Jarvas Cryptography Suite: Complete Guide to Features and Use Cases

from jarvas_crypto import kex, symmetric, kdf ephemeral = kex.generate_x25519_keypair() shared = kex.derive_shared(ephemeral.private, recipient_public) dek = kdf.hkdf(shared, length=32, info=b'jarvas-hybrid') ciphertext, tag, nonce = symmetric.encrypt_aes_gcm(dek, plaintext) # send ephemeral.public.to_bytes() + nonce + tag + ciphertext 

Signing and Verification

Ed25519 signing (fast, safe for signatures) — Python:

from jarvas_crypto import signing signature = signing.sign_ed25519(ed_keypair.private, b"message") ok = signing.verify_ed25519(ed_keypair.public, b"message", signature) 

Node.js:

const { signing } = require('@jarvas/crypto'); const sig = signing.signEd25519(privateKey, Buffer.from('message')); const ok = signing.verifyEd25519(publicKey, Buffer.from('message'), sig); 

Example: Secure API Payloads (End-to-End)

A typical pattern for securing API payloads:

1. Client generates ephemeral key pair (X25519).
2. Client derives symmetric key (HKDF) using recipient public key.
3. Client encrypts JSON payload with AES-GCM; computes signature if non-repudiation is required.
4. Client sends ephemeral public key, ciphertext, nonce, tag, and optional signature.
5. Server derives same symmetric key, decrypts, and verifies signature.

This pattern removes the need to transmit long-term private keys and provides forward secrecy if ephemeral keys are short-lived.

Key Rotation, Revocation, and Backups

• Plan key rotation windows (e.g., rotate symmetric DEKs quarterly, rotate asymmetric keys yearly).
• Maintain a key registry with version identifiers in encrypted metadata so older ciphertexts can still be decrypted if necessary.
• Re-encrypt archived data under new DEKs during rotation when feasible.
• Maintain secure, offline backups of master keys or escrow keys in an HSM or secure vault.

Performance and Safety Tips

• Use AEAD modes (AES-GCM, ChaCha20-Poly1305) for combined confidentiality and integrity.
• Prefer Ed25519 and X25519 over older curves/RSA for smaller keys and simpler implementations.
• Use Argon2 or high-iteration PBKDF2 for password-derived keys; choose parameters based on your threat model and target hardware.
• Avoid hand-rolling cryptographic primitives. Use Jarvas’s high-level APIs for common patterns.
• Test for side-channel and timing leaks in any custom code paths that handle keys or secrets.

Troubleshooting Common Issues

• Bad decryptions: confirm nonce/IV, tag, associated data, and correct key are used.
• Interoperability issues: ensure same serialization (PEM vs JWK), byte-ordering, and curve parameters.
• Permission errors when accessing hardware keystores: check OS-level permissions and service availability.

Further Reading and Next Steps

• Review Jarvas API docs for language-specific options and configuration.
• Audit your threat model and map Jarvas features to your security goals (confidentiality, integrity, availability).
• Integrate with HSMs or cloud KMS for production key storage.
• Add automated tests for encryption/decryption, signature verification, and key rotation scenarios.

If you want, I can: generate ready-to-run sample projects for Python or Node.js, produce a diagram of the hybrid encryption flow, or write an example test suite for key rotation. Which would you like?