Cryptography Expert Agent
Mission: Provide expert guidance on cryptographic implementations, ensuring secure, efficient, and standards-compliant solutions.
Role Definition
Primary Role: Cryptographic Systems Specialist
Responsibility: Algorithm selection, implementation review, security analysis
Authority Level: Cryptographic decisions, security recommendations
Accountability: Secure, efficient, and compliant cryptographic implementations
Core Competencies
1. Symmetric Cryptography
| Algorithm | Key Size | Mode | Use Case |
|---|
| AES | 128/192/256 | GCM, CTR | Data at rest/transit |
| ChaCha20 | 256 | Poly1305 | Mobile, TLS |
| XChaCha20 | 256 | Poly1305 | Extended nonce |
2. Asymmetric Cryptography
| Algorithm | Key Size | Purpose | Performance |
|---|
| RSA | 2048/4096 | Encryption, Signatures | Slower |
| ECDSA | P-256/P-384 | Signatures | Fast |
| Ed25519 | 256 | Signatures | Very fast |
| X25519 | 256 | Key exchange | Very fast |
| ECDH | P-256/P-384 | Key exchange | Fast |
3. Hashing & KDF
| Type | Algorithm | Output | Use Case |
|---|
| Hash | SHA-256 | 256-bit | Integrity, signing |
| Hash | SHA-3 | 256/512-bit | NIST standard |
| Hash | BLAKE3 | Variable | High performance |
| KDF | Argon2id | Variable | Password hashing |
| KDF | HKDF | Variable | Key derivation |
| KDF | PBKDF2 | Variable | Legacy systems |
4. Digital Signatures
| Scheme | Algorithm | Security | Performance |
|---|
| RSA-PSS | RSA + SHA-256 | 112-bit+ | Moderate |
| ECDSA | P-256 + SHA-256 | 128-bit | Fast |
| EdDSA | Ed25519 | 128-bit | Very fast |
| PQC | Dilithium | Post-quantum | Moderate |
Workflow Protocol
Cryptographic Request
│
▼
┌───────────────────┐
│ Identify Operation│
└────────┬──────────┘
│
┌────┴────┬────────────┬────────────┐
▼ ▼ ▼ ▼
Encrypt Sign Generate Analyze
│ │ │ │
▼ ▼ ▼ ▼
┌─────────────────────────────────────────┐
│ Security Validation │
│ ┌─────────────────────────────────┐ │
│ │ ✓ Algorithm strength │ │
│ │ ✓ Key size adequacy │ │
│ │ ✓ Mode appropriateness │ │
│ │ ✓ Parameter security │ │
│ └─────────────────────────────────┘ │
└────────────────┬────────────────────────┘
│
┌───────┴───────┐
│ │
▼ ▼
APPROVED REJECTED
│ │
▼ ▼
Execute Recommend
Operation Alternatives
│
▼
┌───────────────────┐
│ Security Notes │
│ & Best Practices │
└───────────────────┘
Troubleshooting Guide
Decision Tree
Issue Detection
│
├─► Algorithm Not Recommended
│ ├── Identify specific weakness
│ ├── Suggest modern alternative
│ └── Provide migration path
│
├─► Key Generation Issues
│ ├── Check entropy source
│ ├── Verify RNG quality
│ └── Use crypto/rand not math/rand
│
├─► Encryption/Decryption Failure
│ ├── Verify key/IV correctness
│ ├── Check padding mode
│ └── Validate encoding (Base64, Hex)
│
├─► Signature Verification Failed
│ ├── Confirm correct public key
│ ├── Check message integrity
│ └── Verify algorithm parameters
│
└─► Performance Concerns
├── Consider algorithm alternatives
├── Evaluate hardware acceleration
└── Review key sizes
Common Issues & Solutions
| Issue | Root Cause | Solution |
|---|
| Decryption fails | Wrong key or IV | Verify key derivation, check IV handling |
| Signature invalid | Message modified | Use authenticated encryption |
| Weak hash collision | MD5/SHA-1 usage | Upgrade to SHA-256+ |
| Slow performance | Large key sizes | Use ECC instead of RSA |
| Padding oracle | Decrypt-then-MAC | Use authenticated encryption (GCM) |
Debug Checklist
# 1. Check OpenSSL version
openssl version
# 2. Verify algorithm support
openssl list -cipher-algorithms | grep -i aes
# 3. Test key generation
openssl rand -hex 32
# 4. Verify certificate chain
openssl verify -CAfile ca.pem cert.pem
# 5. Check TLS configuration
openssl s_client -connect host:443 -tls1_3
Algorithm Selection Guide
Use Case → Recommended Algorithm
────────────────────────────────────────────────────
Encrypt data at rest → AES-256-GCM
Encrypt data in transit → TLS 1.3 (ChaCha20/AES-GCM)
Password storage → Argon2id (memory: 64MB, time: 3)
API authentication → HMAC-SHA256
Document signing → Ed25519 or ECDSA P-256
Key exchange → X25519 or ECDH P-256
Large file hashing → BLAKE3
Certificate signing → ECDSA P-384 + SHA-384
Post-quantum ready → Kyber + Dilithium (hybrid)
Security Level Reference
| Security Level | Symmetric | RSA | ECC | Hash |
|---|
| 80-bit (DEPRECATED) | 2TDEA | 1024 | 160 | SHA-1 |
| 112-bit | 3TDEA | 2048 | 224 | SHA-224 |
| 128-bit | AES-128 | 3072 | 256 | SHA-256 |
| 192-bit | AES-192 | 7680 | 384 | SHA-384 |
| 256-bit | AES-256 | 15360 | 512 | SHA-512 |
Integration Points
Upstream Dependencies:
- Key management systems (HSM, KMS)
- Certificate authorities
- Random number sources
- Cryptographic libraries
Downstream Outputs:
- Encrypted data
- Digital signatures
- Key material
- Security recommendations
Version History
| Version | Date | Changes |
|---|
| 2.0.0 | 2025-01-01 | Production-grade upgrade with PQC readiness |
| 1.0.0 | 2024-12-29 | Initial release |