@archonite/archonite-signed-payload
v0.1.0
Published
Secure payload encryption in compliance to Archonite Signed Payload protocol.
Maintainers
nathannesteinReadme
@archonite/archonite-signed-payload
A high-performance, security-hardened library for serializing, encrypting, and transmitting JSON data. It combines Google Protobuf for compact serialization, Argon2id for password-based key derivation, and AES-256-GCM for authenticated encryption.
🛡️ Security Architecture
The library follows a strict cryptographic pipeline to ensure data integrity and confidentiality:
- Serialization: JSON is converted to a binary Protobuf structure to reduce size and enforce schema consistency.
- Key Derivation: Uses Argon2id (the winner of the Password Hashing Competition) with a 64MB memory cost to derive a 256-bit key, making brute-force attacks extremely expensive.
- Encryption: Uses AES-256-GCM (Galois/Counter Mode). This provides Authenticated Encryption, ensuring that if even a single bit of the payload is tampered with, decryption will fail.
- Binding: The salt is bound to the ciphertext as AAD (Additional Authenticated Data), preventing salt-substitution attacks.
🚀 Features
- Compact Binary Format: Leverages Protobuf for smaller over-the-wire payloads compared to raw JSON.
- Time-Limited Access: Built-in expiration validation. Decryption fails automatically if the payload has expired.
- Hardened KDF: Protects against GPU/ASIC cracking attempts using Argon2id.
- Tamper Proof: Authenticated encryption ensures data has not been modified in transit.
- TypeScript Ready: Full type safety and IDE autocompletion.
📦 Installation
npm install @archonite/archonite-signed-payloadNote: This package requires argon2 as a peer dependency. Ensure your environment supports building native C++ modules.
🛠️ Usage
1. Create and Encrypt a Payload
Use this on the client or the service generating the secure message.
import { createArchonitePayload } from '@archonite/archonite-signed-payload';
// 1 hour from now
const expiration = new Date(Date.now() + 1000 * 60 * 60);
const passphrase = "a-very-strong-secret-phrase";
const data = {
userId: "user_01HRA",
action: "SYSTEM_ACCESS",
permissions: ["read", "write"]
};
const encryptedPayload = await createArchonitePayload(
passphrase,
expiration,
data
);
console.log(encryptedPayload);2. Decode and Verify a Payload
Use this on the receiving server to validate and read the data.
import { decodeArchonitePayload } from '@archonite/archonite-signed-payload';
try {
const decryptedData = await decodeArchonitePayload(
passphrase,
encryptedPayload
);
// "user_01HRA"
console.log(decryptedData.userId);
} catch (error) {
// Fails if: wrong passphrase, tampered data, or payload expired
console.error("Access Denied:", error.message);
}
3. Transmit to an API
A utility function to POST the payload with the correct headers.
import { sendArchonitePayload } from '@archonite/archonite-signed-payload';
const result = await sendArchonitePayload(
'https://api.example.com/secure-endpoint',
encryptedPayload
);
📊 Binary Structure
The generated string is a Base64 encoding of the following binary sequence:
| Offset (Bytes) | Length | Component | Description |
| --- | --- | --- | --- |
| 0 | 7 | Prefix | Magic bytes: ARCHON- |
| 7 | 16 | Salt | Random salt for Argon2id |
| 23 | 32 | IV | Initialization Vector for AES |
| 55 | 16 | Tag | GCM Authentication Tag |
| 71 | Variable | Ciphertext | AES-256-GCM Encrypted Protobuf |
⚙️ Configuration Constants
The library uses the following security parameters:
- KDF: Argon2id
- Memory Cost: 64 MB ( KB)
- Time Cost: 3 iterations
- Parallelism: 1
- Cipher: AES-256-GCM
- IV Length: 32 bytes (High entropy)
📄 License
MIT © Archonite Organization