signed-crypto 0.1.0

A Rust library for encrypted payloads with built-in integrity verification
Documentation

signed-crypto

A Rust library for encrypted payloads with built-in integrity verification.

Overview

signed-crypto provides a secure way to encrypt and transmit arbitrary data payloads. Each encrypted package includes:

  • Confidentiality via AES-256 CTR encryption
  • Integrity via HMAC-SHA256 signatures
  • Metadata via embedded timestamps and server identifiers
  • Transparency via URL-safe Base64 encoding

Installation

[dependencies]
signed-crypto = "0.1"

Quick Start

use signed_crypto::{Crypto, Keys};

let keys = Keys::new(&enc_key, &integrity_key)?;
let crypto = Crypto::new(keys);

// Encrypt
let mut pkg = crypto.init_plain_data(payload.len(), None)?;
crypto.set_payload(&mut pkg, payload)?;
let encrypted = crypto.encrypt(&pkg)?;
let encoded = crypto.encode(&encrypted);

// Decrypt
let decoded = crypto.decode(&encoded)?;
let decrypted = crypto.decrypt(&decoded)?;

Package Format

┌────────────────────┬─────────────────────┬────────────┐
│ IV (16 bytes)      │ Encrypted Payload   │ HMAC (4B)  │
│ timestamp + srv_id │ AES-256/CTR         │            │
└────────────────────┴─────────────────────┴────────────┘

Overhead: 20 bytes per package.

Features

  • Authenticated Encryption — AES-256 + HMAC-SHA256
  • Wire-Safe — URL-safe Base64 encoding
  • Metadata — Timestamp and server ID in IV
  • Zero-Copy — Efficient payload access

Security Notes

  • Use unique IVs for each encryption (automatic with init_plain_data)
  • Rotate keys periodically
  • 4-byte HMAC is suitable for integrity, not adversarial environments

Acknowledgments

Inspired by Google's DoubleClick crypto implementation: https://github.com/google/openrtb-doubleclick/blob/master/doubleclick-core/src/main/java/com/google/doubleclick/crypto/DoubleClickCrypto.java

License

Copyright 2026, Kehan Pan, All rights reserved.