Object.Encryption (object v0.1.2)

End-to-end encryption for Object network communication.

Provides strong cryptographic guarantees for Object-to-Object communication including identity verification, forward secrecy, and message authentication.

Features

  • X25519 ECDH for key exchange
  • Ed25519 for digital signatures
  • ChaCha20-Poly1305 for authenticated encryption
  • Double Ratchet algorithm for forward secrecy
  • Certificate-based identity verification
  • Optional onion routing for anonymity

Summary

Types

certificate()
identity()
keypair()
session()
state()

Functions

child_spec(init_arg)

Returns a specification to start this module under a supervisor.

create_onion_message(plaintext, route)

Creates an onion-encrypted message for anonymous routing.

decrypt_message(peer_id, ciphertext)

Decrypts a message from a specific peer.

encrypt_message(peer_id, plaintext)

Encrypts a message for a specific peer.

establish_session(peer_id, peer_certificate)

Establishes an encrypted session with a peer.

generate_identity(node_id)

Generates a new identity with keypairs and self-signed certificate.

process_onion_message(onion)

Processes an onion-encrypted message.

sign(data)

Signs data with the node's signing key.

start_link(opts \\ [])

Starts the encryption service.

verify(peer_id, data, signature)

Verifies a signature from a peer.

Types

certificate()

@type certificate() :: %{
  subject_id: binary(),
  public_signing_key: binary(),
  public_encryption_key: binary(),
  issuer_id: binary() | :self,
  signature: binary(),
  issued_at: DateTime.t(),
  expires_at: DateTime.t()
}

identity()

@type identity() :: %{
  id: binary(),
  signing_key: keypair(),
  encryption_key: keypair(),
  certificate: certificate()
}

keypair()

@type keypair() :: %{public: binary(), private: binary()}

session()

@type session() :: %{
  peer_id: binary(),
  peer_certificate: certificate(),
  root_key: binary(),
  chain_keys: %{send: binary(), receive: binary()},
  message_keys: %{send: [binary()], receive: [binary()]},
  counters: %{send: non_neg_integer(), receive: non_neg_integer()},
  handshake_state: :pending | :completed,
  last_activity: DateTime.t()
}

state()

@type state() :: %{
  identity: identity(),
  sessions: %{required(binary()) => session()},
  trusted_certificates: %{required(binary()) => certificate()},
  onion_routes: %{required(binary()) => [binary()]},
  config: map()
}

Functions

child_spec(init_arg)

Returns a specification to start this module under a supervisor.

See Supervisor.

create_onion_message(plaintext, route)

@spec create_onion_message(binary(), [binary()]) :: {:ok, binary()} | {:error, term()}

Creates an onion-encrypted message for anonymous routing.

decrypt_message(peer_id, ciphertext)

@spec decrypt_message(binary(), binary()) :: {:ok, binary()} | {:error, term()}

Decrypts a message from a specific peer.

encrypt_message(peer_id, plaintext)

@spec encrypt_message(binary(), binary()) :: {:ok, binary()} | {:error, term()}

Encrypts a message for a specific peer.

establish_session(peer_id, peer_certificate)

@spec establish_session(binary(), certificate()) :: :ok | {:error, term()}

Establishes an encrypted session with a peer.

generate_identity(node_id)

@spec generate_identity(binary()) :: {:ok, identity()} | {:error, term()}

Generates a new identity with keypairs and self-signed certificate.

process_onion_message(onion)

@spec process_onion_message(binary()) ::
  {:ok, binary(), binary() | :final} | {:error, term()}

Processes an onion-encrypted message.

sign(data)

@spec sign(binary()) :: {:ok, binary()} | {:error, term()}

Signs data with the node's signing key.

start_link(opts \\ [])

Starts the encryption service.

verify(peer_id, data, signature)

@spec verify(binary(), binary(), binary()) :: boolean()

Verifies a signature from a peer.