Cryptographic Security Validator

name: "Cryptographic Security Validator"
slug: "security-crypto-validator"
description: "Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks."
capabilities:
- TLS 1.2+ enforcement validation
- Cipher suite strength analysis (no weak ciphers)
- Certificate validity and lifecycle management
- Key rotation mechanism verification
- FIPS 140-2/3 compliance checking
inputs:
- target_system: "System or application identifier (string, required)"
- crypto_scope: "tls | certificates | key-management | all (string, default: all)"
- compliance_standard: "nist | fips | pci-dss | none (string, default: nist)"
outputs:
- findings: "JSON array of cryptographic security findings with NIST references"
- compliance_status: "NIST/FIPS/PCI-DSS compliance status (if requested)"
- remediation_config: "TLS/cipher configuration snippets"
keywords:
- cryptography
- tls
- ssl
- certificates
- encryption
- key-management
- cipher-suites
- nist
- fips
version: "1.0.0"
owner: "cognitive-toolworks"
license: "MIT"
security: "Public; no secrets or PII; safe for open repositories"
links:
- https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final
- https://csrc.nist.gov/publications/detail/sp/800-175b/final
- https://csrc.nist.gov/projects/cryptographic-module-validation-program

Purpose & When-To-Use

Trigger conditions:
- Cryptographic implementation review before production deployment
- TLS/SSL configuration audit
- Certificate lifecycle management validation
- FIPS 140-2/3 compliance requirement
- Post-incident cryptographic security assessment

Not for:
- Cryptographic algorithm design (use research/academic resources)
- Quantum-resistant cryptography evaluation (requires specialized analysis)
- Application-level encryption implementation (use security-appsec-validator)
- Physical HSM security assessment (requires on-site evaluation)

Pre-Checks

Time normalization:
- Compute NOW_ET using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use NOW_ET for all citation access dates

Input validation:
- target_system must be non-empty string
- crypto_scope must be one of: [tls, certificates, key-management, all]
- compliance_standard must be one of: [nist, fips, pci-dss, none]

Source freshness:
- NIST SP 800-52 Rev 2 - TLS Guidelines (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final
- NIST SP 800-175B - Key Management (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-175b/final
- FIPS 140-2/3 Standards (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/projects/cryptographic-module-validation-program

Procedure

Step 1: Critical Cryptographic Controls Check

TLS Configuration:
1. TLS 1.2 or higher enforced (TLS 1.0/1.1 disabled)
2. Strong cipher suites only (per NIST SP 800-52 Rev 2, accessed 2025-10-26T01:33:55-04:00)
- Prohibited: RC4, DES, 3DES, MD5, SHA-1 for signatures
- Required: AES-GCM, ChaCha20-Poly1305, ECDHE/DHE key exchange
3. Perfect Forward Secrecy (PFS) enabled
4. Secure renegotiation configured

Certificate Management:
1. Certificate validity (not expired, not self-signed for production)
2. Certificate chain completeness
3. Certificate revocation checking (OCSP or CRL)
4. Key strength (RSA ≥2048-bit, ECC ≥256-bit)
5. Certificate rotation process exists

Key Management:
1. Key rotation mechanism present (90-day max for high-security)
2. Keys stored in HSM or secure key management service
3. No hardcoded keys in code or configuration
4. Separate keys for encryption vs signing

Step 2: Generate NIST-Aligned Remediation

For each finding, provide:
- NIST SP 800-52/175B control reference
- TLS/cipher configuration snippets (Apache, Nginx, IIS, etc.)
- Certificate management procedures

Token budgets:
- T1: ≤2k tokens (critical TLS/certificate findings)
- T2: ≤6k tokens (full cryptographic audit with NIST compliance)
- T3: Not applicable for this skill (use security-auditor agent for comprehensive assessments)

Decision Rules

Ambiguity thresholds:
- If TLS configuration unavailable → request server config files or scan results
- If certificate details missing → request certificate chain PEM files

Abort conditions:
- No target system specified → cannot proceed
- No TLS endpoints or certificates found → verify system has encrypted communications

Severity classification:
- Critical: Weak ciphers (RC4, DES), expired certificates (CVSS 9.0-10.0)
- High: TLS 1.0/1.1 enabled, missing PFS (CVSS 7.0-8.9)
- Medium: Certificate rotation gaps, weak key sizes (CVSS 4.0-6.9)
- Low: OCSP stapling missing, cipher ordering (CVSS 0.1-3.9)

Output Contract

Required fields:

{
  "target_system": "string",
  "crypto_scope": "tls|certificates|key-management|all",
  "compliance_standard": "nist|fips|pci-dss|none",
  "timestamp": "ISO-8601 with timezone",
  "findings": [
    {
      "id": "unique identifier",
      "category": "tls|certificate|key-management",
      "severity": "critical|high|medium|low",
      "cvss_score": 0.0,
      "title": "brief description",
      "description": "detailed finding",
      "nist_reference": "SP 800-52 Rev 2 section X.Y",
      "affected_endpoints": ["URLs or service names"],
      "remediation": "specific fix steps",
      "remediation_config": "configuration snippet"
    }
  ],
  "compliance_status": {
    "standard": "nist|fips|pci-dss",
    "controls_assessed": ["list"],
    "controls_passed": ["list"],
    "controls_failed": ["list"]
  },
  "summary": {
    "total_findings": 0,
    "critical_count": 0,
    "high_count": 0,
    "overall_risk": "critical|high|medium|low"
  }
}

Examples

Example: TLS Configuration Check

# Input
target_system: "api.example.com"
crypto_scope: "tls"
compliance_standard: "nist"

# Output (abbreviated)
{
  "target_system": "api.example.com",
  "findings": [
    {
      "id": "CRYPTO-001",
      "category": "tls",
      "severity": "high",
      "cvss_score": 7.4,
      "title": "TLS 1.1 enabled (deprecated protocol)",
      "nist_reference": "SP 800-52 Rev 2 Section 3.1",
      "remediation_config": "SSLProtocol -all +TLSv1.2 +TLSv1.3"
    }
  ],
  "summary": {"high_count": 1, "overall_risk": "high"}
}

Quality Gates

Token budgets:
- T1 ≤2k tokens (critical TLS/certificate findings)
- T2 ≤6k tokens (full cryptographic audit with NIST compliance)

Safety:
- No private keys in examples or remediation
- No actual certificate details

Auditability:
- Findings cite NIST SP 800-52/175B references
- Cipher recommendations align with current NIST guidance

Determinism:
- Same TLS/certificate state + inputs = consistent findings

Resources

NIST Standards:
- NIST SP 800-52 Rev 2 (TLS Guidelines): https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final (accessed 2025-10-26T01:33:55-04:00)
- NIST SP 800-175B (Key Management): https://csrc.nist.gov/publications/detail/sp/800-175b/final (accessed 2025-10-26T01:33:55-04:00)
- FIPS 140-2/3 Standards: https://csrc.nist.gov/projects/cryptographic-module-validation-program (accessed 2025-10-26T01:33:55-04:00)

TLS Configuration Guides:
- Mozilla SSL Configuration Generator: https://ssl-config.mozilla.org/ (accessed 2025-10-26T01:33:55-04:00)
- OWASP TLS Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html (accessed 2025-10-26T01:33:55-04:00)

Certificate Management:
- CA/Browser Forum Baseline Requirements: https://cabforum.org/baseline-requirements-documents/ (accessed 2025-10-26T01:33:55-04:00)