Module encryption


Encryption service adapter

§Encryption Service Implementation

This module is part of the Infrastructure layer, providing concrete implementations of domain interfaces (ports).

It provides the concrete implementation of the encryption service interface for the adaptive pipeline system, implementing several encryption algorithms with secure key management, authenticated encryption, and comprehensive error handling.

§Overview

The encryption service implementation provides:

  • Multi-Algorithm Support: AES-256-GCM, ChaCha20-Poly1305, AES-128-GCM, AES-192-GCM
  • Secure Key Management: Automatic key zeroization and secure memory handling
  • Key Derivation: Argon2, Scrypt, and PBKDF2 key derivation functions
  • Authenticated Encryption: Built-in integrity verification and authentication
  • Parallel Processing: Multi-threaded encryption for improved performance

§Architecture

The implementation follows the infrastructure layer patterns:

  • Service Implementation: MultiAlgoEncryption implements domain interface
  • Algorithm Handlers: Specialized handlers for each encryption algorithm
  • Key Management: Secure key generation, derivation, and storage
  • Memory Security: Automatic zeroization of sensitive data

§Security Features

§Authenticated Encryption

All encryption algorithms provide authenticated encryption with associated data (AEAD):

  • Confidentiality: Data is encrypted and unreadable without the key
  • Integrity: Tampering is detected through authentication tags
  • Authentication: Verifies data origin and prevents forgery

§Key Derivation Functions

Secure key derivation from passwords or key material:

  • Argon2: Memory-hard function resistant to GPU attacks
  • Scrypt: Memory-hard function with tunable parameters
  • PBKDF2: Standard key derivation with configurable iterations

§Memory Security

Sensitive data is protected in memory:

  • Automatic Zeroization: Keys are securely wiped from memory
  • Secure Storage: Minimal exposure of sensitive material
  • Drop Safety: Automatic cleanup on scope exit
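
The zeroize-on-drop pattern described above, as an added std-only example that is not this crate's own code. `SecretKey`, `wipe_bytes` and `expose` are hypothetical names, and the length check uses the key sizes listed under Supported Algorithms.

```rust
use std::sync::atomic::{compiler_fence, Ordering};

/// Hypothetical wrapper (not the crate's type): owns key bytes, wipes them on drop.
pub struct SecretKey {
    bytes: Vec<u8>, // never resized after construction, so no stale reallocated copies
}

/// Overwrite a buffer with zeros using volatile stores the optimizer must keep.
fn wipe_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst); // stop the compiler reordering accesses across the wipe
}

impl SecretKey {
    /// Accepts only the key sizes listed on this page: 16, 24 or 32 bytes.
    pub fn new(mut bytes: Vec<u8>) -> Result<Self, &'static str> {
        if !matches!(bytes.len(), 16 | 24 | 32) {
            wipe_bytes(&mut bytes); // rejected material is wiped as well
            return Err("key must be 16, 24 or 32 bytes");
        }
        Ok(SecretKey { bytes })
    }
    pub fn expose(&self) -> &[u8] { &self.bytes }
    pub fn wipe(&mut self) { wipe_bytes(&mut self.bytes); }
}

impl Drop for SecretKey {
    fn drop(&mut self) { self.wipe(); } // runs on scope exit, early return and unwinding panics
}

impl std::fmt::Debug for SecretKey {
    // Never print key bytes, only the length.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "SecretKey([REDACTED; {}])", self.bytes.len())
    }
}

fn main() {
    let mut key = SecretKey::new(vec![0x42; 32]).expect("valid length"); // constructed sample key
    println!("{:?}", key);
    key.wipe();
    assert!(key.expose().iter().all(|&b| b == 0));
}
```

Copies a caller makes from `expose()` are outside the wrapper's control and are not wiped by it.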

§Supported Algorithms

§AES-256-GCM

  • Key Size: 256 bits (32 bytes)
  • Nonce Size: 96 bits (12 bytes)
  • Performance: Excellent on modern CPUs with AES-NI
  • Security: Industry standard, FIPS approved

§ChaCha20-Poly1305

  • Key Size: 256 bits (32 bytes)
  • Nonce Size: 96 bits (12 bytes)
  • Performance: Consistent across all platforms
  • Security: Modern stream cipher, constant-time implementation

§AES-128-GCM / AES-192-GCM

  • Key Size: 128/192 bits (16/24 bytes)
  • Nonce Size: 96 bits (12 bytes)
  • Performance: Faster than AES-256, still highly secure
  • Security: Suitable for most applications

§Performance Optimizations

§Parallel Processing

The implementation uses Rayon for parallel processing:

  • Chunk Parallelization: Multiple chunks processed simultaneously
  • Key Derivation: Parallel key derivation where supported
  • Thread Pool Management: Efficient thread utilization

§Hardware Acceleration

  • AES-NI: Hardware acceleration for AES algorithms
  • Vectorization: SIMD instructions for improved performance
  • Constant-Time: Algorithms resistant to timing attacks

§Error Handling

Comprehensive error handling for:

  • Encryption Failures: Algorithm-specific error conditions
  • Key Derivation Errors: Invalid parameters or insufficient entropy
  • Authentication Failures: Tampering detection during decryption
  • Memory Errors: Secure memory allocation failures

§Integration

The service integrates with:

  • Domain Layer: Implements EncryptionService trait
  • Security Context: Access control and security policies
  • Pipeline Processing: Chunk-based processing workflow
  • Metrics Collection: Performance monitoring and statistics

Structs§

MultiAlgoEncryption
Concrete implementation of the encryption service