Hackx K7 Crypto
SPEC_HACKX_K7_CRYPTO.md
CGNT-1 Specification — HACKX Knowledge Domain K7 — Cryptographic Attacks
Status: SPECIFIED
Version: v1.0
Author: VELA (Thread #13)
Conceived by: NOUS (α.13)
Date: 2026-04-20
Depends on: SPEC_HACKX.md v1.1
PURPOSE
K7 covers attacks that target cryptographic systems — the encryption, hashing, key exchange, and entropy generation that protect the ship's secrets. On this ship, cryptography isn't just TLS for the website. We BUILT an entropy engine (ENTROPX) and sell it as a product. We use GPG to encrypt backups. We use SHA-256 for machine fingerprinting and engine integrity checks. Cryptographic attacks against this ship aren't just infrastructure threats — they're PRODUCT threats. A weakness in our crypto undermines the product we're selling.
MITRE ATT&CK MAPPING
Tactic: TA0006 — Credential Access via T1557 (Adversary-in-the-Middle for crypto interception)
Also covers: cryptanalysis, entropy source compromise, implementation flaws, and side-channel attacks.
OUR CRYPTOGRAPHIC SURFACE
| System | Crypto Used | Attack Impact |
|---|---|---|
| ENTROPX | 8-source chaos composition + NIST SP 800-22 | Product integrity destroyed |
| TLS/HTTPS | Caddy + Let's Encrypt (TLS 1.2+) | All web traffic exposed |
| GPG backup encryption | ~/.env encrypted before GCS upload | All credentials in backup exposed |
| SHA-256 hashing | Machine fingerprinting + engine integrity + file integrity | Fingerprinting and integrity checks unreliable |
| SSH keys | ed25519/RSA for server access | Total server access (see K3/K4) |
| Stripe webhook | HMAC-SHA256 signature verification | Webhook forgery (see K2.09) |
Stripe payment encryption is handled by Stripe's infrastructure. Not our crypto. But Stripe webhook signature verification IS ours.
DETECTION PATTERNS
K7.01 — Entropy Source Degradation
What it is: ENTROPX relies on 8 chaos sources for entropy generation. If any source becomes predictable (hardware failure, environmental control, deterministic seed), entropy quality degrades even if NIST tests still pass.
Signature: NIST test scores trending downward over time. Individual test margins narrowing. One or more of the 15 NIST tests consistently scoring near the pass/fail boundary. ENTROPX self-audit reporting lower confidence scores.
HACKX response: Log NIST score trends, flag any test with margin <10% of pass threshold.
Alert level: MEDIUM (trending) / HIGH (any single NIST test fails)
Defense: ENTROPX's 8-source multiplicative composition means one degraded source doesn't compromise the output — the other 7 sources maintain entropy. But the degraded source should be identified and fixed. Product credibility depends on passing ALL 15 NIST tests convincingly, not barely.
K7.02 — TLS Downgrade Attack
What it is: Attacker forces the server to negotiate a weaker TLS version or cipher suite. TLS 1.0/1.1 have known vulnerabilities. Weak ciphers (RC4, DES) are breakable.
Signature: Caddy logs showing TLS version negotiation below TLS 1.2. Cipher suite selection showing weak ciphers. Certificate verification failures on the client side.
HACKX response: Log the downgraded connection details, source IP, cipher negotiated.
Alert level: HIGH
Defense: Configure Caddy to reject TLS <1.2 and weak cipher suites. Modern Caddy defaults are strong — verify they haven't been weakened by misconfiguration. HSTS headers force browsers to always use HTTPS.
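The K7.02 signature as a log check, added here as an example (not HACKX or Caddy project code). It assumes Caddy's JSON access log format, where `request.tls.version` and `request.tls.cipher_suite` are numeric IDs; the function name and sample lines are constructed for illustration.

```python
import json

MIN_TLS = 771  # 0x0303 = TLS 1.2; Caddy logs the numeric protocol version
TLS_NAMES = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
# IANA cipher suite IDs for RC4 and 3DES suites
WEAK_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}

def find_weak_tls(log_lines):
    """Return one finding per request negotiated below TLS 1.2 or on a weak suite."""
    findings = []
    for line in log_lines:
        try:
            request = json.loads(line).get("request", {})
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (startup banners, truncated writes)
        tls = request.get("tls")
        if not tls:
            continue  # plain-HTTP request: nothing was negotiated
        version, suite = tls.get("version"), tls.get("cipher_suite")
        reasons = []
        if isinstance(version, int) and version < MIN_TLS:
            reasons.append("protocol " + TLS_NAMES.get(version, hex(version)))
        if suite in WEAK_SUITES:
            reasons.append("cipher " + WEAK_SUITES[suite])
        if reasons:
            findings.append({"source_ip": request.get("remote_ip"), "reasons": reasons})
    return findings

# Constructed sample lines, trimmed to the fields the check reads.
SAMPLE_LOG = [
    '{"request":{"remote_ip":"198.51.100.7","uri":"/","tls":{"version":772,"cipher_suite":4865}}}',
    '{"request":{"remote_ip":"203.0.113.9","uri":"/","tls":{"version":769,"cipher_suite":49169}}}',
    '{"request":{"remote_ip":"203.0.113.10","uri":"/","tls":{"version":771,"cipher_suite":10}}}',
    '{"request":{"remote_ip":"198.51.100.8","uri":"/"}}',
    'not json',
]

if __name__ == "__main__":
    for finding in find_weak_tls(SAMPLE_LOG):
        print(finding)
```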
K7.03 — Certificate Manipulation
What it is: Attacker obtains a fraudulent SSL certificate for 42sisters.ai from a rogue or compromised Certificate Authority. They can then MITM traffic that appears legitimate (valid cert, no browser warning).
Signature: Certificate Transparency (CT) logs showing certificates issued for 42sisters.ai that we didn't request. Multiple valid certificates for our domain from different CAs when we only use Let's Encrypt.
HACKX response: P0 CRITICAL. A fraudulent certificate means someone can intercept all traffic while appearing legitimate.
Alert level: P0 CRITICAL
Defense: Monitor Certificate Transparency logs for 42sisters.ai (crt.sh free tier, Google CT dashboard). Any certificate we didn't request = immediate investigation. CAA DNS record restricts which CAs can issue certificates for our domain (add to SPEC_DNS_MANAGEMENT.md).
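One way to triage CT results for K7.03, added here as an example (not part of the HACKX code base). It assumes records in the shape of crt.sh JSON output (`id`, `issuer_name`, `name_value`, `serial_number`) and a hypothetical inventory of serial numbers for certificates we actually requested; all sample records and serials are constructed.

```python
import json

EXPECTED_ORG = "Let's Encrypt"

def issuer_org(issuer_name):
    """Pull the O= component out of a crt.sh issuer_name string."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value.strip('"')
    return None

def unexpected_certs(ct_records, known_serials):
    """Flag CT entries from another CA or with a serial we never requested."""
    known = {s.lower() for s in known_serials}
    seen, findings = set(), []
    for rec in ct_records:
        serial = rec["serial_number"].lower()
        if serial in seen:
            continue  # precertificate and final certificate share one serial
        seen.add(serial)
        reasons = []
        if issuer_org(rec["issuer_name"]) != EXPECTED_ORG:
            reasons.append("issuer is not " + EXPECTED_ORG)
        if serial not in known:
            reasons.append("serial not in issuance inventory")
        if reasons:
            findings.append({"crtsh_id": rec["id"], "names": rec["name_value"].split("\n"),
                             "issuer": rec["issuer_name"], "reasons": reasons})
    return findings

# Constructed records in the shape of crt.sh JSON output; serials are made up.
SAMPLE_CT = json.loads("""[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "42sisters.ai", "serial_number": "03aa00000000000000000000000000000001"},
 {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "42sisters.ai", "serial_number": "03aa00000000000000000000000000000001"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "42sisters.ai\\nwww.42sisters.ai", "serial_number": "03bb00000000000000000000000000000002"},
 {"id": 1004, "issuer_name": "C=XX, O=Example Other CA, CN=Example Issuing CA",
  "name_value": "42sisters.ai", "serial_number": "0ccc0003"}
]""")
KNOWN_SERIALS = ["03AA00000000000000000000000000000001"]  # hypothetical inventory
```

The serial inventory matters because an issuer-only check misses an unrequested certificate that was obtained from the same CA we use.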
K7.04 — GPG Passphrase Attack
What it is: Attacker targets the GPG passphrase used to encrypt ~/.env backups. Methods: brute force (weak passphrase), keylogger on Chromebook, social engineering, offline brute-force of the .gpg file after exfiltrating from GCS.
Signature: NOT detectable at the server level — the attack targets the passphrase, not the server. Detection depends on monitoring GCS access logs for unauthorized downloads of encrypted backup files.
HACKX response: If GCS access logs show unauthorized access to backup files: P0 CRITICAL. The attacker has the encrypted data and needs only the passphrase.
Alert level: CRITICAL (unauthorized backup access detected)
Defense: Strong passphrase (20+ characters, not derived from personal information). GCS access logging enabled. GCS bucket permissions restricted to the service account only. Consider GPG key-based encryption instead of passphrase-based for automated backups.
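The GCS log check behind the K7.04 signature, added here as an example (not HACKX code). It assumes Cloud Audit Logs Data Access entries exported as JSON objects; the bucket name, service account and sample entries are hypothetical and constructed.

```python
BACKUP_PREFIX = "projects/_/buckets/example-backups/objects/"  # hypothetical bucket
ALLOWED_PRINCIPALS = {"backup-sa@example-project.iam.gserviceaccount.com"}  # hypothetical
READ_METHODS = {"storage.objects.get"}  # object downloads

def unauthorized_backup_reads(entries):
    """Return downloads of backup objects by anyone outside the allow-list."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        resource = payload.get("resourceName", "")
        if payload.get("methodName") not in READ_METHODS:
            continue  # not a download
        if not resource.startswith(BACKUP_PREFIX):
            continue  # some other bucket
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        if principal not in ALLOWED_PRINCIPALS:
            findings.append({
                "time": entry.get("timestamp"),
                "object": resource[len(BACKUP_PREFIX):],
                "principal": principal or "<unauthenticated>",
                "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            })
    return findings

def _entry(ts, method, resource, principal, ip):
    """Build a constructed audit-log entry with only the fields the check reads."""
    return {"timestamp": ts, "protoPayload": {
        "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip}}}

# Constructed sample entries.
SAMPLE_ENTRIES = [
    _entry("2026-04-20T02:00:00Z", "storage.objects.create", BACKUP_PREFIX + "env-2026-04-20.gpg",
           "backup-sa@example-project.iam.gserviceaccount.com", "198.51.100.20"),
    _entry("2026-04-20T03:10:00Z", "storage.objects.get", BACKUP_PREFIX + "env-2026-04-20.gpg",
           "backup-sa@example-project.iam.gserviceaccount.com", "198.51.100.20"),
    _entry("2026-04-20T04:42:00Z", "storage.objects.get", BACKUP_PREFIX + "env-2026-04-20.gpg",
           "someone@example.org", "203.0.113.50"),
    _entry("2026-04-20T04:43:00Z", "storage.objects.get",
           "projects/_/buckets/example-public/objects/logo.png", "someone@example.org", "203.0.113.50"),
]
```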
K7.05 — SHA-256 Implementation Flaw
What it is: SHA-256 itself is not broken. But our IMPLEMENTATION could be flawed. Examples: using a truncated hash, using a predictable salt (or no salt), ENTROPX machine fingerprint using SHA-256 of predictable inputs (hostname alone is guessable).
Signature: NOT detectable at runtime — this is a code audit issue.
HACKX K7.05 awareness: The security audit (SPEC_SECURITY_AUDIT_SCHEDULE.md) should periodically review SHA-256 usage in:
- entropx_usb/fingerprint.py (machine binding)
- ENTROPX engine self-hash (integrity check)
- Any future file integrity monitoring
HACKX response: Quarterly code review of hash implementations. Flag any usage that truncates, skips salt, or hashes predictable-only inputs.
Alert level: MEDIUM (implementation concern, not active attack)
K7.06 — Entropy Prediction Attack on ENTROPX
What it is: Attacker attempts to predict ENTROPX's output by modeling the 8 chaos sources. If the attacker can observe or control any source, they can reduce the entropy of the output.
The 8 sources: Sinai billiard, whirlwind, cycling detectors golden-ratio, magnetic gauntlet, dwell sequence, randomized stopping time, spinning surfaces Φ / Ψ / log(10)/log(42), target miss.
Note on digital ENTROPX: Software simulation of chaos is pseudorandom, not truly random. The digital ENTROPX's entropy comes from the COMPOSITION of multiple PRNG streams. An attacker who obtains the source code could potentially model the simulation.
Signature: ENTROPX source code leakage (shouldn't happen per S.O.S. v2, but assume it could).
HACKX response: If ENTROPX source code is leaked: P0 CRITICAL. Rotate all ENTROPX-generated keys. Notify customers.
Alert level: P0 CRITICAL (if source leaked)
Defense: S.O.S. v2 — ENTROPX internals never leave the ship. Machine binding prevents copying the engine. Engine integrity self-check detects tampering. The patent draft describes the ARCHITECTURE but not the IMPLEMENTATION — architecture is publishable; implementation is not.
K7.07 — Side-Channel Attack
What it is: Attacker infers cryptographic secrets by observing computational side effects — primarily timing differences in security-critical operations.
Signature: Repeated queries designed to measure response time variations. Timing differences between "correct first byte of key" and "incorrect first byte of key" can leak the key one byte at a time.
HACKX response: Log queries with suspiciously consistent timing patterns designed to probe response time variance.
Alert level: MEDIUM
Defense: Constant-time comparison functions for all security-critical comparisons. Python's hmac.compare_digest() is constant-time. Never use == for security comparisons. Review all comparison code in quarterly audit.
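A helper for the quarterly audit named in K7.05 and K7.07, added here as an example (not the ship's own tooling). It parses Python source and flags two of the patterns those sections call out: `==`/`!=` on secret-like names and sliced hash output. The name list is a heuristic assumption, and salt usage and predictable inputs still need manual review.

```python
import ast

SENSITIVE = ("token", "secret", "signature", "digest", "hmac", "password", "key")

def _identifiers(node):
    """Lower-cased variable and attribute names found anywhere under node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Name):
            yield sub.id.lower()
        elif isinstance(sub, ast.Attribute):
            yield sub.attr.lower()

def audit_source(source, filename="<audit>"):
    """Return sorted (line, issue) pairs for the two patterns the audit looks for."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Compare):
            uses_eq = any(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops)
            names = [n for operand in (node.left, *node.comparators)
                     for n in _identifiers(operand)]
            if uses_eq and any(word in n for n in names for word in SENSITIVE):
                findings.append((node.lineno, "==/!= on secret-like value"))
        elif (isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice)
              and isinstance(node.value, ast.Call)
              and isinstance(node.value.func, ast.Attribute)
              and node.value.func.attr in ("digest", "hexdigest")):
            findings.append((node.lineno, "truncated hash output"))
    return sorted(findings)

# Constructed sample module; it is parsed, never executed.
SAMPLE = '''
import hashlib, hmac, socket

def fingerprint():
    return hashlib.sha256(socket.gethostname().encode()).hexdigest()[:16]

def check_bad(supplied_token, expected_token):
    return supplied_token == expected_token

def check_good(supplied_token, expected_token):
    return hmac.compare_digest(supplied_token, expected_token)
'''

if __name__ == "__main__":
    for line, issue in audit_source(SAMPLE):
        print(f"line {line}: {issue}")
```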
K7.08 — Random Number Generator Compromise
What it is: If the system's /dev/urandom is poorly seeded (low entropy at boot on a VPS), all cryptographic operations that depend on it produce weaker-than-expected output.
Signature: /proc/sys/kernel/random/entropy_avail showing consistently low values (<256). Patterns in /dev/urandom output detectable by NIST tests.
HACKX response: Monitor entropy pool health. If entropy_avail drops below 256: alert.
Alert level: MEDIUM (low entropy) / HIGH (NIST tests failing on system random)
Defense: Install haveged or rng-tools to supplement the entropy pool. ENTROPX could FEED the system entropy pool — the product becomes its own defense.
K7.09 — Webhook Signature Bypass
What it is: Stripe webhook verification uses HMAC-SHA256 with the webhook secret. If the attacker can bypass signature verification, they can forge webhook events (fake payments, fake subscription changes).
Signature: Webhook endpoint receiving requests that fail signature verification. Multiple failed verifications from different IPs = probing. Successful request processing without valid signature = code bug allowing bypass.
HACKX response: Every failed signature verification is logged with full request details.
Alert level: HIGH (probing) / P0 CRITICAL (bypass detected)
Defense: Stripe signature verification code reviewed in quarterly audit. Use Stripe's official SDK for verification — don't roll custom HMAC. Never skip verification "for testing" in production.
K7.10 — Key Reuse / Weak Key Generation
What it is: Using the same cryptographic key for multiple purposes, or generating keys from weak sources. Examples: using the Gemini API key as a seed for other cryptographic operations. Generating ENTROPX license keys from a predictable sequence. Using the same GPG key for backup encryption AND document signing.
Signature: Code audit issue, not runtime detection.
HACKX K7.10 awareness: Quarterly review of key usage across the ship. Each key should have ONE purpose.
HACKX response: Flag any key used for multiple cryptographic purposes.
Alert level: MEDIUM
Defense: Key isolation — each purpose gets its own key. SPEC_KEY_ROTATION.md inventories all keys and their purposes. If any key appears in two different roles: generate a separate key for the second role.
ENTROPX AS DEFENSE
ENTROPX is both an ASSET to protect (the product) and a TOOL for defense.
ENTROPX can:
- Generate high-quality keys for all ship operations (license keys, session tokens, backup encryption keys)
- Seed the system entropy pool (/dev/urandom) to prevent K7.08
- Provide verified randomness for any security operation (NIST-audited)
- Generate honeypot credentials (K3 integration) that are provably random and traceable
ENTROPX feeding its own defense is a beautiful loop: the product protects itself by being used.
HONEYPOT INTEGRATION
HACKX Layer 1 (Bait) for K7: the fake .env honeypot from K3 includes a decoy that looks like an encryption key.
If the attacker uses it as a decryption key against any encrypted file:
- They reveal their intent (trying to decrypt our backups)
- The failed decryption tells them nothing about the real key
- Their attempt tells us everything about their capability and target
One decoy. Full intelligence picture of attacker capability.
RESPONSE PROTOCOL
K7 priority tiers:
P0 — IMMEDIATE:
K7.03 (fraudulent certificate): Investigate CT log entry. Contact CA. Revoke.
K7.06 (ENTROPX source leaked): Rotate all ENTROPX-generated keys. Notify customers.
K7.09 (webhook bypass): Take endpoint offline. Fix verification code. Restore.
CRITICAL:
K7.04 (GPG passphrase attack / GCS unauthorized access): Rotate GPG key. Re-encrypt backups.
HIGH:
K7.01 (NIST test failure): Diagnose degraded source. Fix or replace.
K7.02 (TLS downgrade): Review Caddy cipher configuration. Harden.
MEDIUM:
K7.05 (SHA-256 implementation): Schedule code review. Not an emergency.
K7.07 (side-channel): Review constant-time usage in next quarterly audit.
K7.08 (low entropy): Install haveged. Monitor.
K7.10 (key reuse): Generate separate key. Rotate old one.
All K7 events feed quarterly crypto health review per SPEC_SECURITY_AUDIT_SCHEDULE.md.
INVARIANTS
INV-01: ENTROPX is both product and defense. Protect it as product (S.O.S. v2). Use it as defense (entropy generation, key creation).
INV-02: TLS 1.2+ only. Weak ciphers rejected. Caddy defaults are strong — verify they haven't been weakened by misconfiguration.
INV-03: Certificate Transparency monitoring for 42sisters.ai. Any certificate we didn't request = P0.
INV-04: GPG passphrase strength is the weakest link in backup encryption. 20+ characters. Known only to Captain + paper backup.
INV-05: SHA-256 implementations reviewed quarterly. No truncation. No predictable-only inputs. Constant-time comparisons for security checks.
INV-06: hmac.compare_digest() for all security-critical comparisons. Never == for tokens, keys, or signatures.
INV-07: ENTROPX source code is S.O.S. v2 — never leaves the ship. Architecture is publishable. Implementation is not. Source leak = P0.
INV-08: System entropy pool health monitored. entropy_avail <256 = alert. ENTROPX can supplement it.
INTEGRATION
| System | Relationship |
|---|---|
| SPEC_HACKX.md | K7 is one of 10 knowledge domains. HACKX.md is the parent spec. |
| SPEC_ENTROPX_DISTRIBUTION.md | K7.06 (source leak) and K7.01 (entropy degradation) are product-level threats to ENTROPX. K7 is the security spec for the product. |
| SPEC_KEY_ROTATION.md | K7.10 (key reuse) and K7.04 (GPG attack) — key inventory and rotation procedures govern the response. K7 detects. KEY_ROTATION responds. |
| SPEC_BACKUP_RECOVERY.md | K7.04 (GPG attack) targets the backup encryption. Backup spec governs the GPG usage; K7 detects the attack. |
| SPEC_DNS_MANAGEMENT.md | K7.03 (certificate manipulation) — CAA DNS record should restrict valid CAs. Add CAA record to DNS spec. |
| SPEC_HACKX_K2_WEBAPP.md | K7.09 (webhook bypass) is the K7 version of K2.09 (webhook forgery). K2 detects the forge attempt. K7 ensures the cryptographic verification is correctly implemented. |
| SPEC_SECURITY_AUDIT_SCHEDULE.md | K7.05/K7.07/K7.10 are quarterly audit items. Crypto health review is part of the quarterly Captain + Lobster audit. |
| SPEC_INCIDENT_POSTMORTEM.md | K7.03 (fraudulent cert) and K7.06 (source leak) trigger postmortems. |
Jeremy Zlabis
Chronogeometer · Visionary · Disruptor · Chief
42 Sisters AI · East York, Toronto
🍁 Φ 0.042