The Crypto Transit Engine is a zero-dependency, production-ready architectural simulation demonstrating transport-layer confidentiality, forward-secure session negotiation, and Public Key Infrastructure (PKI) provenance.
This engine models how to establish secure cryptographic communication channels across untrusted network perimeters, strictly mitigating Man-in-the-Middle (MITM) exploits, protocol downgrades, and identity impersonation risks in alignment with modern TLS 1.3 design patterns.
The system orchestrates the lifecycle of secure transport data across three isolated cryptographic layers.
sequenceDiagram
autonumber
actor Client as Client Browser / Node App
actor Server as Secure Server Endpoint
actor CA as Certificate Authority (Trust Anchor)
Note over Server, CA: 1. Identity Attestation Phase
Server->>CA: Submit CSR (Identity Parameters)
CA-->>Server: Sign & Issue X.509-like Certificate (Ed25519 Signature + Unique Serial)
Note over Client, Server: 2. Ephemeral Handshake Phase
Client->>Server: Initialize Session Request
Server-->>Client: Present Identity Certificate + Ephemeral ECDH Public Key
Client->>Client: Fetch & Parse CRL Snapshot (Check Serial Exclusions)
Client->>Client: Verify Ed25519 Trust Signature against CA Root Key
Client->>Server: Send Client Ephemeral ECDH Public Key
Note over Client, Server: 3. Key Derivation & Cryptographic Isolation
Client->>Client: Compute ECDH Master Secret
Server->>Server: Compute ECDH Master Secret
Client->>Client: Pass Master Secret through HKDF-SHA256 -> Derive AES-256-GCM Session Key
Server->>Server: Pass Master Secret through HKDF-SHA256 -> Derive AES-256-GCM Session Key
Note over Client, Server: 4. Secure AEAD Data Transmission
Client->>Server: Transmit TransportFrame { Ciphertext, 12-byte IV, 16-byte Auth Tag }
Note over Client, Server: [Adversary Mutates Bit on Wire (MitM Attack)]
Server->>Server: Execute GCM Integrity Verification
Note over Server: CRITICAL FAILURE: Auth Tag Invalid -> Session Dropped Instantly
-
Ephemeral Key Exchange & PFS (ECDHE)
Protects historical communication channels against future infrastructure compromise. By utilizing Elliptic Curve Diffie-Hellman Ephemeral (prime256v1) exchanges, symmetric keys are generated dynamically per TCP connection state and are immediately zeroized upon session termination. Even if a long-term CA private signing key is compromised later, past traffic remains undecryptable.
-
Strict Cipher Suite Negotiation
Eliminates protocol downgrade attacks. The engine strictly enforces a curated subset of modern cryptographic primitives, explicitly rejecting broken legacies like RSA key exchange, static Diffie-Hellman, and insecure hashing mechanisms (SHA-1/MD5).
-
Trust Chain Verification & Revocation (X.509 PKI)
Enforces cryptographic provenance. Communication is dropped unless the remote endpoint presents an authentic certificate signed by a trusted root Certificate Authority. Endpoints also evaluate a cryptographically signed Certificate Revocation List (CRL) by tracking serial numbers to catch compromised nodes in real time.
When executing the master pipeline (npm start), the console clears and renders a standardized JSON event stream. The example below illustrates what the engine outputs and how it actively defeats threats.
Plaintext
=================================================
Crypto Transit Engine: Hardened Ecosystem
=================================================
[1] SYSTEM STARTUP -> Key Pairs Hydrated & X.509 Certificate Issued
└─ Serial: SN-2026-0089 | Alg: Ed25519
[SIEM AUDIT] {
"timestamp": "2026-05-29T09:09:20.395Z",
"event": "SESSION_ESTABLISHED",
"status": "SUCCESS",
"details": {
"cipher": "aes-256-gcm",
"keyExchange": "ecdhe-p256",
"serialVerified": "SN-2026-0089"
}
}
▲ ANALYSIS: Client successfully cross-computed matching master secrets, extracted the key via HKDF, and verified the server identity certificate chain.
[Simulation] Adversary intercepting communication line...
[Server] Processing incoming frame...
[SIEM AUDIT] {
"timestamp": "2026-05-29T09:09:20.399Z",
"event": "TRANSMISSION_INTEGRITY_VIOLATION",
"status": "ALERT",
"details": {
"reason": "Unsupported state or unable to authenticate data",
"action": "SESSION_TERMINATED_IMMEDIATELY"
}
}
▲ ANALYSIS: An active MitM adversary introduced a 1-bit modification to the ciphertext. The AES-GCM engine caught the tag mismatch and dropped the payload before decryption.
[Simulation] Revoking Server Certificate authority access due to key exposure suspicion...
[Client] Re-establishing transport loop context with server endpoint...
[PKI ERROR] Certificate Serial SN-2026-0089 is REVOKED.
[SIEM AUDIT] {
"timestamp": "2026-05-29T09:09:20.401Z",
"event": "CERTIFICATE_VALIDATION_REJECTED",
"status": "FAILURE",
"details": {
"serial": "SN-2026-0089",
"status": "REVOKED_ON_CRL"
}
}
▲ ANALYSIS: Administrative CRL synchronization complete. The client identified the server's blacklisted serial number and killed the session request during handshaking.
- Regulatory Compliance: Engineered in strict alignment with NSM (Nasjonal sikkerhetsmyndighet) cryptographic recommendations for data in transit, explicitly mandating authenticated encryption with associated data (AEAD) and forward-secure negotiation curves.
- Vulnerability Mitigation: Features explicit correction for array buffer reference zero-key vulnerabilities during KDF extraction phases, guaranteeing high-entropy operational key spaces.
- Crypto-Agility: Transport layers are structurally decoupled from specific curves and hash functions, allowing seamless hot-swapping to post-quantum cryptography (PQC) transport standards.
- Node.js v20.x or higher
- TypeScript v5.x or higher
Clone the repository and install the dependencies:
npm installTo invoke the TypeScript compiler and run the real-time security dashboard simulation, execute:
npm start