Kad Encrypt

Packet encryption for Kad. Currently only for UDP. Compatible with Kad Spartacus. Node 6.x only.

Usage

Install with NPM.

npm install kad kad-encrypt

Integrate with your Kad project.

var kad = require('kad');
var encrypt = require('kad-encrypt');

// Setup your Contact
var Contact = encrypt.ContactDecorator(
  kad.contacts.AddressPortContact
);

// Load up the transport from encrypt.
// if privateKey is not included a new identity will be created
var transport = encrypt.transports.UDP(Contact({
  address: '127.0.0.1',
  port: 1337,
  privateKey: privateKey
}));

//If you'd like to tie the pubkey to nodeid for attack mitigation:
transport.before('send', encrypt.hooks.verify);

About: Verification / Attack Mitigation

Like Kad Spartacus, Kad Encrypt introduces cryptographic identities using EC. In this case, nodes prove they own their nodeID by successfully decrypting messages with their private EC key and including their public EC in the message. The nodeID is derived from the public key, therefore any node's claimed nodeID can be verified by checking it against the included public key.

Note that Spartacus imposes its requirement on incoming messages, while Encrypt does so with outgoing messages. Either one should be sufficient, since with Encrypt any node lying about their public key (and thus nodeID ownership) will not be able to decrypt any response. Using Kad Spartacus as well would provide additional security for incoming messages (the identities are compatible).

About: Encryption

Outgoing messages are encrypted with a secret derived from an ephemeral EC keypair (generated per-message) and the destination contact's public key. The encryption is done with AES-256-GCM so that tampered messages can be rejected. Messages also include a timestamp in the IV which may prevent replay attacks.