@hyperfrontend/network-protocol/securitySecurity
Purpose
The Security module defines the security suite interfaces that combine encryption and obfuscation capabilities. It provides a unified interface for the complete security pipeline used by the protocol.
Key Interfaces
EncryptionSuite<T>
Provides packet encryption and decryption operations with dynamic key support.
interface EncryptionSuite<T = any> {
packetEncryption: PacketEncryption<T> // (packet: UnencryptedPacket<T>) => Promise<UnserializedEncryptedPacket>
packetDecryption: PacketDecryption<T> // (packet: UnserializedEncryptedPacket) => Promise<UnencryptedPacket<T>>
}
ObfuscationSuite
Provides packet obfuscation and deobfuscation operations with time-based passwords.
interface ObfuscationSuite {
packetObfuscation: PacketObfuscation // (packet: SerializedEncryptedPacket) => Promise<ObfuscatedPacket>
packetDeobfuscation: PacketDeobfuscation // (packet: ObfuscatedPacket) => Promise<SerializedEncryptedPacket>
}
SecuritySuite<T>
Combined interface for complete security operations (encryption + obfuscation).
interface SecuritySuite<T = any> extends EncryptionSuite<T>, ObfuscationSuite {
// Inherits all four operations:
// packetEncryption, packetDecryption, packetObfuscation, packetDeobfuscation
}
Security Suite Composition
The security suite is composed from separate encryption and obfuscation components:
Factory Functions
Dynamic Key Encryption Suite
Created by createDynamicKeyEncryptionFactory, this suite uses a key provider function evaluated at each operation.
Location: packet/security/encryption/dynamic-encryption-key.ts
import { createDynamicKeyEncryptionFactory } from '@hyperfrontend/network-protocol/lib/packet/security/encryption'
// Create the factory with platform-specific encryption
const createDynamicKeyEncryption = createDynamicKeyEncryptionFactory(
encryptPacket, // Platform-specific encrypt
decryptPacket // Platform-specific decrypt
)
// Create a suite with a key provider
let currentKey = 'initial-key'
const getKey = () => currentKey
const encryptionSuite = createDynamicKeyEncryption(getKey)
// Key is evaluated at each operation
await encryptionSuite.packetEncryption(packet) // Uses current key
currentKey = 'rotated-key'
await encryptionSuite.packetEncryption(packet) // Uses rotated key
Time-Interval Obfuscation Suite
Created by createTimeIntervalObfuscationFactory, this suite uses time-based passwords with automatic clock-skew handling.
Location: packet/security/obfuscation/time-interval-obfuscation-factory.ts
import { createTimeIntervalObfuscationFactory } from '@hyperfrontend/network-protocol/lib/packet/security/obfuscation'
// Create the factory with platform-specific obfuscation
const createTimeIntervalObfuscation = createTimeIntervalObfuscationFactory(
obfuscatePacket, // Platform-specific obfuscate
deobfuscatePacket, // Platform-specific deobfuscate
getTimeBasedPassword, // Password from time window
getTimeBasedPasswords // Current, previous, next passwords
)
// Create a suite with 60-minute refresh
const obfuscationSuite = createTimeIntervalObfuscation(60)
// Obfuscate with current time window password
await obfuscationSuite.packetObfuscation(serializedPacket)
// Deobfuscate tries current, previous, and next windows
await obfuscationSuite.packetDeobfuscation(obfuscatedPacket)
Platform-Specific Creation
Browser
import { createProtocol } from '@hyperfrontend/network-protocol/browser/v1'
import { createLogger } from '@hyperfrontend/logging'
const logger = createLogger({ level: 'info' })
const protocolProvider = createProtocol(logger, 60)
// The protocol includes:
// - Web Crypto API-based encryption (AES-GCM)
// - Web Crypto API-based obfuscation
// - Time-based password generation
Node.js
import { createProtocol } from '@hyperfrontend/network-protocol/node/v1'
import { createLogger } from '@hyperfrontend/logging'
const logger = createLogger({ level: 'info' })
const protocolProvider = createProtocol(logger, 60)
// The protocol includes:
// - Node.js crypto module-based encryption (AES-256-GCM)
// - Node.js crypto module-based obfuscation
// - Time-based password generation
Encryption Key Management
Dynamic Key Pattern
The encryption suite uses a key provider function that is evaluated at each operation:
// Key captured from incoming packets
let capturedKey: string
const receive = (packet: UnencryptedPacket) => {
capturedKey = packet.data.key // Capture key from peer
handlePacket(packet)
}
const getKey = () => capturedKey
// Encryption suite uses the latest key
const suite = createDynamicKeyEncryption(getKey)
Key Exchange Flow
Obfuscation Password Management
Time-Based Password Generation
Passwords are derived from the current time window:
// Password changes every refreshRate minutes
const password = await getTimeBasedPassword(new Date(), refreshRate, 0)
Clock Skew Tolerance
During deobfuscation, the suite tries multiple time windows:
const { current, previous, next } = getTimeBasedPasswords(new Date(), refreshRate)
// Try in order:
// 1. Current time window password
// 2. Previous time window password (sender clock behind)
// 3. Next time window password (sender clock ahead)
Window Tolerance Example
With refreshRate = 60 (60-minute windows):
Security Pipeline Flow
Outbound (Sending)
Inbound (Receiving)
Security Considerations
Key Rotation
- Dynamic key encryption allows key rotation without protocol reconfiguration
- Keys are exchanged via the
packet.data.keyfield - Consider implementing periodic key rotation for long-lived sessions
Time Synchronization
- Obfuscation depends on synchronized clocks between endpoints
- Built-in tolerance handles up to ±refreshRate minutes of drift
- Monitor for repeated deobfuscation failures (may indicate clock issues)
Refresh Rate Selection
| Refresh Rate | Clock Tolerance | Security Tradeoff |
|---|---|---|
| 1 minute | ±1 minute | Higher security, strict timing |
| 5 minutes | ±5 minutes | Balanced |
| 60 minutes | ±60 minutes | More tolerant, larger windows |
Best Practices
- Use NTP: Ensure all endpoints sync with reliable time servers
- Monitor Failures: Log deobfuscation failures to detect clock drift
- Key Management: Implement secure key generation and exchange
- Logging: Use debug-level logging in development, info in production
Relationship to Other Modules
- Depends on:
packet/(for packet transformation types),@hyperfrontend/cryptography - Used by:
protocol/(composes the security suite)
See Also
- Library Index - All modules
- Architecture Guide - Security architecture
Related Modules
| Module | Relationship |
|---|---|
| protocol/ | Composes security suite |
| packet/ | Packet transformations using security |
| packet/security/encryption/ | Encryption implementations |
| packet/security/obfuscation/ | Obfuscation implementations |
API Reference
◈ Interfaces
Suite of encryption operations for packets
Handler for first message scenarios where no encryption key exists yet.
In the dynamic key exchange protocol, the first message is sent without encryption (only obfuscation) because no shared key has been established yet. This handler provides methods to serialize/deserialize packets without the encryption step.
In the dynamic key exchange protocol, the first message is sent without encryption (only obfuscation) because no shared key has been established yet. This handler provides methods to serialize/deserialize packets without the encryption step.
Properties
§
readonly deserializeWithoutDecryption:(packet: UnserializedEncryptedPacket) => Promise<UnencryptedPacket<T>>— Deserializes a packet that was sent without encryption. Used when receiving the first message before key exchange.
§
readonly serializeWithoutEncryption:(packet: UnencryptedPacket<T>) => Promise<UnserializedEncryptedPacket>— Serializes an unencrypted packet for transmission without encryption. Used when sending the first message before key exchange.
Suite of obfuscation operations for packets
Combined encryption and obfuscation security suite
Properties
◆ Types
Password-bound packet decryption function
type PacketDecryption = (packet: UnserializedEncryptedPacket) => Promise<UnencryptedPacket<T>>Password-bound packet deobfuscation function
type PacketDeobfuscation = (packet: ObfuscatedPacket) => Promise<SerializedEncryptedPacket>Password-bound packet encryption function
type PacketEncryption = (packet: UnencryptedPacket<T>) => Promise<UnserializedEncryptedPacket>Password-bound packet obfuscation function
type PacketObfuscation = (packet: SerializedEncryptedPacket) => Promise<ObfuscatedPacket>