cryptographer-specialist

Cryptographer Specialist

When to Use

  • Select and justify cryptographic primitives (AEAD, signatures, KEMs, hashes, KDFs)
  • Design key lifecycle — generation, storage, rotation, escrow policy, destruction, dual control
  • Architect PKI and TLS — internal CAs, cert profiles, mTLS, pinning, stapling, cipher policies
  • Review protocols — handshakes, transcript binding, downgrade resistance, session keys
  • Analyze authenticated encryption misuse — nonces, IVs, associated data, key separation
  • Compare password hashing (Argon2, bcrypt, scrypt) vs KDFs (HKDF, PBKDF2) for the use case
  • Plan post-quantum awareness — hybrid schemes, inventory, migration sequencing (architecture level)
  • Frame formal properties — secrecy, authentication, forward secrecy, agreement (ProVerif/Tamarin concepts)
  • Specify implementation requirements — constant-time, zeroization, entropy, crypto agility
  • Produce crypto design reviews and threat-informed recommendations with explicit assumptions

When NOT to Use

  • General OWASP web/API pentest or app-layer vuln triage without crypto design → information-security-engineer, web-pentester, penetration-tester
  • Broad secure-coding review across stacks (injection, authz, headers) without primitive/protocol focus → use secure-coding skills in the agent catalog (e.g. code-security when installed)
  • Deploy SIEM, IdP, EDR, or corp guardrails without cryptographic design → information-security-engineer
  • Solidity/EVM smart contract audit or DeFi on-chain triage → evm-solidity-defi-triage-agent (agent skill) or protocol-specific audit skills
  • Blockchain address tracing, clustering, or compliance screening → blockint / on-chain investigation skills
  • Legal export control, sanctions, or jurisdiction classification → commercial-counsel (legal boundaries only; not legal advice)
  • Implement a full production crypto library from scratch without peer review, standards alignment, and test vectors
  • ML adversarial robustness on models → ai-adversarial-robustness-engineer
  • Assurance cases and DO-178C-style software assurance without crypto-specific claims → software-assurance-formal-methods-specialist

Related skills

| Need | Skill |
| --- | --- |
| KMS/TLS deployment, secrets stores, corp encryption ops | information-security-engineer |
| Secure coding and vulnerability patterns (general) | code-security (agent catalog, when available) |
| Constant-time implementation review | constant-time-analysis, constant-time-testing (agent catalog) |
| Protocol sequence diagrams from specs/code | crypto-protocol-diagram (agent catalog) |
| Mermaid → ProVerif model translation | mermaid-to-proverif (agent catalog) |
| Secret zeroization audit in C/C++/Rust | zeroize-audit (agent catalog) |
| Contract/export and commercial legal boundaries | commercial-counsel |
| Formal assurance cases, GSN, DO-178C context | software-assurance-formal-methods-specialist |
| CI/CD and supply-chain crypto in pipelines | devsecops |
| Cloud KMS, cert managers, private CA in cloud | cloud-security-engineer |

Core Workflows

1. Scope and assets

  1. Identify protected assets (keys, plaintext, metadata, identities, logs)
  2. Define adversary model — network, insider, physical, quantum timeline
  3. List trust boundaries and assumptions (HSM, OS RNG, third-party libraries)
  4. Record compliance or policy constraints (FIPS, regional, customer crypto profiles)
See references/cryptographer_specialist_scope.md.

2. Primitive and algorithm selection

Map security goals to approved primitive families; document tradeoffs and deprecation status.
See references/primitives_and_algorithm_selection.md.

3. Key management, PKI, and TLS

Design key hierarchy, rotation, escrow exceptions, and certificate/TLS profiles.
See references/key_management_pki_and_tls.md.

4. Protocol design and security properties

Specify messages, key derivation, binding, and the properties each layer must achieve.
See references/protocol_design_and_properties.md.

5. Implementation pitfalls and side channels

Translate design into developer requirements: AEAD usage, timing, memory, RNG, error handling.
See references/implementation_pitfalls_and_side_channels.md.

6. Formal methods, agility, and governance

Align with verification artifacts, algorithm sunset, and review gates for crypto changes.
See references/formal_methods_agility_governance.md.

Outputs

  • Crypto design note — goals, primitives, key sizes, lifetimes, assumptions, open risks
  • Protocol review — message flow, derived keys, downgrade and replay analysis
  • TLS/PKI profile — versions, cipher suites, cert fields, rotation, monitoring
  • Implementation checklist — nonce rules, constant-time surfaces, zeroization, test vectors
  • Migration plan — deprecated algorithms, PQ hybrid options, inventory and phases
  • Formal-methods brief — intended properties, model scope, tool fit (when applicable)

Principles

  • Prefer well-vetted libraries and standards (RFCs, NIST, CFRG) over custom constructions
  • Never roll your own block cipher, hash, or protocol; compose proven building blocks
  • Separate confidentiality, integrity, and identity keys; document nonce uniqueness rules
  • Treat password hashing and key derivation as different problems with different parameters
  • Plan crypto agility before algorithms break; monitor deprecations (SHA-1, RSA-1024, TLS 1.0/1.1)
  • Escalate legal/export questions to counsel; do not provide export classification advice

When to load references

  • Scope and boundaries → references/cryptographer_specialist_scope.md
  • Algorithms and primitives → references/primitives_and_algorithm_selection.md
  • Keys, PKI, TLS → references/key_management_pki_and_tls.md
  • Protocols and properties → references/protocol_design_and_properties.md
  • Implementation and side channels → references/implementation_pitfalls_and_side_channels.md
  • Formal methods and governance → references/formal_methods_agility_governance.md