Crypto Tools Server
FreeNot checkedDefense-grade cryptographic compliance and analysis tools for MCP, including FIPS 140-3 validation, CNSA 2.0 analysis, post-quantum readiness assessment, and cl
About
Defense-grade cryptographic compliance and analysis tools for MCP, including FIPS 140-3 validation, CNSA 2.0 analysis, post-quantum readiness assessment, and classical cipher utilities.
README
Crypto Tools MCP Server
MCP Python-3.10+ License Tests Coverage FIPS 140-3 CNSA 2.0 Post-Quantum Part of Agentic System
Defense-grade cryptographic compliance and analysis tools for MCP.
Part of the Agentic System - a 24/7 autonomous AI framework with persistent memory.
Features
Defense Compliance Modules
- FIPS 140-3 Validator - Validate algorithms against Federal Information Processing Standards
- CNSA 2.0 Analyzer - NSA Commercial National Security Algorithm Suite readiness
- Post-Quantum Readiness - NIST FIPS 203/204/205 quantum vulnerability assessment
- Key Lifecycle Manager - Key state management per NIST SP 800-57 Part 1 Rev 5
- Crypto Audit Engine - Code/config scanning with CWE mapping and SARIF output
Classical Cryptography
- Caesar Cipher - Encrypt, decrypt, and crack with frequency analysis
- Vigenere Cipher - Polyalphabetic substitution cipher
- XOR Analysis - XOR encryption/decryption and brute-force key recovery
- ROT13 - Self-inverse Caesar variant
- Frequency Analysis - Letter frequency and Index of Coincidence
- Cipher Detection - Automatic cipher type identification
Tools
Compliance Tools
| Tool | Description |
|---|---|
check_fips_compliance |
Validate algorithms against FIPS 140-3 approved list |
analyze_cnsa_compliance |
Check CNSA 2.0 readiness with gap analysis |
assess_pqc_readiness |
Post-quantum cryptography readiness assessment |
manage_key_lifecycle |
Key lifecycle management per SP 800-57 |
audit_crypto_usage |
Scan code for cryptographic issues (CWE mapped) |
generate_compliance_report |
Unified report across all standards |
Classical Crypto Tools
| Tool | Description |
|---|---|
caesar_encrypt |
Encrypt plaintext with Caesar cipher |
caesar_decrypt |
Decrypt ciphertext with known shift |
caesar_crack |
Crack Caesar cipher using frequency analysis |
frequency_analysis |
Analyze letter frequencies in text |
rot13 |
ROT13 encode/decode (self-inverse) |
vigenere_encrypt |
Encrypt with Vigenere cipher |
vigenere_decrypt |
Decrypt with known Vigenere key |
xor_cipher |
XOR encrypt/decrypt with key |
brute_force_xor |
Brute-force XOR with single-byte keys |
detect_cipher_type |
Identify cipher type used |
generate_key |
Generate cryptographically secure random key |
validate_key |
Validate key strength for an algorithm |
FIPS 140-3 Compliance
Validates algorithms against the FIPS 140-3 approved list per NIST SP 800-131A Rev 2.
Approved Algorithms
| Category | Algorithms | Standard |
|---|---|---|
| Symmetric | AES-128, AES-192, AES-256, AES-GCM, AES-CCM | FIPS 197, SP 800-38D |
| Hash | SHA-224, SHA-256, SHA-384, SHA-512, SHA-3 family | FIPS 180-4, FIPS 202 |
| MAC | HMAC-SHA-2, CMAC-AES, GMAC-AES | FIPS 198-1, SP 800-38B |
| Signature | RSA (2048+), ECDSA (P-256/384/521), EdDSA | FIPS 186-5 |
| Post-Quantum | ML-KEM, ML-DSA, SLH-DSA | FIPS 203, 204, 205 |
| DRBG | CTR_DRBG, Hash_DRBG, HMAC_DRBG | SP 800-90A Rev 1 |
| KDF | SP 800-108, SP 800-56C, HKDF, PBKDF2 | SP 800-108, SP 800-56C |
| Key Wrap | AES-KW, AES-KWP | SP 800-38F |
Disallowed Algorithms
| Algorithm | Reason |
|---|---|
| MD5 | Collision attacks trivial |
| SHA-1 | Practical collision attacks (SHAttered, 2017) |
| DES | 56-bit key, brute-forceable since 1998 |
| 3DES/TDEA | 64-bit block size (Sweet32), deprecated 2023 |
| RC4 | Statistical biases, banned in TLS |
| Blowfish | 64-bit block size, not FIPS approved |
| Dual_EC_DRBG | NSA backdoor, withdrawn |
Usage Example
check_fips_compliance(algorithms="AES-256,SHA-384,RSA-2048,MD5,3DES")
CNSA 2.0 (National Security Systems)
Analyzes cryptographic posture against NSA's Commercial National Security Algorithm Suite 2.0.
CNSA 2.0 Required Algorithms
| Use Case | Algorithm | Parameter |
|---|---|---|
| Symmetric Encryption | AES-256 | 256-bit key (not 128/192) |
| Hashing | SHA-384 | Minimum (not SHA-256) |
| Key Encapsulation | ML-KEM-1024 | NIST Level 5 (not 512/768) |
| Digital Signatures | ML-DSA-87 | NIST Level 5 (not 44/65) |
| Hash-Based Signatures | SLH-DSA-256 | NIST Level 5 (alternative) |
CNSA 2.0 Transition Timeline
| Category | Deadline | Requirement |
|---|---|---|
| Software/firmware signing | 2025 | ML-DSA-87 or SLH-DSA-256 |
| Web servers/browsers (TLS) | 2025 | ML-KEM-1024 + ML-DSA-87 |
| Cloud services | 2025 | Full CNSA 2.0 suite |
| Networking equipment | 2026 | ML-KEM-1024 + ML-DSA-87 |
| Operating systems | 2027 | Native PQC support |
| Custom/niche applications | 2030 | Complete PQC migration |
| All NSS (full compliance) | 2033 | Classical algorithms retired |
CNSA 1.0 vs 2.0
| Use Case | CNSA 1.0 | CNSA 2.0 | Change |
|---|---|---|---|
| Symmetric | AES-256 | AES-256 | No change |
| Hash | SHA-384 | SHA-384 | No change |
| Signatures | ECDSA-P384, RSA-3072+ | ML-DSA-87, SLH-DSA-256 | Classical -> PQC |
| Key Exchange | ECDH-P384, DH-3072+ | ML-KEM-1024 | ECDH -> Lattice KEM |
Usage Example
analyze_cnsa_compliance(algorithms="AES-256,ECDSA-P384,SHA-256,RSA-2048")
Post-Quantum Cryptography (FIPS 203/204/205)
Assesses readiness for the quantum computing threat per NIST post-quantum standards.
NIST PQC Standards
| Standard | Algorithm | Type | NIST Level | Key Size | Sig/CT Size |
|---|---|---|---|---|---|
| FIPS 203 | ML-KEM-512 | KEM | 1 | 800 B | 768 B |
| FIPS 203 | ML-KEM-768 | KEM | 3 | 1,184 B | 1,088 B |
| FIPS 203 | ML-KEM-1024 | KEM | 5 | 1,568 B | 1,568 B |
| FIPS 204 | ML-DSA-44 | Signature | 2 | 1,312 B | 2,420 B |
| FIPS 204 | ML-DSA-65 | Signature | 3 | 1,952 B | 3,309 B |
| FIPS 204 | ML-DSA-87 | Signature | 5 | 2,592 B | 4,627 B |
| FIPS 205 | SLH-DSA-128s | Signature | 1 | 32 B | 7,856 B |
| FIPS 205 | SLH-DSA-256s | Signature | 5 | 64 B | 29,792 B |
Quantum Vulnerability
| Algorithm | Attack | Quantum Security |
|---|---|---|
| RSA (all sizes) | Shor's algorithm | 0 bits (broken) |
| ECDSA/ECDH (all curves) | Shor's algorithm | 0 bits (broken) |
| DH (all sizes) | Shor's algorithm | 0 bits (broken) |
| AES-128 | Grover's algorithm | 64 bits (reduced) |
| AES-256 | Grover's algorithm | 128 bits (adequate) |
| SHA-256 | Grover's algorithm | 128 bits (adequate) |
HNDL Threat Assessment
Harvest-Now-Decrypt-Later (HNDL): adversaries intercept encrypted data today to decrypt once quantum computers are available. The tool calculates HNDL risk based on data sensitivity, shelf life, and algorithm vulnerability.
Usage Example
assess_pqc_readiness(
algorithms="RSA-2048,ECDSA-P256,AES-256,SHA-256",
data_sensitivity="critical",
data_shelf_life_years=15,
system_type="nss"
)
Key Lifecycle Management (SP 800-57)
Manages cryptographic key states and cryptoperiods per NIST SP 800-57 Part 1 Rev 5.
Key States
Pre-activation -> Active -> Deactivated -> Destroyed
| |
v v
Suspended Compromised -> Destroyed-Compromised
Cryptoperiod Limits
| Key Type | Max Active Period |
|---|---|
| Session key (TLS) | 24 hours |
| API key | 90 days |
| Master key | 1 year |
| SSH key | 1 year |
| TLS certificate key | 398 days |
| Symmetric encryption | 2 years |
| Signing private key | 3 years |
| Intermediate CA | 3-5 years |
| Root CA | 10-20 years |
Usage Examples
# Create and track a key
manage_key_lifecycle(action="create", key_id="prod-aes-1", name="Production AES Key",
key_type="symmetric_encryption", algorithm="AES-256",
owner="security-team", location="AWS KMS")
# Activate the key
manage_key_lifecycle(action="transition", key_id="prod-aes-1", new_state="active")
# Check compliance
manage_key_lifecycle(action="check", key_id="prod-aes-1")
# Get full inventory
manage_key_lifecycle(action="inventory")
# Check rotation schedule
manage_key_lifecycle(action="rotation")
# Validate key management practices
manage_key_lifecycle(action="validate_practice",
practice_description="Keys stored in HSM with RBAC, rotated annually...")
Crypto Audit Engine
Scans code and configuration for cryptographic security issues with CWE mapping.
Detection Categories
| Category | Rules | CWE IDs |
|---|---|---|
| Hardcoded Secrets | Keys, AWS creds, hex material | CWE-798 |
| Weak Random | Non-CSPRNG usage | CWE-330, CWE-338 |
| Broken Algorithms | MD5, SHA-1, DES, RC4 | CWE-327, CWE-328 |
| Insecure Modes | ECB, CBC without HMAC | CWE-327 |
| Missing KDF | Raw password as key | CWE-327 |
| Weak Key Length | RSA <2048, short symmetric | CWE-326 |
| Certificate Issues | verify=False, CERT_NONE | CWE-295 |
| Insecure TLS | SSLv3, TLS 1.0, TLS 1.1 | CWE-757 |
| Timing Attacks | Non-constant-time comparison | CWE-208 |
SARIF Output
The audit engine outputs SARIF (Static Analysis Results Interchange Format) for CI/CD integration with GitHub Code Scanning, Azure DevOps, and other platforms.
Usage Example
# Audit source code
audit_crypto_usage(text="import hashlib\nh = hashlib.md5(data)\nkey = 'hardcoded_secret_key'")
# Get SARIF output for CI/CD
audit_crypto_usage(text=source_code, output_format="sarif")
Comprehensive Compliance Report
Generate a unified report covering all standards.
generate_compliance_report(
algorithms="AES-256,RSA-2048,SHA-256,ECDSA-P256",
scan_text=source_code,
system_type="federal",
data_sensitivity="high",
data_shelf_life_years=10
)
Compliance Coverage Matrix
| Standard | Control | Coverage |
|---|---|---|
| FIPS 140-3 | Algorithm validation | Full |
| SP 800-131A Rev 2 | Algorithm transitions | Full |
| SP 800-57 Part 1 | Key management | Full |
| SP 800-53 SC-12 | Key establishment | Full |
| SP 800-53 SC-13 | Cryptographic protection | Full |
| SP 800-53 SC-17 | PKI certificates | Partial |
| SP 800-53 SC-28 | Information at rest | Partial |
| CNSA 2.0 | NSS algorithm suite | Full |
| CNSSP 15 | AES policy | Full |
| FIPS 203 | ML-KEM | Full |
| FIPS 204 | ML-DSA | Full |
| FIPS 205 | SLH-DSA | Full |
| OMB M-23-02 | PQC migration | Full |
| SP 800-88 | Media sanitization | Guidance |
Testing
# Run all tests with coverage
python -m pytest tests/ -v --cov=crypto_tools_mcp --cov-report=term-missing
# Run compliance tests only
python -m pytest tests/test_compliance.py -v
# Run classical cipher tests only
python -m pytest tests/test_encryption.py tests/test_hashing.py -v
Test coverage: 412 tests across 6 test modules covering classical ciphers, key management, MCP tool registration, and all five compliance modules (FIPS, CNSA, PQC, Key Lifecycle, Crypto Audit).
Installation
# Clone and install
git clone https://github.com/marc-shade/crypto-tools-mcp.git
cd crypto-tools-mcp
pip install -e .
# Or install with uv
uv pip install -e .
MCP Configuration
Add to your Claude Desktop or MCP client configuration:
{
"mcpServers": {
"crypto-tools": {
"command": "crypto-tools-mcp"
}
}
}
Part of the MCP Ecosystem
This server integrates with other MCP servers for comprehensive AGI capabilities:
| Server | Purpose |
|---|---|
| enhanced-memory-mcp | 4-tier persistent memory with semantic search |
| agent-runtime-mcp | Persistent task queues and goal decomposition |
| agi-mcp | Full AGI orchestration with 21 tools |
| cluster-execution-mcp | Distributed task routing across nodes |
| node-chat-mcp | Inter-node AI communication |
| ember-mcp | Production-only policy enforcement |
See agentic-system-oss for the complete framework.
Install Crypto Tools Server in Claude Desktop, Claude Code & Cursor
unyly install crypto-tools-mcp-serverInstalls into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.
First time? Get the CLI: curl -fsSL https://unyly.org/install | sh
Or configure manually
Run in your terminal:
claude mcp add crypto-tools-mcp-server -- uvx --from git+https://github.com/marc-shade/crypto-tools-mcp crypto-tools-mcpFAQ
Is Crypto Tools Server MCP free?
Yes, Crypto Tools Server MCP is free — one-click install via Unyly at no cost.
Does Crypto Tools Server need an API key?
No, Crypto Tools Server runs without API keys or environment variables.
Is Crypto Tools Server hosted or self-hosted?
A hosted option is available: Unyly runs the server in the cloud, no local setup required.
How do I install Crypto Tools Server in Claude Desktop, Claude Code or Cursor?
Open Crypto Tools Server on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
Stripe
Payments, customers, subscriptions
by Stripemalamutemayhem/unclick-agent-native-endpoints
110+ tools for AI agents spanning social media, finance, gaming, music, AU-specific services, and utilities. Zero-config local tools plus platform connectors. n
by malamutemayhemwhiteknightonhorse/APIbase
Unified API hub for AI agents with 56+ tools across travel (Amadeus, Sabre), prediction markets (Polymarket), crypto, and weather. Pay-per-call via x402 micropa
by whiteknightonhorsetrackerfitness729-jpg/sitelauncher-mcp-server
Deploy live HTTPS websites in seconds. Instant subdomains ($1 USDC) or custom .xyz domains ($10 USDC) on Base chain. Templates for crypto tokens and AI agent pr
Compare Crypto Tools Server with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All finance MCPs
