// Approved cryptographic algorithms, TLS enforcement, key management, and certificate handling per Hack23 Cryptographic Controls Policy
| name | cryptography |
| description | Approved cryptographic algorithms, TLS enforcement, key management, and certificate handling per Hack23 Cryptographic Controls Policy |
| license | Apache-2.0 |
This skill enforces cryptographic requirements as defined in the Hack23 ISMS Cryptographic Controls Policy. It ensures that all cryptographic operations use approved algorithms and follow best practices for key management.
Symmetric Encryption - MUST USE:
Asymmetric Encryption - MUST USE:
Hashing - MUST USE:
Password Hashing - MUST USE:
Message Authentication - MUST USE:
MUST NOT USE (Deprecated/Broken):
MUST:
TLS 1.2 Approved Cipher Suites (in order of preference):
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS 1.3 Approved Cipher Suites:
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
MUST NOT:
MUST:
Key Length Requirements:
MUST NOT:
MUST:
crypto.randomBytes(), crypto.randomInt()secrets module, os.urandom()SecureRandomwindow.crypto.getRandomValues()MUST NOT:
Math.random() for security purposesMUST:
MUST NOT:
MUST:
Certificate Validity:
MUST NOT:
MUST:
MUST NOT:
MUST:
MUST NOT:
const crypto = require('crypto');
// GOOD: AES-256-GCM encryption
function encrypt(plaintext, key) {
// Generate random IV (12 bytes for GCM)
const iv = crypto.randomBytes(12);
// Create cipher
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
// Encrypt
let ciphertext = cipher.update(plaintext, 'utf8', 'hex');
ciphertext += cipher.final('hex');
// Get authentication tag
const authTag = cipher.getAuthTag();
// Return IV + authTag + ciphertext
return {
iv: iv.toString('hex'),
authTag: authTag.toString('hex'),
ciphertext: ciphertext
};
}
function decrypt(encrypted, key) {
// Create decipher
const decipher = crypto.createDecipheriv(
'aes-256-gcm',
key,
Buffer.from(encrypted.iv, 'hex')
);
// Set authentication tag
decipher.setAuthTag(Buffer.from(encrypted.authTag, 'hex'));
// Decrypt
let plaintext = decipher.update(encrypted.ciphertext, 'hex', 'utf8');
plaintext += decipher.final('utf8');
return plaintext;
}
// Generate secure key (store securely, don't hardcode!)
const key = crypto.randomBytes(32); // 256 bits
// Usage
const encrypted = encrypt('Sensitive data', key);
console.log('Encrypted:', encrypted);
const decrypted = decrypt(encrypted, key);
console.log('Decrypted:', decrypted);
// BAD: Using deprecated algorithm
function encryptBad(plaintext, key) {
// NEVER use DES!
const cipher = crypto.createCipheriv('des-ede3-cbc', key, iv);
return cipher.update(plaintext, 'utf8', 'hex') + cipher.final('hex');
}
const bcrypt = require('bcrypt');
// GOOD: bcrypt with appropriate cost factor
async function hashPassword(password) {
// Cost factor 12 = 2^12 iterations (minimum)
const saltRounds = 12;
const hash = await bcrypt.hash(password, saltRounds);
return hash;
}
async function verifyPassword(password, hash) {
return await bcrypt.compare(password, hash);
}
// Usage
const password = 'MySecurePassword123!';
const hash = await hashPassword(password);
console.log('Hash:', hash);
const isValid = await verifyPassword(password, hash);
console.log('Valid:', isValid);
// BAD: Using weak hashing
function hashPasswordBad(password) {
// NEVER use MD5 or SHA-1 for passwords!
return crypto.createHash('md5').update(password).digest('hex');
}
// BAD: Insufficient iterations
async function hashPasswordWeak(password) {
// Cost factor 4 is too weak!
return await bcrypt.hash(password, 4);
}
const crypto = require('crypto');
// GOOD: Cryptographically secure random
function generateToken(length = 32) {
return crypto.randomBytes(length).toString('hex');
}
function generateApiKey() {
return crypto.randomBytes(32).toString('base64');
}
function generateSecurePin(digits = 6) {
const max = Math.pow(10, digits);
return crypto.randomInt(0, max).toString().padStart(digits, '0');
}
// Usage
const sessionToken = generateToken();
const apiKey = generateApiKey();
const pin = generateSecurePin(6);
// BAD: Using Math.random() for security
function generateTokenBad() {
// NEVER use Math.random() for security!
return Math.random().toString(36).substring(2);
}
const https = require('https');
const fs = require('fs');
// GOOD: Secure TLS configuration
const options = {
key: fs.readFileSync('/path/to/private-key.pem'),
cert: fs.readFileSync('/path/to/certificate.pem'),
ca: fs.readFileSync('/path/to/ca-bundle.pem'),
// TLS 1.2 minimum
minVersion: 'TLSv1.2',
// Prefer TLS 1.3
maxVersion: 'TLSv1.3',
// Strong cipher suites only
ciphers: [
'TLS_AES_256_GCM_SHA384',
'TLS_AES_128_GCM_SHA256',
'TLS_CHACHA20_POLY1305_SHA256',
'ECDHE-RSA-AES256-GCM-SHA384',
'ECDHE-RSA-AES128-GCM-SHA256',
'ECDHE-ECDSA-AES256-GCM-SHA384',
'ECDHE-ECDSA-AES128-GCM-SHA256'
].join(':'),
// Prefer server cipher order
honorCipherOrder: true,
// Enable Perfect Forward Secrecy
ecdhCurve: 'prime256v1:secp384r1:secp521r1',
// Require client certificate (if needed)
requestCert: false,
rejectUnauthorized: true
};
const server = https.createServer(options, (req, res) => {
// Set security headers
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.writeHead(200);
res.end('Secure connection');
});
server.listen(443);
// BAD: Weak TLS configuration
const optionsBad = {
key: fs.readFileSync('/path/to/private-key.pem'),
cert: fs.readFileSync('/path/to/certificate.pem'),
// NEVER allow TLS 1.0/1.1
minVersion: 'TLSv1.0', // TOO WEAK!
// Allowing weak ciphers
ciphers: 'ALL', // INSECURE!
// Not rejecting unauthorized
rejectUnauthorized: false // DANGEROUS!
};
const crypto = require('crypto');
// Derive encryption key from password
function deriveKey(password, salt, keyLength = 32) {
// Use PBKDF2 with SHA-256, 100,000 iterations minimum
return crypto.pbkdf2Sync(
password,
salt,
100000, // iterations (minimum)
keyLength,
'sha256'
);
}
// Usage
const password = 'UserPassword123!';
const salt = crypto.randomBytes(16); // Store salt with encrypted data
const key = deriveKey(password, salt, 32); // 256-bit key
console.log('Derived key:', key.toString('hex'));
// BAD: Weak key derivation
function deriveKeyWeak(password) {
// NEVER use simple hashing for key derivation!
return crypto.createHash('sha256').update(password).digest();
}
const crypto = require('crypto');
const fs = require('fs').promises;
async function encryptFile(inputPath, outputPath, key) {
// Read file
const plaintext = await fs.readFile(inputPath);
// Generate IV
const iv = crypto.randomBytes(12);
// Encrypt
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
const ciphertext = Buffer.concat([
cipher.update(plaintext),
cipher.final()
]);
// Get auth tag
const authTag = cipher.getAuthTag();
// Write IV + authTag + ciphertext
const encrypted = Buffer.concat([iv, authTag, ciphertext]);
await fs.writeFile(outputPath, encrypted);
}
async function decryptFile(inputPath, outputPath, key) {
// Read encrypted file
const encrypted = await fs.readFile(inputPath);
// Extract IV, auth tag, and ciphertext
const iv = encrypted.slice(0, 12);
const authTag = encrypted.slice(12, 28);
const ciphertext = encrypted.slice(28);
// Decrypt
const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
decipher.setAuthTag(authTag);
const plaintext = Buffer.concat([
decipher.update(ciphertext),
decipher.final()
]);
// Write decrypted file
await fs.writeFile(outputPath, plaintext);
}
// Usage
const key = crypto.randomBytes(32);
await encryptFile('sensitive.pdf', 'sensitive.pdf.enc', key);
await decryptFile('sensitive.pdf.enc', 'sensitive-decrypted.pdf', key);
const https = require('https');
const tls = require('tls');
// GOOD: Verify certificate
function makeSecureRequest(url) {
return new Promise((resolve, reject) => {
https.get(url, {
// Verify certificate chain
rejectUnauthorized: true,
// Check hostname
checkServerIdentity: (hostname, cert) => {
const err = tls.checkServerIdentity(hostname, cert);
if (err) {
return err;
}
// Additional checks
const now = new Date();
const notBefore = new Date(cert.valid_from);
const notAfter = new Date(cert.valid_to);
if (now < notBefore || now > notAfter) {
return new Error('Certificate not valid for current date');
}
return undefined;
}
}, (res) => {
let data = '';
res.on('data', chunk => data += chunk);
res.on('end', () => resolve(data));
}).on('error', reject);
});
}
// BAD: Skipping certificate verification
function makeInsecureRequest(url) {
return new Promise((resolve, reject) => {
https.get(url, {
// NEVER disable certificate verification!
rejectUnauthorized: false // DANGEROUS!
}, (res) => {
let data = '';
res.on('data', chunk => data += chunk);
res.on('end', () => resolve(data));
}).on('error', reject);
});
}
| Key Type | Rotation Frequency | Trigger for Immediate Rotation |
|---|---|---|
| TLS Certificates | Annually | Compromise, algorithm weakness |
| Symmetric Keys (RESTRICTED) | Quarterly | Compromise, employee departure |
| Symmetric Keys (CONFIDENTIAL) | Annually | Compromise |
| API Keys | Annually | Compromise, employee departure |
| SSH Keys | 2 years | Compromise |
| Root CA Keys | 10 years | Compromise |
| Database Encryption Keys | 2 years | Compromise |
Violations of cryptographic requirements:
GitHub Agentic Workflows (gh-aw) - markdown-based AI automation with 5-layer security, safe outputs, and Continuous AI patterns
gh-aw CLI usage, compilation, testing, debugging, add-wizard, and CI/CD practices for GitHub Agentic Workflows
Multi-agent coordination, orchestrator-worker patterns, /plan decomposition, and project coordination for GitHub Agentic Workflows
5-layer defense-in-depth security for GitHub Agentic Workflows - safe outputs, threat detection, AWF firewall, and zero-trust patterns
Continuous AI patterns from Agent Factory - issue triage, documentation sync, code quality, security scanning, and project coordination
GDPR compliance including privacy by design, data protection requirements, consent management, right to be forgotten, and data breach response