A high-performance, security-hardened library for serializing, encrypting, and transmitting JSON data. It combines Google Protobuf for compact serialization, Argon2id for password-based key derivation, and AES-256-GCM for authenticated encryption.
The library follows a strict cryptographic pipeline to ensure data integrity and confidentiality:
- Serialization: JSON is converted to a binary Protobuf structure to reduce size and enforce schema consistency.
- Key Derivation: Uses Argon2id (the winner of the Password Hashing Competition) with a 64MB memory cost to derive a 256-bit key, making brute-force attacks extremely expensive.
- Encryption: Uses AES-256-GCM (Galois/Counter Mode). This provides Authenticated Encryption, ensuring that if even a single bit of the payload is tampered with, decryption will fail.
- Binding: The salt is bound to the ciphertext as AAD (Additional Authenticated Data), preventing salt-substitution attacks.
- Compact Binary Format: Leverages Protobuf for smaller over-the-wire payloads compared to raw JSON.
- Time-Limited Access: Built-in expiration validation. Decryption fails automatically if the payload has expired.
- Hardened KDF: Protects against GPU/ASIC cracking attempts using Argon2id.
- Tamper Proof: Authenticated encryption ensures data has not been modified in transit.
- TypeScript Ready: Full type safety and IDE autocompletion.
npm install @archonite/archonite-signed-payloadNote: This package requires argon2 as a peer dependency. Ensure your environment supports building native C++ modules.
Use this on the client or the service generating the secure message.
import { createArchonitePayload } from '@archonite/archonite-signed-payload';
// 1 hour from now
const expiration = new Date(Date.now() + 1000 * 60 * 60);
const passphrase = "a-very-strong-secret-phrase";
const data = {
userId: "user_01HRA",
action: "SYSTEM_ACCESS",
permissions: ["read", "write"]
};
const encryptedPayload = await createArchonitePayload(
passphrase,
expiration,
data
);
console.log(encryptedPayload);Use this on the receiving server to validate and read the data.
import { decodeArchonitePayload } from '@archonite/archonite-signed-payload';
try {
const decryptedData = await decodeArchonitePayload(
passphrase,
encryptedPayload
);
// "user_01HRA"
console.log(decryptedData.userId);
} catch (error) {
// Fails if: wrong passphrase, tampered data, or payload expired
console.error("Access Denied:", error.message);
}A utility function to POST the payload with the correct headers.
import { sendArchonitePayload } from '@archonite/archonite-signed-payload';
const result = await sendArchonitePayload(
'https://api.example.com/secure-endpoint',
encryptedPayload
);The generated string is a Base64 encoding of the following binary sequence:
| Offset (Bytes) | Length | Component | Description |
|---|---|---|---|
0 |
7 |
Prefix | Magic bytes: ARCHON- |
7 |
16 |
Salt | Random salt for Argon2id |
23 |
32 |
IV | Initialization Vector for AES |
55 |
16 |
Tag | GCM Authentication Tag |
71 |
Variable |
Ciphertext | AES-256-GCM Encrypted Protobuf |
The library uses the following security parameters:
- KDF: Argon2id
- Memory Cost: 64 MB ( KB)
- Time Cost: 3 iterations
- Parallelism: 1
- Cipher: AES-256-GCM
- IV Length: 32 bytes (High entropy)
MIT © Archonite Organization