Encryption Model
Encryption Model
AEAD, nonce construction, and key derivation
KSP uses Authenticated Encryption with Associated Data (AEAD) to protect both confidentiality and integrity. The 48-byte header remains unencrypted to allow network intermediate parsing, but is included as Additional Authenticated Data (AAD) in the AEAD algorithm.
Key Derivation (HKDF-SHA256)
Once the X25519 ephemeral key exchange completes, the shared Diffie-Hellman secret is extracted. KSP applies HKDF-Extract and HKDF-Expand steps:
salt = client_random || server_random (64 bytes) PRK = HKDF-Extract(salt, shared_secret) # Expanded keys client_write_key = HKDF-Expand(PRK, "ksp1 client write key", 32) server_write_key = HKDF-Expand(PRK, "ksp1 server write key", 32) client_write_iv = HKDF-Expand(PRK, "ksp1 client write iv", 12) server_write_iv = HKDF-Expand(PRK, "ksp1 server write iv", 12)
Nonce Construction
To prevent replay attacks and ensure uniqueness, the AEAD nonce (12 bytes) is dynamically constructed for each packet by XORing the sequence number with the base IV:
Sequence Number (8 bytes) -> Left-padded with 4 bytes of zeros to form 12 bytes: [ 0x00, 0x00, 0x00, 0x00, seq_7, seq_6, seq_5, seq_4, seq_3, seq_2, seq_1, seq_0 ] Nonce = write_iv XOR padded_sequence_number
AEAD Processing
- Encryption: The payload is encrypted using the negotiated algorithm (AES-256-GCM or ChaCha20-Poly1305). The 48-byte header is supplied as AAD.
- Authentication Tag: A 16-byte cryptographic tag is appended to the packet. If any bit in the header or ciphertext is altered, decryption fails.