Red Specter CIPHER

Cryptographic Attack & Disruption Engine — 8 subsystems, 476 tests, live JWT/TLS/timing validated.

v1.0.0 | Operational | Tool 50 | 476 Tests | 8 Subsystems | UNLEASHED Gate | WARLORD Compatible

Overview

Red Specter CIPHER attacks the cryptographic layer of AI agent infrastructure. It breaks keys, downgrades protocols, harvests secrets from agent memory, and exploits timing side-channels in TLS and JWT implementations.

AI agents depend on cryptography at every layer: TLS for transport, JWT for identity and authorisation, ECDSA/RSA for signing, HSMs and config stores for key material. CIPHER treats every one of these as an attack surface. Assess post-quantum readiness, break weak key implementations, harvest secrets from discoverable surfaces, and shatter certificate trust chains. The cryptographic layer is where identity, confidentiality, and integrity live. CIPHER breaks all three.

Live validated against JWT RS256/HS256 implementations, TLS downgrade (POODLE-class), and ECDSA nonce reuse recovery. Every finding is Ed25519 signed.

The 8 Subsystems

#   Subsystem   Command            Role
01  KEYBREAK    cipher keybreak    Weak key detection and factoring — RSA, EC, DH key analysis
02  DOWNGRADE   cipher downgrade   TLS and cipher suite downgrade attacks — POODLE-class, BEAST, SWEET32
03  KEYHARVEST  cipher keyharvest  Extract key material from agent memory, config files, and environment
04  QUANTUM     cipher quantum     Post-quantum readiness assessment — identify quantum-vulnerable cryptography
05  TRUSTBREAK  cipher trustbreak  Certificate chain attacks — CA trust abuse, OCSP bypass, CT log manipulation
06  TIMING      cipher timing      Timing oracle attacks on crypto operations — TLS, JWT, MAC, ECDSA nonce recovery
07  HARVEST     cipher harvest     Bulk secret extraction from all discovered surfaces in a single sweep
08  REPORT      cipher report      Aggregate findings into a signed report with remediation guidance

Subsystem Details

01 KEYBREAK cipher keybreak

Analyses target cryptographic keys for weakness and factorability. Covers RSA, elliptic curve, and Diffie-Hellman implementations commonly used in AI agent identity and transport layers.

Passive enumeration requires no gate. Active factoring and exploitation requires --override.
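
The passive key checks described for KEYBREAK can be run by a key owner over their own published keys. This is an added example, not CIPHER's code: it assumes the keys are published as a JWKS, and the policy constants, function names and sample key set are constructed for illustration.

```python
import base64

MIN_RSA_BITS = 2048                           # assumption: local policy floor
ALLOWED_CURVES = {"P-256", "P-384", "P-521"}  # assumption: local allow-list
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}

def b64u_to_int(text):
    """Decode an unpadded base64url JWK member into an integer."""
    raw = base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    return int.from_bytes(raw, "big")

def int_to_b64u(number):
    """Encode an integer the way JWK stores n and e (used for the sample)."""
    raw = number.to_bytes((number.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def audit_jwks(jwks):
    """Return (kid, finding) pairs for keys that violate the policy above."""
    findings, first_kid_for_modulus = [], {}
    for key in jwks.get("keys", []):
        kid = key.get("kid", "<no kid>")
        if PRIVATE_MEMBERS.intersection(key):
            findings.append((kid, "private or symmetric key material published"))
        if key.get("kty") == "RSA":
            n, e = b64u_to_int(key["n"]), b64u_to_int(key["e"])
            if n.bit_length() < MIN_RSA_BITS:
                findings.append((kid, f"RSA modulus is only {n.bit_length()} bits"))
            if e < 65537 or e % 2 == 0:
                findings.append((kid, f"public exponent {e} below 65537 or even"))
            if n in first_kid_for_modulus:
                findings.append((kid, f"modulus reused from {first_kid_for_modulus[n]}"))
            first_kid_for_modulus.setdefault(n, kid)
        elif key.get("kty") == "EC" and key.get("crv") not in ALLOWED_CURVES:
            findings.append((kid, f"curve {key.get('crv')} not in allow-list"))
    return findings

# Constructed JWKS: the moduli are synthetic integers, not real keys.
N_2048, N_1024 = (1 << 2047) | 1, (1 << 1023) | 1
SAMPLE_JWKS = {"keys": [
    {"kid": "good", "kty": "RSA", "n": int_to_b64u(N_2048), "e": "AQAB"},
    {"kid": "short", "kty": "RSA", "n": int_to_b64u(N_1024), "e": "Aw"},
    {"kid": "clone", "kty": "RSA", "n": int_to_b64u(N_2048), "e": "AQAB"},
    {"kid": "curve", "kty": "EC", "crv": "secp256k1", "x": "", "y": ""},
]}

if __name__ == "__main__":
    for kid, finding in audit_jwks(SAMPLE_JWKS):
        print(f"{kid}: {finding}")
```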

02 DOWNGRADE cipher downgrade

Forces TLS protocol and cipher suite downgrades to expose AI agent traffic to interception and decryption. Validated against POODLE-class and related padding oracle vulnerabilities.

Requires --override.

03 KEYHARVEST cipher keyharvest

Extracts cryptographic key material from the agent's discoverable attack surface: process memory, configuration files, environment variables, Vault instances, and Kubernetes secrets.

Requires --override.

04 QUANTUM cipher quantum

Passive assessment of post-quantum readiness. Maps all cryptographic primitives in the target's TLS, JWT, and signing stack against the NIST PQC finalised standards (ML-KEM, ML-DSA, SLH-DSA).

Fully passive. No --override required.

05 TRUSTBREAK cipher trustbreak

Attacks the certificate trust chain underpinning AI agent mTLS, webhook validation, and API gateway authentication.

Requires --override.

06 TIMING cipher timing

Statistical timing analysis against cryptographic operations. Measures response-time distributions to infer secret values, detect padding oracles, and recover ECDSA nonce bias.

Passive enumeration (no gate). Active exploitation uses --override. Configurable sample count via --samples.

07 HARVEST cipher harvest

Orchestrated bulk secret extraction sweep. Runs KEYBREAK, KEYHARVEST, and TIMING discovery phases across all surfaces discovered by earlier subsystems in a single coordinated pass.

Requires --override.

08 REPORT cipher report

Aggregates all subsystem outputs into a unified signed report. Ed25519-signed evidence bundle with per-finding severity, remediation guidance, and WARLORD-compatible structured output.

CLI Reference

KEYBREAK — Weak key detection and factoring

$ cipher keybreak --target <URL> [--alg rsa|ec|dh]
  --target   Target endpoint URL [required]
  --alg      Limit to specific algorithm type [optional — all if omitted]

DOWNGRADE — TLS/cipher suite downgrade attacks

$ cipher downgrade --target <URL> [--override]
  --target    Target TLS endpoint [required]
  --override  Activate UNLEASHED gate [required for active downgrade]

KEYHARVEST — Extract keys from agent memory and config

$ cipher keyharvest --target <URL> [--override]
  --target    Target agent base URL [required]
  --override  Activate UNLEASHED gate [required]

QUANTUM — Post-quantum readiness assessment

$ cipher quantum --target <URL>
  --target   Target endpoint URL [required — passive, no gate needed]

TRUSTBREAK — Certificate chain attacks

$ cipher trustbreak --target <URL> [--override]
  --target    Target TLS endpoint [required]
  --override  Activate UNLEASHED gate [required for active attacks]

TIMING — Timing oracle attacks on crypto operations

$ cipher timing --target <URL> [--samples <N>]
  --target   Target endpoint URL [required]
  --samples  Number of timing samples to collect [default: 1000]

HARVEST — Bulk secret extraction

$ cipher harvest --target <URL> [--override]
  --target    Target agent base URL [required]
  --override  Activate UNLEASHED gate [required]

REPORT — Signed output

$ cipher report --input <scan.json> [--format md|json]
  --input   Input scan results file [required]
  --format  Output format: md or json [default: json]

Quick Start

Weak key and timing scan

$ cipher keybreak --target https://target.example.com
# Passive key analysis — no gate required
# Detects RSA key size, EC curve, DH group weaknesses
# Flags ECDSA nonce reuse potential

$ cipher timing --target https://target.example.com --samples 2000
# Collects 2000 TLS/JWT timing samples
# Runs Welch's t-test and Mann-Whitney U for significance
# Reports timing oracle presence with confidence intervals
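
The Welch's t-test named in the timing quick start can also be run by a defender against their own token or MAC verification code to confirm it is constant-time. This is an added example, not CIPHER's code: `welch_t`, `leaks_timing`, `collect`, the 4.5 threshold and the sample timings are assumptions constructed for illustration, and it covers Welch's t-test only.

```python
import hmac
import math
import statistics
import time

def welch_t(a, b):
    """Welch's t statistic and Welch-Satterthwaite degrees of freedom."""
    na, nb = len(a), len(b)
    va, vb = statistics.variance(a) / na, statistics.variance(b) / nb
    if va + vb == 0:                      # identical constant samples
        return 0.0, float(na + nb - 2)
    t = (statistics.mean(a) - statistics.mean(b)) / math.sqrt(va + vb)
    df = (va + vb) ** 2 / (va ** 2 / (na - 1) + vb ** 2 / (nb - 1))
    return t, df

def leaks_timing(a, b, threshold=4.5):
    """True when the two input classes have distinguishable timings.
    |t| > 4.5 is the cut-off used in TVLA-style leakage testing; it is a
    tunable assumption here, not a value taken from the tool."""
    t, _ = welch_t(a, b)
    return abs(t) > threshold

def collect(compare, secret, guess, n=2000):
    """Time n calls of compare(secret, guess) in nanoseconds."""
    samples = []
    for _ in range(n):
        start = time.perf_counter_ns()
        compare(secret, guess)
        samples.append(time.perf_counter_ns() - start)
    return samples

# Constructed timings in ns, not measurements. "FIRST"/"LAST" are the two
# input classes: a guess that differs in the first byte vs the last byte.
EARLY_FIRST = [1000 + i % 7 for i in range(200)]        # early-exit compare
EARLY_LAST = [1040 + i % 7 for i in range(200)]         # runs longer: leak
CONST_FIRST = [1000 + i % 7 for i in range(200)]        # constant-time compare
CONST_LAST = [1000 + (i + 3) % 7 for i in range(200)]   # same cost, jitter only

if __name__ == "__main__":
    print("early-exit compare leaks:", leaks_timing(EARLY_FIRST, EARLY_LAST))
    print("constant-time compare leaks:", leaks_timing(CONST_FIRST, CONST_LAST))
    # Self-test of the local standard library comparison on this machine.
    tag = bytes(32)
    first, last = b"\x01" + tag[1:], tag[:-1] + b"\x01"
    t, df = welch_t(collect(hmac.compare_digest, tag, first),
                    collect(hmac.compare_digest, tag, last))
    print(f"hmac.compare_digest: t={t:.2f}, df={df:.0f}")
```

Live measurements are noisy, so collect the two classes interleaved and on a quiet host before trusting a result in either direction.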

Full cryptographic sweep

$ cipher harvest --target https://target.example.com --override
# Runs KEYBREAK + KEYHARVEST + TIMING discovery in sequence
# Aggregates and de-duplicates all findings

$ cipher report --input harvest-results.json --format md

CIPHER UNLEASHED

CIPHER uses the UNLEASHED dual-gate system. Passive discovery requires no gate. Active exploitation requires cryptographic authorisation.

The UNLEASHED gate verifies the operator's Ed25519 private key before any active exploitation executes. Unsigned invocations produce a dry-run trace with no live actions.

Target Systems

Live validated: JWT RS256/HS256, TLS downgrade (POODLE-class), ECDSA nonce reuse private key recovery.

WARLORD Integration

CIPHER is registered in the WARLORD autonomous campaign registry. It can be orchestrated as part of multi-tool campaigns targeting AI agent cryptographic infrastructure.

$ warlord --tool cipher --mode keybreak

Typical WARLORD campaign sequence pairing CIPHER with other NIGHTFALL tools:

  1. IDRIS — agent discovery and TLS endpoint enumeration
  2. CIPHER KEYBREAK + QUANTUM — passive cryptographic baseline
  3. CIPHER TIMING — timing side-channel collection
  4. CIPHER DOWNGRADE + KEYHARVEST — active exploitation with UNLEASHED gate
  5. CIPHER HARVEST — bulk secret extraction sweep
  6. DELEGATE / CRUCIBLE — use recovered keys to attack agent identity layer
  7. CIPHER REPORT — signed engagement output

Installation

From source

$ cd /path/to/red-specter-cipher
$ pip install -e .
$ cipher --version
# CIPHER v1.0.0 — Cryptographic Attack & Disruption Engine

Requirements

Key Features

476 Tests Passing: Full test suite across all 8 subsystems, zero failures
Live Validated: JWT RS256/HS256, TLS POODLE-class, ECDSA nonce reuse recovery
Ed25519 Signed Reports: Every REPORT output cryptographically signed for evidence integrity
UNLEASHED Dual-Gate: Passive assessment to active exploitation, key-controlled
Post-Quantum Assessment: NIST PQC readiness scoring — FIPS 203/204/205 compliance mapping
WARLORD Compatible: Registered in autonomous campaign registry, multi-tool chaining supported

Disclaimer

Red Specter CIPHER is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the system owner before running any CIPHER operation against a target. Key extraction and timing oracle operations may expose sensitive cryptographic material. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse.