Encryption Layers

KayakNet uses multiple layers of encryption to protect your data.

Overview

┌─────────────────────────────────────────────────┐
│  Layer 4: Application E2E Encryption            │
│  (Chat messages, delivery info, etc.)           │
├─────────────────────────────────────────────────┤
│  Layer 3: Onion Routing Encryption              │
│  (3 nested layers, one per hop)                 │
├─────────────────────────────────────────────────┤
│  Layer 2: Transport Encryption (TLS 1.3)        │
│  (Per-connection encryption)                    │
├─────────────────────────────────────────────────┤
│  Layer 1: Physical Transport                    │
│  (TCP/UDP packets)                              │
└─────────────────────────────────────────────────┘

Layer 1: Transport Encryption

Every connection between nodes uses TLS 1.3:

Cipher Suite: TLS_CHACHA20_POLY1305_SHA256
Key Exchange: X25519
Certificate: Self-signed Ed25519

What It Protects

Content of packets between directly connected peers
Node identity (certificate includes public key)

What It Doesn't Protect

Traffic patterns (timing, size)
Metadata (who's talking to whom)

Layer 2: Onion Routing

Messages are wrapped in 3 layers of encryption:

Sender encrypts:
  Layer 3 key → for Exit Node
    Layer 2 key → for Middle Node
      Layer 1 key → for Entry Node
        Message

Key Exchange

Each hop gets its own ephemeral key:

Sender generates X25519 keypair
ECDH with hop's public key
HKDF to derive symmetric key
ChaCha20-Poly1305 encryption

Header Format

┌──────────────────────────────────┐
│ Ephemeral Public Key (32 bytes)  │
├──────────────────────────────────┤
│ Next Hop (encrypted)             │
├──────────────────────────────────┤
│ Payload (encrypted)              │
└──────────────────────────────────┘

Layer 3: Application E2E

Chat messages and sensitive data have additional encryption:

Chat Room Keys

Symmetric key shared by room members
Rotated when membership changes
ChaCha20-Poly1305

Direct Messages

X25519 key exchange with recipient
Per-message key derivation (forward secrecy)
Ed25519 signature for authentication

Escrow Data

Delivery info encrypted to seller's key
Only seller can decrypt

Cryptographic Primitives

Purpose

Algorithm

Standard

Signatures

Ed25519

RFC 8032

Key Exchange

X25519

RFC 7748

Symmetric Encryption

ChaCha20-Poly1305

RFC 8439

Key Derivation

HKDF-SHA256

RFC 5869

Hashing

BLAKE2b-256

RFC 7693

Key Management

Node Identity Key

Ed25519 keypair
Generated on first run
Stored in identity.key
Never transmitted

Session Keys

Ephemeral per-connection
X25519 exchange
Destroyed after use

Room Keys

Generated by room creator
Encrypted to each member
Rotated on membership change

Forward Secrecy

KayakNet provides forward secrecy through:

Ephemeral Keys - New keys per session
Key Rotation - Regular key changes
Key Destruction - Old keys deleted

If your long-term key is compromised:

Past messages remain encrypted
Only future messages affected

Quantum Resistance

Current algorithms are NOT quantum-resistant. Planned upgrades:

CRYSTALS-Kyber - Post-quantum key exchange
CRYSTALS-Dilithium - Post-quantum signatures
Hybrid Mode - Classical + PQ for transition

Implementation Details

Random Number Generation

// Using crypto/rand for all randomness
import "crypto/rand"

key := make([]byte, 32)
rand.Read(key)

Constant-Time Operations

All cryptographic comparisons use constant-time functions:

import "crypto/subtle"

if subtle.ConstantTimeCompare(a, b) == 1 {
    // Equal
}

Memory Security

Sensitive data is:

Zeroed after use
Not logged or printed
Stored in secure memory where possible

Verification

You can verify encryption using packet captures:

# Capture KayakNet traffic
tcpdump -i any port 4242 -w capture.pcap

# Analyze with Wireshark
# All payloads should appear as random data

PreviousSecurity Model NextTraffic Analysis Resistance

Last updated 1 month ago

Good evening

hashtagOverview

hashtagLayer 1: Transport Encryption

hashtagWhat It Protects

hashtagWhat It Doesn't Protect

hashtagLayer 2: Onion Routing

hashtagKey Exchange

hashtagHeader Format

hashtagLayer 3: Application E2E

hashtagChat Room Keys

hashtagDirect Messages

hashtagEscrow Data

hashtagCryptographic Primitives

hashtagKey Management

hashtagNode Identity Key

hashtagSession Keys

hashtagRoom Keys

hashtagForward Secrecy

hashtagQuantum Resistance

hashtagImplementation Details

hashtagRandom Number Generation

hashtagConstant-Time Operations

hashtagMemory Security

hashtagVerification

Overview

Layer 1: Transport Encryption

What It Protects

What It Doesn't Protect

Layer 2: Onion Routing

Key Exchange

Header Format

Layer 3: Application E2E

Chat Room Keys

Direct Messages

Escrow Data

Cryptographic Primitives

Key Management

Node Identity Key

Session Keys

Room Keys

Forward Secrecy

Quantum Resistance

Implementation Details

Random Number Generation

Constant-Time Operations

Memory Security

Verification