Channels provide end-to-end encrypted messaging for real-time communication between authorized Aranya devices. They support high-throughput, low-latency data exchange for one-to-one communication.
Creating a Channel
A channel is used to group together a fixed number of devices based on specific roles or attributes. Device IDs identify the endpoints of the channel, and the topic label is an additional attribute available to write policies against. To create a channel, a device generates an ephemeral command. An ephemeral command is evaluated under the same policy as every other command, but it is part of an ephemeral session: it is never added to the DAG that audits the other commands and does not persist to the graph. Instead, devices transmit the command to each other through an external transport mechanism. The ephemeral command used during setup carries the information the peers need to establish the encryption keys that will be used for the channel.
Once the command is validated, the crypto engine generates an encryption key associated with the device and exposes it through shared memory. If the channel is specified as unidirectional, the device creating the channel is assigned only an encryption key. If the channel is bidirectional, the device is also assigned a decryption key. Aranya stores the key(s) in its own database and associates the key or key pair with this specific channel for this specific device. After the channel creator’s keys have been assigned, a “create channel” command is sent to the specified receiver. As with the initial sender device, the command is processed by the receiver’s associated policy, and the crypto engine generates a decryption key (if unidirectional) or an encryption/decryption key pair (if bidirectional). After the sender and receiver have both processed the “create channel” command, they are free to send and receive messages over their new channel; those channel messages are not processed by policy.
[Diagram: workflow when creating a channel]
Figure 5: Workflow when creating a Channel
Sending Data
To send data over the channel, a device will prepare the bytes to submit to the API to be encrypted. Aranya will retrieve the encryption key associated with the intended channel (stored in Shared Local Memory) and encrypt the message using the crypto engine. The user-defined transport method is then used to transmit the message to the receiver. Once the message has been received, Aranya will retrieve the device’s decryption key associated with this channel and use the crypto engine to decrypt the message. If a device’s encryption or decryption key associated with the channel cannot be found, then the device cannot encrypt or decrypt the message.
While channels are one-to-one, a policy may define rules that let a device send messages to multiple other devices over individual channels. This is facilitated by topic labels, which are defined in a policy and enforced by the permission system. A label is assigned to devices that want to communicate under a specific topic, and a channel can only be created between devices assigned that same label. Labels cannot be used to send a message to more than one device: policy uses a label to allow exactly two devices to talk to each other under it, provided both endpoints have that label assigned to them.
[Diagram: workflow to send data on a channel]
Figure 6: Workflow to Send Data on a Channel
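The two workflows above (per-direction key assignment at channel creation, and key lookup before encrypting or decrypting a message) can be modelled in a few dozen lines. The following is an added example, not Aranya's API or crypto engine: the `Device`, `create_channel`, `seal` and `open_` names, the `{"seal": ..., "open": ...}` key layout, and the `sensor`/`controller` devices and `telemetry` label are all constructed for illustration. In place of the crypto engine it uses an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream plus an authentication tag) so that it runs with the Python standard library alone. It enforces the three rules the text states: both endpoints must hold the label, a unidirectional channel gives the receiver no encryption key, and a device without the relevant key for a channel cannot encrypt or decrypt.

```python
"""Toy model of Aranya-style channel keys and label policy (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 16
TAG_LEN = 32


@dataclass
class Device:
    device_id: str
    labels: set = field(default_factory=set)
    # Hypothetical per-device key store: channel_id -> {"seal": key|None, "open": key|None}
    keys: dict = field(default_factory=dict)


def label_permits(sender: Device, receiver: Device, label: str) -> bool:
    """Policy check: a channel is only allowed if both endpoints hold the label."""
    return label in sender.labels and label in receiver.labels


def create_channel(sender: Device, receiver: Device, label: str,
                   bidirectional: bool) -> str:
    """Assign one random key per allowed direction to both endpoints."""
    if not label_permits(sender, receiver, label):
        raise PermissionError(f"policy rejects label {label!r} for "
                              f"{sender.device_id}->{receiver.device_id}")
    channel_id = f"{sender.device_id}:{receiver.device_id}:{label}:{secrets.token_hex(4)}"
    to_receiver = secrets.token_bytes(32)                      # creator's encryption key
    to_sender = secrets.token_bytes(32) if bidirectional else None
    sender.keys[channel_id] = {"seal": to_receiver, "open": to_sender}
    receiver.keys[channel_id] = {"seal": to_sender, "open": to_receiver}
    return channel_id


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the channel key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _lookup(device: Device, channel_id: str, direction: str) -> bytes:
    """Fetch the device's key for this channel; no key means no operation."""
    key = device.keys.get(channel_id, {}).get(direction)
    if key is None:
        raise LookupError(f"{device.device_id} has no {direction} key for {channel_id}")
    return key


def seal(device: Device, channel_id: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with the device's encryption key for the channel."""
    enc_key, mac_key = _subkeys(_lookup(device, channel_id, "seal"))
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, channel_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(device: Device, channel_id: str, message: bytes) -> bytes:
    """Verify the tag, then decrypt with the device's decryption key."""
    enc_key, mac_key = _subkeys(_lookup(device, channel_id, "open"))
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, channel_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


if __name__ == "__main__":
    sensor = Device("sensor", {"telemetry"})                 # constructed sample devices
    controller = Device("controller", {"telemetry", "commands"})
    ch = create_channel(sensor, controller, "telemetry", bidirectional=False)
    print(open_(controller, ch, seal(sensor, ch, b"temp=21.5")))
    try:
        seal(controller, ch, b"ack")   # unidirectional: receiver holds no encryption key
    except LookupError as err:
        print("refused:", err)
```

Binding the channel id into the tag means a message sealed for one channel cannot be accepted on another even if the keys happened to collide, which mirrors the text's point that keys are associated with one specific channel for one specific device.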