Encryption Model
DocsProtocol ConceptsEncryption Model

Encryption Model

AEAD, nonce construction, and key derivation

KSP uses Authenticated Encryption with Associated Data (AEAD) to protect both confidentiality and integrity. The 48-byte header remains unencrypted to allow network intermediate parsing, but is included as Additional Authenticated Data (AAD) in the AEAD algorithm.

Key Derivation (HKDF-SHA256)

Once the X25519 ephemeral key exchange completes, the shared Diffie-Hellman secret is extracted. KSP applies HKDF-Extract and HKDF-Expand steps:

salt = client_random || server_random  (64 bytes)
PRK  = HKDF-Extract(salt, shared_secret)

# Expanded keys
client_write_key = HKDF-Expand(PRK, "ksp1 client write key", 32)
server_write_key = HKDF-Expand(PRK, "ksp1 server write key", 32)
client_write_iv  = HKDF-Expand(PRK, "ksp1 client write iv",  12)
server_write_iv  = HKDF-Expand(PRK, "ksp1 server write iv",  12)

Nonce Construction

To prevent replay attacks and ensure uniqueness, the AEAD nonce (12 bytes) is dynamically constructed for each packet by XORing the sequence number with the base IV:

Sequence Number (8 bytes) -> Left-padded with 4 bytes of zeros to form 12 bytes:
[ 0x00, 0x00, 0x00, 0x00, seq_7, seq_6, seq_5, seq_4, seq_3, seq_2, seq_1, seq_0 ]

Nonce = write_iv XOR padded_sequence_number

AEAD Processing

  • Encryption: The payload is encrypted using the negotiated algorithm (AES-256-GCM or ChaCha20-Poly1305). The 48-byte header is supplied as AAD.
  • Authentication Tag: A 16-byte cryptographic tag is appended to the packet. If any bit in the header or ciphertext is altered, decryption fails.