igbuend/selective-encrypted-transmission-pattern
skills/selective-encrypted-transmission-pattern/SKILL.md
Security pattern for encrypting specific data before transmission. Use when only certain data elements need encryption, implementing field-level encryption for transit, or when entities must actively manage encryption decisions. Addresses "Leak action request or data in transit" problem.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard selective-encrypted-transmission-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:20 PM17.8s1 file scanned
SKILL.md
- name:
- selective-encrypted-transmission-pattern
- description:
- Security pattern for encrypting specific data before transmission. Use when only certain data elements need encryption, implementing field-level encryption for transit, or when entities must actively manage encryption decisions. Addresses "Leak action request or data in transit" problem.
Selective Encrypted Transmission Security Pattern
Entities actively encrypt specific sensitive data elements before transmitting them over uncontrolled channels. Entities directly interact with cryptographic libraries to encrypt only necessary parts.
Problem Addressed
Leak action request or data in transit: Sensitive data exposed while being transmitted over a channel that may be observed by unauthorized parties.
Core Components
| Role | Type | Responsibility | |------|------|----------------| | Sender | Entity | Encrypts and transmits data | | Receiver | Entity | Receives and decrypts data | | CryptographerS | Cryptographic Primitive | Encryption library for Sender | | CryptographerR | Cryptographic Primitive | Decryption library for Receiver |
Data Elements
- d: Plaintext data element
- {d}_k: Ciphertext (d encrypted with key k)
- keyInfoS: Key information for encryption
- keyInfoR: Key information for decryption
- configS/configR: Cipher configuration
Pattern Flow
Sender → [encrypt(d, keyInfoS, configS)] → CryptographerS
CryptographerS → [{d}_k] → Sender
Sender → [{d}_k] → Receiver (over channel)
Receiver → [decrypt({d}_k, keyInfoR, configR)] → CryptographerR
CryptographerR → [d] → Receiver
- Sender decides which data to encrypt
- Sender requests encryption from CryptographerS
- CryptographerS returns ciphertext
- Sender transmits ciphertext
- Receiver receives ciphertext
- Receiver requests decryption from CryptographerR
- CryptographerR returns plaintext
Key Characteristics
Selective Encryption
- Entities choose WHAT to encrypt
- Not all data needs encryption
- Application-level decision making
Active Entity Participation
- Entities directly invoke cryptographic operations
- Entities manage when encryption occurs
- Different from channel-level encryption
Cipher Negotiation
Sender and Receiver must agree on:
- Encryption algorithm
- Configuration (mode, block size)
- Cryptographic key(s)
Negotiation Timing
| Stage | Approach | |-------|----------| | Design time | Hardcoded compatible algorithms | | Deployment | Configured shared keys/certificates | | Runtime | Dynamic negotiation protocol |
Critical: Use only standardized negotiation protocols from cryptographic libraries. Never implement custom negotiation.
Security Considerations
Use Existing Libraries
- Never implement custom cryptography
- Use well-known libraries (OpenSSL, libsodium, etc.)
- Follow library best practices
Key Management
- Protect key confidentiality
- Protect key integrity
- Secure key exchange/distribution
- See: Cryptographic key management pattern
Configuration Integrity
- Protect cipher configuration from tampering
- Attacker changing config could weaken encryption
- Protect during transmission and storage
Public Key Infrastructure
For asymmetric encryption:
- Sender encrypts with Receiver's public key
- Protect public key integrity
- Receiver's private key must remain secret
Symmetric Key Sharing
For symmetric encryption:
- Both parties need same secret key
- Secure distribution challenge
- Consider key exchange protocols
Encryption Algorithm Selection
Follow Encryption pattern recommendations:
- Symmetric: AES-256, AES-128 minimum
- Asymmetric: RSA-3072+ or ECDH-256+
- Authenticated encryption preferred
Comparison with Encrypted Tunnel
| Aspect | Selective Encryption | Encrypted Tunnel | |--------|---------------------|------------------| | Scope | Specific data elements | All communication | | Control | Application decides | Infrastructure manages | | Overhead | Lower (selective) | Higher (everything) | | Complexity | Application manages | Delegated to endpoints |
Use selective encryption when:
- Only some data is sensitive
- Different data needs different keys
- Application needs encryption control
Implementation Checklist
- [ ] Using established cryptographic library
- [ ] Strong algorithm selected (AES-256, RSA-3072+)
- [ ] Secure key management
- [ ] Configuration integrity protected
- [ ] Key exchange secured
- [ ] No custom cryptography implemented
- [ ] Sender/Receiver use compatible ciphers
- [ ] Public keys verified for authenticity
Related Patterns
- Encryption (underlying cryptographic operations)
- Encrypted tunnel (alternative: encrypt all traffic)
- Cryptographic key management (key handling)
- Selective encrypted storage (encryption at rest)
References
- Source: https://securitypatterns.distrinet-research.be/patterns/06_01_001__selective_encrypted_transmission/
- BSI TR-02102 Cryptographic Mechanisms
- NIST SP 800-175B Cryptographic Standards
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026