Encryption Layers
KayakNet uses multiple layers of encryption to protect your data.
Overview
┌─────────────────────────────────────────────────┐
│ Layer 4: Application E2E Encryption │
│ (Chat messages, delivery info, etc.) │
├─────────────────────────────────────────────────┤
│ Layer 3: Onion Routing Encryption │
│ (3 nested layers, one per hop) │
├─────────────────────────────────────────────────┤
│ Layer 2: Transport Encryption (TLS 1.3) │
│ (Per-connection encryption) │
├─────────────────────────────────────────────────┤
│ Layer 1: Physical Transport │
│ (TCP/UDP packets) │
└─────────────────────────────────────────────────┘Layer 1: Transport Encryption
Every connection between nodes uses TLS 1.3:
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256
Key Exchange: X25519
Certificate: Self-signed Ed25519
What It Protects
Content of packets between directly connected peers
Node identity (certificate includes public key)
What It Doesn't Protect
Traffic patterns (timing, size)
Metadata (who's talking to whom)
Layer 2: Onion Routing
Messages are wrapped in 3 layers of encryption:
Key Exchange
Each hop gets its own ephemeral key:
Sender generates X25519 keypair
ECDH with hop's public key
HKDF to derive symmetric key
ChaCha20-Poly1305 encryption
Header Format
Layer 3: Application E2E
Chat messages and sensitive data have additional encryption:
Chat Room Keys
Symmetric key shared by room members
Rotated when membership changes
ChaCha20-Poly1305
Direct Messages
X25519 key exchange with recipient
Per-message key derivation (forward secrecy)
Ed25519 signature for authentication
Escrow Data
Delivery info encrypted to seller's key
Only seller can decrypt
Cryptographic Primitives
Signatures
Ed25519
RFC 8032
Key Exchange
X25519
RFC 7748
Symmetric Encryption
ChaCha20-Poly1305
RFC 8439
Key Derivation
HKDF-SHA256
RFC 5869
Hashing
BLAKE2b-256
RFC 7693
Key Management
Node Identity Key
Ed25519 keypair
Generated on first run
Stored in
identity.keyNever transmitted
Session Keys
Ephemeral per-connection
X25519 exchange
Destroyed after use
Room Keys
Generated by room creator
Encrypted to each member
Rotated on membership change
Forward Secrecy
KayakNet provides forward secrecy through:
Ephemeral Keys - New keys per session
Key Rotation - Regular key changes
Key Destruction - Old keys deleted
If your long-term key is compromised:
Past messages remain encrypted
Only future messages affected
Quantum Resistance
Current algorithms are NOT quantum-resistant. Planned upgrades:
CRYSTALS-Kyber - Post-quantum key exchange
CRYSTALS-Dilithium - Post-quantum signatures
Hybrid Mode - Classical + PQ for transition
Implementation Details
Random Number Generation
Constant-Time Operations
All cryptographic comparisons use constant-time functions:
Memory Security
Sensitive data is:
Zeroed after use
Not logged or printed
Stored in secure memory where possible
Verification
You can verify encryption using packet captures:
Last updated