Threat model
CryptPeer® aims to reduce technical and operational risk in sensitive contexts (critical organisations, NGOs, air‑gapped environments, etc.). The threats it is designed against, and the corresponding countermeasures:
- MITM: end-to-end encryption and peer authentication.
- APT / insider: attack-surface reduction and a "server only transports" doctrine (the server relays ciphertext and has no access to plaintext).
- Server compromise: goal is that the server is never a source of plaintext.
- Replay / tampering: authenticated encryption (the authentication tag rejects any modified ciphertext) and a fresh random IV/nonce per message.
- DDoS: resilience mechanisms that depend on the deployment mode.
- Cloud AI leakage: language assistance is designed to run on your own infrastructure (no external AI or translation calls).
Account security
TOTP-based two-factor authentication can be enabled per account. It works with standard TOTP (RFC 6238) authenticators, including PassCypher HSM PGP and PassCypher NFC HSM.
Cryptography (references)
The detailed primitives and mechanisms are documented in the cryptographic specifications; the list below is a summary.
- AES‑256‑GCM: authenticated encryption (confidentiality and integrity from one primitive).
- PBKDF2‑HMAC‑SHA‑256: local key derivation from user secrets.
- HKDF, SHA‑256, SHA‑3: key expansion and hashing used to harden derived material.
- Quantum resilience by design: the construction relies on symmetric primitives (256-bit keys keep roughly a 128-bit margin against Grover's algorithm) rather than on public-key schemes that Shor's algorithm breaks.
Compliance alignment
- Cyber Resilience Act (CRA)
- EU Declaration of Conformity (CRA)
- GDPR, NIS2, DORA (scope depends on the licensee’s context)
- Dual-use: defensive-use doctrine (explicit references in the glossary).
cryptpeer.com website security
CryptPeer® applies the same security-by-design principles to its presentation website, with the aim of making it a reference even among static sites.
Security level against current standards
cryptpeer.com is assessed against recognized frameworks for evaluating website cybersecurity:
- OWASP Top 10: the categories that apply to a static site (cryptographic failures, injection, security misconfiguration, software and data integrity failures) are addressed; most of the remaining categories concern server-side logic that a static site does not run.
- Security Headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are in place.
- Subresource Integrity (SRI, W3C): external scripts and stylesheets carry an integrity hash, so the browser rejects a CDN asset whose bytes differ from the expected digest.
- HSTS preload: cryptpeer.com meets the preload-list requirements of the major browsers (Chrome, Firefox, Edge, Safari). Eligibility and list status can be checked at hstspreload.org; eligibility is not the same as inclusion.
Overall level: high — aligned with best practices for a static site.
- HTTPS enforced: all traffic is encrypted (TLS), and HSTS forces browsers to use secure connections on later visits.
- Security headers: anti-clickjacking (X-Frame-Options), no MIME sniffing (X-Content-Type-Options), referrer leak protection (Referrer-Policy), and a restrictive Content Security Policy (CSP).
- Minimal attack surface: 100 % static site, no database, no server-side data processing, no PHP, no dynamic forms.
- Zero tracking: no analytics, no marketing trackers. CookieSafe™ handles consent locally and transparently.
- Controlled external resources: integrity checks (SRI) on CDN assets; external links open with rel="noopener".
Site security reflects our commitment: a secure communication product must itself follow best practices.
Transparency
Product transparency is ensured via deliverables and release notes (rather than a detailed public roadmap).