Experimental Secure Application Protocol.
A purpose-built, binary-encoded, application-layer protocol and complete developer platform designed for secure, low-latency, multiplexed communication over TCP. Built in safe Rust.
Wire Overhead
48B header
Max Payload
16 MB
Key Exchange
X25519
AEAD
AES-256-GCM
HTTPS → Gateway → KSP Architecture
Because native browsers cannot open raw TCP/9876 sockets with custom framing, KSP employs an edge Gateway Reverse Proxy that terminates standard HTTPS/WebSockets and translates them into high-speed, multiplexed KSP v1.0 binary frames.
Web Browser / Mobile Client
Speaks standard HTTPS/WebSockets (TLS 1.3 over TCP 443). Connects seamlessly without requiring custom operating system kernel drivers or modified browser builds.
KSP Edge Gateway Proxy
Written in Rust (`tokio` + `hyper`). Terminates TLS 1.3 from public clients, authenticates bearer/API tokens, and translates HTTP payloads directly into KSP v1.0 binary frames.
KSP Rust Core Daemon
Receives pure KSP binary frames over TCP (`9876/tcp`). Handles up to 256 multiplexed bidirectional streams per connection with sliding-window replay bitmaps and AES-256-GCM AEAD.
Packet → Serialize → Encrypt → Wire → Decrypt Pipeline
Every KSP frame undergoes strict deterministic serialization and cryptographic transformation before touching the network interface. Zero JSON parsing or text serialization overhead.
Application Payload
Raw application struct or stream buffer (`StreamData` frame or control command).
Serialize & Fragment
Encode into binary. If payload > 16,384 bytes, slice across `StreamData` frames (`FRAGMENTED` bit set).
Header & Nonce XOR
Construct 48B fixed header (`Magic 0x4B535031`, Sequence #). Compute `write_iv XOR seq_num` nonce.
AEAD Encrypt
Run `AES-256-GCM` or `ChaCha20-Poly1305` over header (`AAD`) + payload. Append 16-byte authentication tag.
Network Wire Delivery
Transmit binary stream over reliable `9876/tcp` socket (or reverse-proxied over edge TLS Gateway).
Replay Bitmap Verify
Receiver checks 1024-bit sliding window (`highest_seq`). Drops packet immediately if duplicate or too old.
Protocol Landscape
Where KSP sits in the evolution of networking protocols. KSP is an experimental research protocol, not an Internet standard.
HTTP/2
RFC 7540
- Binary framing
- Header compression
- Multiplexing
TLS 1.3
RFC 8446
- 1-RTT handshake
- Forward secrecy
- AEAD only
HTTP/3 / QUIC
RFC 9114
- UDP transport
- 0-RTT resume
- Built-in TLS
KSP
RFC-0001 (Draft)
- Application-layer
- Custom binary framing
- Experimental / Research
⚠ KSP is an experimental protocol for learning and research. It is NOT an Internet standard and NOT a replacement for TLS or HTTPS.
Why another protocol?
KSP is not here to replace TLS or HTTPS. It exists because understanding protocol design requires building one.
Learning
Explore how secure application-layer protocols are designed from first principles — handshakes, framing, key derivation, and replay protection.
Experimentation
Test handshake designs, cipher suite selection, and framing strategies in isolation — without the constraints of production systems.
Binary Framing
Understand why binary wire formats outperform text protocols in overhead, parse complexity, and ambiguity elimination.
Protocol Engineering
Study AEAD encryption, forward secrecy, nonce construction, and stream multiplexing through a fully documented, readable implementation.
Research
A clean, RFC-documented protocol for academic and systems research. Every design decision is explained and justified.
Cryptographic Clarity
X25519, HKDF, and AES-256-GCM combined in a clear, auditable pipeline. No magic. No hidden state. Every step documented.
What KSP includes
A complete protocol implementation with tooling, benchmarks, and documentation.
Binary Protocol
48-byte fixed header. Big-endian encoded. Zero text parsing overhead. Every bit is accounted for in the RFC.
Replay Protection
1024-bit sliding window algorithm with per-direction sequence counters. Detects and rejects replayed frames silently.
Authenticated Handshake
X25519 ephemeral key exchange + Ed25519 certificate binding. Downgrade attack prevented via full transcript verification.
Stream Multiplexing
256 concurrent logical streams over a single TCP connection. Client-initiated odd IDs, server-initiated even. Inspired by HTTP/2.
AEAD Encryption
AES-256-GCM or ChaCha20-Poly1305. Header authenticated as AAD. HKDF-derived session keys. Forward secrecy per session.
Wireshark Integration
Custom Lua dissector for Wireshark. Inspect real KSP traffic: headers, flags, sequence numbers, stream IDs.
Docker Ready
Containerized KSP server and client. Run a full KSP stack in seconds. Included in the GitHub repository.
Criterion Benchmarks
Statistical benchmarks with Criterion.rs. Latency, throughput, serialization, and handshake performance measured and documented.
RFC Specification
Full RFC-0001 specification covering every aspect of the protocol. Written to RFC standards with MUST/SHALL/SHOULD language.
From Protocol Spec to Complete Developer Platform
We aren't just delivering a specification. We are systematically building out the 5-stage client and gateway infrastructure required for ubiquitous adoption.
Gateway Proxy
Edge TLS reverse proxy terminating HTTPS/WSS into KSP binary frames.
Browser Bridge
WebRTC/WASM browser runtime allowing web apps to speak KSP.
Core SDKs
Idiomatic async libraries for Rust (`tokio`), Python, Go, and TypeScript.
Browser Extension
DevTools inspection extension for viewing KSP stream frames live.
Native Client Daemon
OS-level system daemon for transparent local KSP socket forwarding.
KSP Playground
Build packets. Run a handshake. Inject replays. Watch the state machine. Everything simulated live in your browser — no installation required.