Payload Encryption Protocol
PEP is a simple payload encryption protocol, providing authentication, confidentiality and integrity of messages sent over HYKER services.
PEP is a payload encryption protocol, providing authentication, confidentiality and integrity of messages sent over Hyker services.
PEP uses ECDH(E)-RSA key agreement to establish a session key. Once a session key has been established, the Cryptobox uses this key in an AES-256-GCM cipher to encrypt the payload.
This is not something a PEP user will have to deal with. The PEP library will intercept outgoing and incoming messages, inject handshake messages and perform cryptography.
A key agreement between two clients is performed using ECDH(E)-RSA. This provides Perfect Forward Secrecy (PFS) while keeping authentication since the ephemeral keys are signed with the owners private RSA key. The RSA key can be trusted since PEP uses the Hyker Key Distribution System.
There is also an option to encrypt directly using the long term keys for increased efficency, this will however not provide PFS.
Depeding on the use case, some of the artifacts might be cached to provide better efficiency. After a session has been negotiated it can, if configured, be cached for a specified amount of time before re-keying.