RSA key exchange supported?
[ ] DROWN: SSLv2 on any port of same server?
[ ] Logjam/FREAK: DHE < 2048-bit or EXPORT ciphers?
[ ] CRIME/BREACH: TLS compression enabled?
[ ] Sweet32: 3DES (64-bit block cipher) supported?
[ ] Weak certificate: RSA < 2048-bit, SHA-1 signed?
[ ] Certificate validity: Not expired, chain complete, not self-signed for prod?
[ ] HSTS: Strict-Transport-Security header present?
[ ] CT: Certificate in public transparency logs?
```

### 2. Cipher Suite Strength Evaluation

**When the user asks about cipher suite security:**

**TLS 1.3 Cipher Suites (All Secure — Use These):**

| Cipher Suite | Key Exchange | Auth | Encryption | MAC | Rating |
|-------------|-------------|------|------------|-----|--------|
| TLS_AES_256_GCM_SHA384 | ECDHE | RSA/ECDSA | AES-256-GCM | SHA-384 | A+ |
| TLS_CHACHA20_POLY1305_SHA256 | ECDHE | RSA/ECDSA | ChaCha20 | Poly1305 | A+ |
| TLS_AES_128_GCM_SHA256 | ECDHE | RSA/ECDSA | AES-128-GCM | SHA-256 | A |

**TLS 1.2 Cipher Suite Ratings:**

| Cipher Suite | Rating | Notes |
|-------------|--------|-------|
| ECDHE-ECDSA-AES256-GCM-SHA384 | A+ | Perfect — AEAD, PFS |
| ECDHE-RSA-AES256-GCM-SHA384 | A+ | Perfect — AEAD, PFS |
| ECDHE-RSA-AES128-GCM-SHA256 | A | Good — AEAD, PFS |
| DHE-RSA-AES256-GCM-SHA384 | A | Good — if DHE ≥ 2048-bit |
| AES256-GCM-SHA384 | B | No forward secrecy |
| ECDHE-RSA-AES256-SHA384 | B | CBC mode (timing attacks) |
| RC4-SHA | F | RC4 broken — never use |
| DES-CBC3-SHA | F | 3DES vulnerable (Sweet32) |
| NULL-SHA | F | No encryption |
| EXPORT-RC4-MD5 | F | FREAK vulnerable |

**Recommended nginx TLS Configuration (Mozilla Modern Profile):**

```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;  # TLS 1.3 ignores this; client order for TLS 1.2

# For TLS 1.2 compatibility
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

# DH parameters for DHE cipher suites
ssl_dhparam /etc/nginx/dhparam.pem;  # Generate: openssl dhparam -out dhparam.pem 4096

# Session management
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;  # Disabling improves forward secrecy

# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
```

**Generate DH parameters:**

```bash
# 4096-bit DH parameters (do this once, takes a few minutes)
openssl dhparam -out /etc/nginx/dhparam.pem 4096
```

### 3. Hash Algorithm Identification & Assessment

**When the user provides a hash value or asks to identify hash algorithms:**

**Hash Identification by Format:**

| Hash Format / Length | Algorithm | Security Status |
|----------------------|-----------|----------------|
| 32 hex chars | MD5 | Broken — collision attacks exist |
| 40 hex chars | SHA-1 | Deprecated — SHAttered collision |
| 56 hex chars | SHA-224 | Acceptable (limited use) |
| 64 hex chars | SHA-256 | Current standard |
| 96 hex chars | SHA-384 |
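
The protocol table in section 1 and the TLS 1.2 cipher ratings in section 2 can be applied mechanically to an nginx configuration. The following is an added example, not part of the skill's own scripts: `rate_cipher`, `directives` and `audit` are hypothetical names, `WEAK_CONF` is a constructed sample, and the page's A and A+ tiers are collapsed into a single "A".

```python
import re

# Verdicts from the page's "TLS Version Support Ratings" table (nginx spellings).
BAD_PROTOCOLS = {"SSLv2": "critically broken", "SSLv3": "broken (POODLE)",
                 "TLSv1": "deprecated (BEAST, POODLE)", "TLSv1.1": "deprecated"}
# Name tokens the page's TLS 1.2 cipher table rates F.
F_MARKERS = {"RC4": "RC4 broken", "CBC3": "3DES (Sweet32)", "NULL": "no encryption",
             "EXP": "EXPORT cipher (FREAK)", "EXPORT": "EXPORT cipher (FREAK)"}

def rate_cipher(name):
    """Grade an OpenSSL-style suite name; the page's A and A+ both map to "A"."""
    parts = name.upper().split("-")
    for marker, why in F_MARKERS.items():
        if marker in parts:
            return "F", why
    if parts[0] not in ("ECDHE", "DHE"):
        return "B", "no forward secrecy"
    if "GCM" not in parts and "CHACHA20" not in parts:
        return "B", "CBC mode"
    return "A", "AEAD with forward secrecy"

def directives(conf, name):
    """Argument strings of every uncommented `name ...;` directive."""
    return [a.strip() for a in re.findall(rf"^\s*{name}\s+([^;]+);", conf, re.M)]

def audit(conf):
    """Return a list of findings for one nginx TLS configuration."""
    findings = []
    for proto in " ".join(directives(conf, "ssl_protocols")[-1:]).split():
        if proto in BAD_PROTOCOLS:
            findings.append(f"protocol {proto}: {BAD_PROTOCOLS[proto]}")
    for suite in filter(None, ":".join(directives(conf, "ssl_ciphers")[-1:]).split(":")):
        grade, why = rate_cipher(suite)
        if grade != "A":
            findings.append(f"cipher {suite}: {grade} ({why})")
    if directives(conf, "ssl_session_tickets")[-1:] != ["off"]:
        findings.append("ssl_session_tickets is not off")
    if not any(h.startswith("Strict-Transport-Security")
               for h in directives(conf, "add_header")):
        findings.append("HSTS header missing")
    return findings

# Sample inputs: WEAK_CONF is constructed; GOOD_CONF excerpts the page's config.
WEAK_CONF = """ssl_protocols SSLv3 TLSv1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DES-CBC3-SHA:RC4-SHA;"""
GOOD_CONF = """ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_tickets off;  # Disabling improves forward secrecy
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;"""
```

Calling `audit(WEAK_CONF)` returns one finding per weak protocol, weak suite and missing hardening directive, while `audit(GOOD_CONF)` returns an empty list.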