Enhance README and refactor encryption handling. Update documentation to reflect automatic transport-level encryption via libp2p's Noise protocol, removing manual encryption options from the CLI. Refactor code to eliminate deprecated encryption parameters and streamline file transfer processes. Ensure all communications are securely encrypted by default.

Author: taisirhassan

README.md

@@ -1,16 +1,26 @@
 # CipherStream
 
-CipherStream is a secure P2P file transfer application built with Rust and libp2p. It allows users to send files directly to other peers on the network with optional end-to-end encryption.
+CipherStream is a secure P2P file transfer application built with Rust and libp2p. It allows users to send files directly to other peers on the network with **automatic transport-level encryption** via libp2p's Noise protocol.
 
 ## Features
 
 - **Peer-to-Peer Architecture**: Direct file transfers between peers without any central server
-- **End-to-End Encryption**: Optional AES-256-GCM encryption for secure file transfers
+- **Automatic Transport Security**: Built-in encryption using libp2p's Noise protocol for all communications
 - **Auto Discovery**: Local network peer discovery using mDNS
-- **Reliable Transfers**: Chunked file transfer with checksums
+- **Reliable Transfers**: Chunked file transfer with progress tracking
 - **Cross-Platform**: Works on macOS, Linux, and Windows
 - **Command-Line Interface**: Easy-to-use commands for sending and receiving files
 
+## Security
+
+CipherStream leverages **libp2p's Noise protocol** for automatic transport-level encryption. This means:
+
+- All communications between peers are automatically encrypted
+- No need to manually enable encryption - it's always on
+- Uses industry-standard cryptographic protocols
+- Peer authentication and secure key exchange are handled automatically
+- Transport security is transparent to the user
+
 ## Installation
 
 ### Prerequisites
@@ -51,13 +61,14 @@ Options:
 To send a file to another peer:
 
 ```bash
-cipherstream send --peer <PEER_ID> --file <FILE_PATH> [--encrypt]
+cipherstream send --peer <PEER_ID> --file <FILE_PATH>
 ```
 
 Options:
 - `--peer <PEER_ID>`: The peer ID of the receiving node
 - `--file <FILE_PATH>`: Path to the file to send
-- `--encrypt`: Enable end-to-end encryption
+
+**Note**: All file transfers are automatically encrypted via libp2p's transport security.
 
 ### Examples
 
@@ -71,19 +82,14 @@ Options:
    cipherstream send --peer 12D3KooWB8rRTvkEnEpSvfGYEUkgpNtnEfwYzpnqCMgTRo7LghDz --file ~/Documents/report.pdf
    ```
 
-3. Send an encrypted file:
-   ```bash
-   cipherstream send --peer 12D3KooWB8rRTvkEnEpSvfGYEUkgpNtnEfwYzpnqCMgTRo7LghDz --file ~/Documents/confidential.pdf --encrypt
-   ```
-
 ## Architecture
 
 CipherStream is built on top of the libp2p networking stack and uses several components:
 
-- **Network**: Handles connections, peer discovery and communication using libp2p
-- **Crypto**: Provides encryption, decryption, and file hashing functionality
+- **Network**: Handles connections, peer discovery and communication using libp2p with Noise protocol for security
 - **Protocol**: Defines the messages exchanged during file transfers
-- **File Transfer**: Manages the actual file transfer operations
+- **File Transfer**: Manages the actual file transfer operations with chunking and progress tracking
+- **Discovery**: Uses mDNS for local peer discovery and Kademlia DHT for broader network discovery
 
 The application uses asynchronous Rust with Tokio runtime for handling concurrent operations.
 

logs/cipherstream_node.2025-05-22

@@ -1,5 +1,5 @@
 use ring::{
-    aead::{self, Aad, BoundKey, Nonce, NonceSequence, SealingKey, UnboundKey, AES_256_GCM},
+    aead::{self, UnboundKey, AES_256_GCM},
     rand::{SecureRandom, SystemRandom},
     signature::{self, Ed25519KeyPair, KeyPair},
     digest,
@@ -69,22 +69,20 @@ pub fn generate_key() -> Result<Vec<u8>, CryptoError> {
 
 /// Encrypt data with AES-256-GCM
 pub fn encrypt(data: &[u8], key: &[u8]) -> Result<Vec<u8>, CryptoError> {
-    // Create nonce and prepend it to the output
+    // Generate a random nonce
     let mut nonce_bytes = [0u8; 12];
     let rng = SystemRandom::new();
     rng.fill(&mut nonce_bytes).map_err(|_| CryptoError::Encryption)?;
-
-    // Setup the encryption
+    
     let unbound_key = UnboundKey::new(&AES_256_GCM, key).map_err(|_| CryptoError::InvalidKey)?;
-    let nonce_sequence = FixedNonce::new(nonce_bytes);
-    let mut sealing_key = SealingKey::new(unbound_key, nonce_sequence);
-
-    // Encrypt the data
-    let aad = Aad::empty();
+    let aead_key = aead::LessSafeKey::new(unbound_key);
+    let nonce = aead::Nonce::assume_unique_for_key(nonce_bytes);
+    
     let mut in_out = data.to_vec();
-    sealing_key.seal_in_place_append_tag(aad, &mut in_out).map_err(|_| CryptoError::Encryption)?;
-
-    // Prepend the nonce
+    aead_key.seal_in_place_append_tag(nonce, aead::Aad::empty(), &mut in_out)
+        .map_err(|_| CryptoError::Encryption)?;
+    
+    // Prepend nonce to encrypted data
     let mut result = nonce_bytes.to_vec();
     result.extend_from_slice(&in_out);
 
@@ -149,23 +147,6 @@ pub fn verify_signature(message: &[u8], signature: &[u8], public_key: &[u8]) ->
     }
 }
 
-// A fixed nonce for AES-GCM
-struct FixedNonce {
-    nonce_bytes: [u8; 12],
-}
-
-impl FixedNonce {
-    fn new(nonce_bytes: [u8; 12]) -> Self {
-        Self { nonce_bytes }
-    }
-}
-
-impl NonceSequence for FixedNonce {
-    fn advance(&mut self) -> Result<Nonce, ring::error::Unspecified> {
-        Ok(Nonce::assume_unique_for_key(self.nonce_bytes))
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;

src/crypto/mod.rs

@@ -32,7 +32,6 @@ pub enum SwarmCommand {
     SendFile {
         peer_id: PeerId,
         file_path: String,
-        encrypt: bool,
     },
 }
 
@@ -162,12 +161,11 @@ pub fn dial_peer(peer_id: PeerId) -> Result<(), Box<dyn std::error::Error>> {
 }
 
 /// Send a file to a peer
-pub fn send_file(peer_id: PeerId, file_path: String, encrypt: bool) -> Result<(), Box<dyn std::error::Error>> {
+pub fn send_file(peer_id: PeerId, file_path: String) -> Result<(), Box<dyn std::error::Error>> {
     if let Some(tx) = get_swarm_channel() {
         let _ = tx.try_send(SwarmCommand::SendFile {
             peer_id,
             file_path,
-            encrypt,
         });
         Ok(())
     } else {

src/discovery/mod.rs

@@ -39,7 +39,6 @@ pub enum ProtocolRequest {
     HandshakeRequest {
         filename: String,
         filesize: u64,
-        encrypted: bool,
         transfer_id: String,
     },
     /// File data chunk request

src/file_transfer/types.rs

@@ -44,10 +44,6 @@ enum Commands {
         /// Peer ID to send to
         #[arg(short, long)]
         peer: String,
-        
-        /// Encrypt the file before sending
-        #[arg(short, long)]
-        encrypt: bool,
     },
     /// Connect to a specific peer
     Connect {
@@ -103,9 +99,9 @@ async fn main() -> Result<(), Box<dyn Error>> {
             info!("Starting node on port {}...", port);
             if let Err(e) = network::start_node(port, Some(data_dir)).await {
                 error!("Node failed to start: {}", e);
-            }
         }
-        Commands::Send { file, peer, encrypt } => {
+    }
+        Commands::Send { file, peer } => {
             if !file.exists() {
                 error!("File does not exist: {:?}", file);
                 return Err("File not found".into());
@@ -119,24 +115,23 @@ async fn main() -> Result<(), Box<dyn Error>> {
                     return Err("Invalid peer ID format".into());
                 }
             };
-            
+    
             // We need to start a temporary node to send the file
             println!("Starting temporary node to send file...");
 
             // First generate a peer ID for our temporary node
             let (local_peer_id, _local_key) = network::generate_peer_id();
             println!("Temporary node ID: {}", local_peer_id);
-            
+    
             // Start a swarm with a single purpose - to send this file
             let file_path = file.to_string_lossy().to_string();
 
             println!("Initiating file transfer for {} to {}", file_path, peer_id);
-            println!("Encryption: {}", if encrypt { "enabled" } else { "disabled" });
 
             // Create a temp node and send the file
             // Use a temporary data directory for the sending node
             let temp_data_dir = format!(".cipherstream_temp_{}", std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).unwrap().as_secs());
-            network::start_temp_node_and_send_file(peer_id, file_path, encrypt, Some(temp_data_dir)).await?;
+            network::start_temp_node_and_send_file(peer_id, file_path, false, Some(temp_data_dir)).await?;
 
             println!("File transfer command completed. Check logs for status.");
         }
@@ -160,7 +155,7 @@ async fn main() -> Result<(), Box<dyn Error>> {
 
             if peers.is_empty() {
                 println!("No peers discovered yet. Start by running the Start command.");
-            } else {
+                        } else {
                 println!("Discovered peers:");
                 for (peer_id, addrs) in peers {
                     println!("Peer: {} at:", peer_id);

src/main.rs

@@ -317,9 +317,9 @@ async fn handle_req_resp_event(
             match message {
                 request_handler::Message::Request { request, channel, .. } => {
                     match request {
-                        ProtocolRequest::HandshakeRequest { filename, filesize, encrypted, transfer_id } => {
-                            info!("🤝 Received HandshakeRequest for '{}' ({} bytes, encrypted: {}, id: {})", 
-                                   filename, filesize, encrypted, transfer_id);
+                        ProtocolRequest::HandshakeRequest { filename, filesize, transfer_id } => {
+                            info!("🤝 Received HandshakeRequest for '{}' ({} bytes, id: {})", 
+                                   filename, filesize, transfer_id);
 
                             // Create download directory if it doesn't exist
                             std::fs::create_dir_all(&download_dir)?;
@@ -398,7 +398,6 @@ async fn send_handshake_request(
     peer_id: &PeerId,
     filename: &str,
     file_path: &str,
-    encrypt: bool,
 ) -> Result<OutboundRequestId, AnyhowError> {
     info!("🤝 Initiating handshake for '{}' with {}", filename, peer_id);
 
@@ -413,7 +412,6 @@ async fn send_handshake_request(
     let request = ProtocolRequest::HandshakeRequest {
         filename: filename.to_string(),
         filesize,
-        encrypted: encrypt,
         transfer_id,
     };
 
@@ -502,10 +500,11 @@ async fn cancel_transfer(
 }
 
 // Update the start_temp_node_and_send_file function to use these new functions
+// Note: libp2p Noise protocol provides transport-level encryption automatically
 pub async fn start_temp_node_and_send_file(
     target_peer_id: PeerId,
     file_path_str: String,
-    encrypt: bool,
+    _encrypt: bool, // Deprecated: libp2p Noise provides encryption
     data_dir: Option<String>,
 ) -> Result<(), AnyhowError> {
     let _start_time = Instant::now();
@@ -584,7 +583,7 @@ pub async fn start_temp_node_and_send_file(
 
                             if !handshake_sent {
                                 info!("🤝 Sending handshake request for file: {}", filename);
-                                match send_handshake_request(&mut swarm, &target_peer_id, &filename, &file_path_str, encrypt).await {
+                                match send_handshake_request(&mut swarm, &target_peer_id, &filename, &file_path_str).await {
                                     Ok(request_id) => {
                                         handshake_sent = true;
                                         handshake_request_id = Some(request_id);