Cybersecurity & Safety — CryptPeer® threat model, crypto, compliance

Cyber positioning (30 seconds)

Confidentiality: end-to-end encryption and minimization of exposed information.
Integrity: authenticated encryption (e.g., AES‑GCM) and local verification.
Availability: resilient architectures (P2P, autonomous bubbles, continuity) and reduced external dependencies.
Non-traceability: design choices that reduce exploitable metadata and tracking.

Threat model

CryptPeer^® aims to reduce technical and operational risks for sensitive contexts (critical orgs, NGOs, air‑gap, etc.).

MITM — E2E protections and authentication.
APT / insider — attack-surface reduction and a “server transports” doctrine.
Server compromise — goal: server is never a plaintext source.
Replay / tampering — authentication tags and random IV/nonce.
DDoS — resilience mechanisms depending on deployment modes.
Cloud AI leakage — language assistance is designed to run on your own infrastructure (no external AI/translation calls).

Account security

TOTP 2FA: can be enabled per account. Compatible with TOTP tools, including PassCypher HSM PGP and PassCypher NFC HSM.

Cryptography (references)

For accuracy, detailed primitives and mechanisms are documented in the specifications.

AES‑256‑GCM (authenticated encryption)
PBKDF2‑HMAC‑SHA‑256 (local derivation)
HKDF, SHA‑256, SHA‑3 (hardening)
Quantum resilience by design: symmetric-primitive-based approach.

Cryptographic specifications →

Compliance alignment

Cyber Resilience Act (CRA)
EU Declaration of Conformity (CRA)
GDPR, NIS2, DORA (scope depends on the licensee’s context)
Dual-use: defensive-use doctrine (explicit references in the glossary).

cryptpeer.com website security

CryptPeer^® applies the same security-by-design principles to its presentation website. Goal: make it a reference in the field, even for a static site.

HTTPS enforced — all traffic is encrypted (TLS). HSTS enabled to force secure connections.
Security headers — anti-clickjacking, MIME sniffing, referrer leak protection. Restrictive Content Security Policy (CSP).
Minimal attack surface — 100 % static site, no database, no server-side data processing.
Zero tracking — no analytics, no marketing trackers. CookieSafe™ for local, transparent consent.
Controlled external resources — integrity checks (SRI) on CDN assets. External links secured (noopener).

Site security reflects our commitment: a secure communication product must itself follow best practices.

Transparency

Product transparency is ensured via deliverables and release notes (rather than a detailed public roadmap).

Release notes →