Part V · 1 — Identity and transport

draft

This is where the theory lands. Every Koder Stack choice for *proving who you are* and protecting what moves is a primitive from the earlier parts, chosen on purpose — not an accidental default.


The Koder Stack's crypto components: ID, Jet, certs, kzip, over koder_kit

1.1 Koder ID — the Stack's identity

Koder ID (services/foundation/id) is the single identity provider for the whole Stack: an OAuth/OIDC server that every login passes through. Its cryptographic choices map directly onto Part II:

Function Primitive Part
Password hash Argon2id (\(m\)19 MiB, \(t\)2, \(p\)=1) II — KDF/passwords
Session token 256-bit random + HMAC-SHA256 II — MAC
JWT signature Ed25519 (not HS256/RS256) II — signature
Passwordless login Passkeys / WebAuthn II — asymmetric

JWT signing with Ed25519 is the exemplary decision: the public key is published at /.well-known/jwks.json, and any service verifies the token without sharing a secret — exactly the non-repudiation property that separates signature from MAC (Part I). And passkeys take this to login: the private key never leaves the device; the server keeps only the public one.


1.2 TLS in Koder Jet

All web traffic passes through Koder Jet (infra/net/jet), the Stack's single server. The TLS posture is Part III applied:

  • TLS 1.3 only for new sites (1.2 with ECDHE-AEAD only in legacy compat).
  • AEAD suites only: AES-GCM and ChaCha20-Poly1305 (preferred without AES-NI) —

    Part II.

  • Key exchange X25519, with the X25519MLKEM768 hybrid in pilot — the

    Part IV already entering production.

  • Forbidden: TLS 1.0/1.1, RC4, 3DES, MD5, SHA-1, RSA key transport, CBC modes

    — the whole list of historical weaknesses from the earlier parts.

  • HSTS with preload on all subdomains; HTTPS only, 301 redirect

    (policies/security.kmd).

The certificates come from services/foundation/certs via ACME DNS-01 (ClouDNS), chained through the web PKI — with automatic rotation every 90 days (short validity instead of revocation).


1.3 Hardened SSH

Access to servers and to Koder Flow uses OpenSSH 9.6+ with strict KEX (Terrapin attack mitigation):

  • Host keys Ed25519; key-only authentication (password off); root by key

    only.

  • KEX sntrup761x25519 — note: already post-quantum hybrid, like TLS.
  • Cipher ChaCha20-Poly1305 (AEAD); MAC HMAC-SHA-512-ETM (encrypt-then-MAC).

It is the same fit as TLS — key exchange + AEAD + MAC — in a different protocol, reinforcing the lesson of Part III: the protocols change, the primitives and the pattern repeat.


Dense reference: exact suites, full SSH config, and the hybrid pilot in 14-koder-applied. Next: Data and keys — encryption at rest and the key lifecycle.