Please report security vulnerabilities privately before disclosing them publicly. Do not file public GitHub issues for security problems.
- Email: ceo@snaart.com
- Embargo SLA: 90 days from initial report to public disclosure.
- For ongoing reports, expect an acknowledgement within 5 business days and a triage outcome within 14 business days.
Phantom Core uses GitHub Security Advisories for public CVE coordination.
| Version | Status |
|---|---|
main |
Active development; security fixes land here first. |
0.2.x |
Latest pre-1.0 release; security fixes backported. |
| Earlier | Unsupported. |
Phantom Core is a post-quantum-secure L4/L6 transport. The full threat model
will live in docs/security/threat-model.md (in preparation). At a glance:
- In scope: authenticated key agreement, confidentiality and integrity of application data after handshake, downgrade resistance, DoS-resistance during handshake (cookie + optional PoW), anti-DPI obfuscation (FakeTLS).
- Out of scope: non-repudiation, traffic analysis (timing/size correlation), endpoint compromise, compromise of long-lived server signing keys, supply-chain attacks against the build toolchain.
| Operation | Primitive | FIPS-approved? |
|---|---|---|
| Classical KEM | X25519 | No (no FIPS-approved KEM that uses X25519) |
| Post-quantum KEM | Kyber768 (pqcrypto-kyber) |
No — ML-KEM-768 (FIPS 203) is the approved variant; migration planned |
| Classical signature | Ed25519 (ed25519-dalek) |
Yes (FIPS 186-5) |
| Post-quantum signature | Dilithium3 (pqcrypto-dilithium) |
No — ML-DSA-65 (FIPS 204) is the approved variant; migration planned |
| Symmetric AEAD | AES-256-GCM (ring) |
Yes (when built against a FIPS-validated cryptographic module) |
| Symmetric AEAD (fallback) | ChaCha20-Poly1305 (ring) |
No |
| Hash / KDF | HKDF-SHA-256, blake3 KDF | SHA-256 yes; blake3 no |
A FIPS-compliant build profile (--features fips) is on the roadmap.
The implementation enforces (and integration tests verify) the following invariants:
- Server identity pinning.
PhantomSession::connect_with_transportrequires the client to supply the expectedHybridVerifyingKey. Mismatch aborts the handshake; never weakened toOption<...>without a corresponding caller-side enforcement. - No raw user data after handshake. Every application-data packet has
PacketFlags::ENCRYPTEDset and goes throughSession::encrypt_packet. Non-empty unencrypted packets received post-handshake are dropped (stripped-flag downgrade defense). - FakeTLS uses per-record counter nonces. The outer obfuscation layer derives
send_key/recv_key/nonce_prefixfrom a public seed (SNI + version) viablake3::derive_keywith direction-specific labels, and increments a per-directionu64counter on each record (preventing the Forbidden Attack on AES-GCM).
Future edits must preserve these. See docs/security/threat-model.md
for the full STRIDE / LINDDUN analysis and per-mitigation file:line traceability.
T+0 Vulnerability reported privately
T+5 Acknowledgement
T+14 Triage outcome (accepted / rejected / clarification needed)
T+30 Fix candidate available (depending on severity)
T+45 Coordinated release across affected branches
T+90 Public disclosure with CVE
Phantom Core honors longer embargoes for downstream coordination on request.