Cryptographic Security Validator

Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.

Best use case

Cryptographic Security Validator is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.

Teams using Cryptographic Security Validator should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-crypto-validator/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/cognitive-toolworks/main/skills/security-crypto-validator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-crypto-validator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Cryptographic Security Validator Compares

Feature / AgentCryptographic Security ValidatorStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Purpose & When-To-Use

**Trigger conditions:**
- Cryptographic implementation review before production deployment
- TLS/SSL configuration audit
- Certificate lifecycle management validation
- FIPS 140-2/3 compliance requirement
- Post-incident cryptographic security assessment

**Not for:**
- Cryptographic algorithm design (use research/academic resources)
- Quantum-resistant cryptography evaluation (requires specialized analysis)
- Application-level encryption implementation (use security-appsec-validator)
- Physical HSM security assessment (requires on-site evaluation)

---

## Pre-Checks

**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates

**Input validation:**
- `target_system` must be non-empty string
- `crypto_scope` must be one of: [tls, certificates, key-management, all]
- `compliance_standard` must be one of: [nist, fips, pci-dss, none]

**Source freshness:**
- NIST SP 800-52 Rev 2 - TLS Guidelines (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final
- NIST SP 800-175B - Key Management (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-175b/final
- FIPS 140-2/3 Standards (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/projects/cryptographic-module-validation-program

---

## Procedure

### Step 1: Critical Cryptographic Controls Check

**TLS Configuration:**
1. TLS 1.2 or higher enforced (TLS 1.0/1.1 disabled)
2. Strong cipher suites only (per NIST SP 800-52 Rev 2, accessed 2025-10-26T01:33:55-04:00)
   - Prohibited: RC4, DES, 3DES, MD5, SHA-1 for signatures
   - Required: AES-GCM, ChaCha20-Poly1305, ECDHE/DHE key exchange
3. Perfect Forward Secrecy (PFS) enabled
4. Secure renegotiation configured

**Certificate Management:**
1. Certificate validity (not expired, not self-signed for production)
2. Certificate chain completeness
3. Certificate revocation checking (OCSP or CRL)
4. Key strength (RSA ≥2048-bit, ECC ≥256-bit)
5. Certificate rotation process exists

**Key Management:**
1. Key rotation mechanism present (90-day max for high-security)
2. Keys stored in HSM or secure key management service
3. No hardcoded keys in code or configuration
4. Separate keys for encryption vs signing

### Step 2: Generate NIST-Aligned Remediation

For each finding, provide:
- NIST SP 800-52/175B control reference
- TLS/cipher configuration snippets (Apache, Nginx, IIS, etc.)
- Certificate management procedures

**Token budgets:**
- **T1:** ≤2k tokens (critical TLS/certificate findings)
- **T2:** ≤6k tokens (full cryptographic audit with NIST compliance)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)

---

## Decision Rules

**Ambiguity thresholds:**
- If TLS configuration unavailable → request server config files or scan results
- If certificate details missing → request certificate chain PEM files

**Abort conditions:**
- No target system specified → cannot proceed
- No TLS endpoints or certificates found → verify system has encrypted communications

**Severity classification:**
- Critical: Weak ciphers (RC4, DES), expired certificates (CVSS 9.0-10.0)
- High: TLS 1.0/1.1 enabled, missing PFS (CVSS 7.0-8.9)
- Medium: Certificate rotation gaps, weak key sizes (CVSS 4.0-6.9)
- Low: OCSP stapling missing, cipher ordering (CVSS 0.1-3.9)

---

## Output Contract

**Required fields:**
```json
{
  "target_system": "string",
  "crypto_scope": "tls|certificates|key-management|all",
  "compliance_standard": "nist|fips|pci-dss|none",
  "timestamp": "ISO-8601 with timezone",
  "findings": [
    {
      "id": "unique identifier",
      "category": "tls|certificate|key-management",
      "severity": "critical|high|medium|low",
      "cvss_score": 0.0,
      "title": "brief description",
      "description": "detailed finding",
      "nist_reference": "SP 800-52 Rev 2 section X.Y",
      "affected_endpoints": ["URLs or service names"],
      "remediation": "specific fix steps",
      "remediation_config": "configuration snippet"
    }
  ],
  "compliance_status": {
    "standard": "nist|fips|pci-dss",
    "controls_assessed": ["list"],
    "controls_passed": ["list"],
    "controls_failed": ["list"]
  },
  "summary": {
    "total_findings": 0,
    "critical_count": 0,
    "high_count": 0,
    "overall_risk": "critical|high|medium|low"
  }
}
```

---

## Examples

**Example: TLS Configuration Check**

```yaml
# Input
target_system: "api.example.com"
crypto_scope: "tls"
compliance_standard: "nist"

# Output (abbreviated)
{
  "target_system": "api.example.com",
  "findings": [
    {
      "id": "CRYPTO-001",
      "category": "tls",
      "severity": "high",
      "cvss_score": 7.4,
      "title": "TLS 1.1 enabled (deprecated protocol)",
      "nist_reference": "SP 800-52 Rev 2 Section 3.1",
      "remediation_config": "SSLProtocol -all +TLSv1.2 +TLSv1.3"
    }
  ],
  "summary": {"high_count": 1, "overall_risk": "high"}
}
```

---

## Quality Gates

**Token budgets:**
- T1 ≤2k tokens (critical TLS/certificate findings)
- T2 ≤6k tokens (full cryptographic audit with NIST compliance)

**Safety:**
- No private keys in examples or remediation
- No actual certificate details

**Auditability:**
- Findings cite NIST SP 800-52/175B references
- Cipher recommendations align with current NIST guidance

**Determinism:**
- Same TLS/certificate state + inputs = consistent findings

---

## Resources

**NIST Standards:**
- NIST SP 800-52 Rev 2 (TLS Guidelines): https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final (accessed 2025-10-26T01:33:55-04:00)
- NIST SP 800-175B (Key Management): https://csrc.nist.gov/publications/detail/sp/800-175b/final (accessed 2025-10-26T01:33:55-04:00)
- FIPS 140-2/3 Standards: https://csrc.nist.gov/projects/cryptographic-module-validation-program (accessed 2025-10-26T01:33:55-04:00)

**TLS Configuration Guides:**
- Mozilla SSL Configuration Generator: https://ssl-config.mozilla.org/ (accessed 2025-10-26T01:33:55-04:00)
- OWASP TLS Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html (accessed 2025-10-26T01:33:55-04:00)

**Certificate Management:**
- CA/Browser Forum Baseline Requirements: https://cabforum.org/baseline-requirements-documents/ (accessed 2025-10-26T01:33:55-04:00)

Related Skills

Service Level Objective Validator

5
from williamzujkowski/cognitive-toolworks

Validate SLO definitions against actual metrics, generate alerting rules, and design error budget policies with burn rate calculations.

Software Supply Chain Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate software supply chain security with SBOM generation, dependency scanning, provenance verification, and SLSA attestation.

Operating System Security Hardening Checker

5
from williamzujkowski/cognitive-toolworks

Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.

Network Security Architecture Validator

5
from williamzujkowski/cognitive-toolworks

Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.

IAM Security Reviewer

5
from williamzujkowski/cognitive-toolworks

Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.

Container Security Checker

5
from williamzujkowski/cognitive-toolworks

Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.

Cloud Security Posture Analyzer

5
from williamzujkowski/cognitive-toolworks

Evaluate cloud security posture across AWS, Azure, and GCP with storage exposure checks, IAM policy review, and encryption validation.

Security Assessment Orchestrator

5
from williamzujkowski/cognitive-toolworks

Comprehensive security assessment across application, cloud, container, IAM, network, OS, supply chain, and zero trust using NIST CSF 2.0.

Application Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.

UX Design System Validator

5
from williamzujkowski/cognitive-toolworks

Validate design systems for accessibility (WCAG), responsive design, and component consistency with design token analysis.

Frontend Accessibility Validator

5
from williamzujkowski/cognitive-toolworks

Validate WCAG 2.2 compliance (A/AA/AAA) with ARIA, color contrast, keyboard navigation, screen readers, and automated testing via axe-core/Pa11y.

OSCAL SSP Validator

5
from williamzujkowski/cognitive-toolworks

Validates OSCAL System Security Plan documents against schemas, profiles, and cross-reference requirements with tiered validation depth.