pinkpixel-dev/implementing-end-to-end-encryption-for-messaging
SKILLS/implementing-end-to-end-encryption-for-messaging/SKILL.md
End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary (including the server) able to decrypt them. This skill implements a simplified version
$ install --global
skillsauthnpx skillsauth add pinkpixel-dev/skills-collection-2 implementing-end-to-end-encryption-for-messagingInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 4:32 AM151.4s7 files scanned
SKILL.md
- name:
- implementing-end-to-end-encryption-for-messaging
- description:
- End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary (including the server) able to decrypt them. This skill implements a simplified version
- domain:
- cybersecurity
- subdomain:
- cryptography
- tags:
- [cryptography, encryption, e2e, messaging, signal-protocol]
- version:
- 1.0
- author:
- mahipal
- license:
- Apache-2.0
Implementing End-to-End Encryption for Messaging
Overview
End-to-end encryption (E2EE) ensures that only the communicating parties can read messages, with no intermediary (including the server) able to decrypt them. This skill implements a simplified version of the Signal Protocol's Double Ratchet algorithm, using X25519 for key exchange, HKDF for key derivation, and AES-256-GCM for message encryption.
When to Use
- When deploying or configuring implementing end to end encryption for messaging capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- Familiarity with cryptography concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Objectives
- Implement X25519 Diffie-Hellman key exchange for session establishment
- Build the Double Ratchet key management algorithm
- Encrypt and decrypt messages with per-message keys
- Implement forward secrecy (compromise of current key does not reveal past messages)
- Handle out-of-order message delivery
- Implement key agreement using X3DH (Extended Triple Diffie-Hellman)
Key Concepts
Signal Protocol Components
| Component | Purpose | Algorithm | |-----------|---------|-----------| | X3DH | Initial key agreement | X25519 | | Double Ratchet | Ongoing key management | X25519 + HKDF + AES-GCM | | Sending Chain | Per-message encryption keys | HMAC-SHA256 chain | | Receiving Chain | Per-message decryption keys | HMAC-SHA256 chain | | Root Chain | Derives new chain keys on DH ratchet | HKDF |
Forward Secrecy
Each message uses a unique encryption key derived from a ratcheting chain. After a key is used, it is deleted, ensuring that compromise of the current state does not reveal previously sent/received messages.
Security Considerations
- Delete message keys immediately after decryption
- Implement message ordering and replay protection
- Use authenticated encryption (AES-GCM) for all messages
- Protect identity keys with device-level security
- Verify identity keys out-of-band (safety numbers)
Validation Criteria
- [ ] X25519 key exchange produces shared secret
- [ ] Messages encrypt and decrypt correctly between two parties
- [ ] Different messages produce different ciphertexts
- [ ] Forward secrecy: old keys cannot decrypt new messages
- [ ] Out-of-order messages can be decrypted
- [ ] Tampered messages are rejected by authentication
Related Skills
pinkpixel-dev/implementing-rapid7-insightvm-for-scanning
development
VerifiedTrustedCommunity
Deploy and configure Rapid7 InsightVM Security Console and Scan Engines for authenticated and unauthenticated vulnerability scanning across enterprise environments.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-kill-switch-detection
testing
VerifiedTrustedCommunity
Detects and exploits ransomware kill switch mechanisms including mutex-based execution guards, domain-based kill switches, and registry-based termination checks. Implements proactive mutex vaccination and kill switch domain monitoring to prevent ransomware from executing. Activates for requests involving ransomware kill switch analysis, mutex vaccination, WannaCry-style domain kill switches, or malware execution guard detection.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-ransomware-backup-strategy
testing
VerifiedTrustedCommunity
Designs and implements a ransomware-resilient backup strategy following the 3-2-1-1-0 methodology (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors on restore verification). Configures backup schedules aligned to RPO/RTO requirements, implements backup credential isolation to prevent ransomware from compromising backup infrastructure, and establishes automated restore testing. Activates for requests involving ransomware backup planning, backup resilience, air-gapped backup design, or backup recovery point objective configuration.
1SKILL.mdUpdated May 29, 2026
pinkpixel-dev/implementing-purdue-model-network-segmentation
testing
VerifiedTrustedCommunity
Implement network segmentation based on the Purdue Enterprise Reference Architecture (PERA) model to separate industrial control system networks into hierarchical security zones from Level 0 physical process through Level 5 enterprise, enforcing strict traffic control between OT and IT domains.
1SKILL.mdUpdated May 29, 2026