Security module for HIVE-BTLE
Provides two layers of encryption:
§Phase 1: Mesh-Wide Encryption
All formation members share a secret and can encrypt/decrypt documents. Protects against external eavesdroppers.
use hive_btle::security::MeshEncryptionKey;
let secret = [0x42u8; 32];
let key = MeshEncryptionKey::from_shared_secret("DEMO", &secret);
let encrypted = key.encrypt(b"document").unwrap();
§Phase 2: Per-Peer E2EE
Two specific peers establish a unique session via X25519 key exchange. Only sender and recipient can decrypt - other mesh members cannot.
use hive_btle::security::PeerSessionManager;
use hive_btle::NodeId;
let mut alice = PeerSessionManager::new(NodeId::new(0x11111111));
let mut bob = PeerSessionManager::new(NodeId::new(0x22222222));
// Current time in milliseconds (placeholder value for this example)
let now_ms = 1_000;
// Key exchange
let alice_msg = alice.initiate_session(NodeId::new(0x22222222), now_ms);
let (bob_response, _) = bob.handle_key_exchange(&alice_msg, now_ms).unwrap();
alice.handle_key_exchange(&bob_response, now_ms).unwrap();
// Now Alice and Bob can communicate securely
let encrypted = alice.encrypt_for_peer(NodeId::new(0x22222222), b"secret", now_ms).unwrap();
let decrypted = bob.decrypt_from_peer(&encrypted, now_ms).unwrap();
§Encryption Layers
┌─────────────────────────────────────────────────────────────────┐
│  Phase 1: Mesh-Wide (Formation Key)                             │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  All formation members can decrypt                      │    │
│  │  Protects: External eavesdroppers                       │    │
│  │  Overhead: 30 bytes                                     │    │
│  └─────────────────────────────────────────────────────────┘    │
│                                                                 │
│  Phase 2: Per-Peer E2EE (Session Key)                           │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │  Only sender + recipient can decrypt                    │    │
│  │  Protects: Other mesh members, compromised relays       │    │
│  │  Overhead: 44 bytes                                     │    │
│  └─────────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────────┘
Structs§
- DecodedPayload - Decoded signed payload
- DeviceIdentity - A device’s cryptographic identity
- EncryptedDocument - An encrypted HIVE document
- EphemeralKey - An ephemeral X25519 keypair for forward secrecy
- IdentityAttestation - An identity attestation proving ownership of a node_id
- IdentityRecord - Record of a known identity
- IdentityRegistry - TOFU Identity Registry
- KeyExchangeMessage - Key exchange message sent to initiate or respond to E2EE session
- MembershipToken - A membership token binding a device to a callsign within a mesh
- MemoryStorage - In-memory storage for testing.
- MeshCredentials - Shareable mesh credentials (without creator’s private key)
- MeshEncryptionKey - Mesh-wide encryption key for HIVE documents
- MeshGenesis - Genesis event for creating a new mesh
- PeerEncryptedMessage - An encrypted peer-to-peer message
- PeerIdentityKey - A long-term X25519 keypair for peer identity
- PeerSession - A per-peer E2EE session
- PeerSessionKey - Session key for per-peer E2EE encryption
- PeerSessionManager - Manager for all per-peer E2EE sessions
- PersistedState - Complete persisted state for a HIVE node.
- SharedSecret - Raw shared secret from X25519 key exchange
- SignedPayload - Signed payload encoding and verification utilities
Enums§
- EncryptionError - Errors that can occur during encryption/decryption
- IdentityError - Errors that can occur during identity operations
- MembershipPolicy - Membership policy controlling how nodes can join the mesh
- PersistenceError - Errors that can occur during persistence operations.
- RegistryResult - Result of identity verification
- SessionState - Session state in the E2EE handshake
Constants§
- DEFAULT_MAX_SESSIONS - Maximum number of concurrent peer sessions
- DEFAULT_SESSION_TIMEOUT_MS - Default session timeout (30 minutes)
- MAX_CALLSIGN_LEN - Maximum callsign length (null-padded in wire format)
- MESH_ID_SIZE - Size of mesh_id in bytes (matches MeshGenesis 8-char hex = 4 bytes)
- MIN_WIRE_SIZE - Minimum wire size: marker (1) + signature (64)
- PERSISTED_STATE_VERSION - Current version of the persisted state format.
- SIGNATURE_SIZE - Signature size in bytes (Ed25519)
- TOKEN_WIRE_SIZE - Total wire size of a MembershipToken
Traits§
- SecureStorage - Platform-agnostic secure storage abstraction.
Functions§
- node_id_from_public_key - Derive NodeId from a public key
- verify_signature - Verify a signature from a known public key