Security Architecture

Built to Survive the Harshest Threat Environments

Zero-trust, zero-logs, zero-attribution. Every design decision assumes compromise from the start.

Tor v3 Onion Routing

All traffic routed through a minimum 6-hop Tor circuit before reaching NEXUS DARK infrastructure.

Circuit path: Client Agency -> Guard Node -> Middle Relay x3 -> Rendezvous Point -> NEXUS Server

CIRCUIT HOPS: 6 minimum
ONION VERSION: v3 (ed25519)
ROTATION: Every 10 min

Post-Quantum Encryption Stack

NEXUS DARK implements a hybrid classical + post-quantum stack, protecting against both current adversaries and future cryptographically-relevant quantum computers (CRQC).

[!] HARVEST NOW, DECRYPT LATER: Our post-quantum stack protects intelligence data from adversaries recording encrypted traffic today to decrypt when quantum computers become available.

Application Layer  |  End-to-end encrypted payloads  |  AES-256-GCM
Key Encapsulation  |  Post-quantum key exchange  |  CRYSTALS-Kyber-1024
Digital Signatures  |  Tamper-evidence & non-repudiation  |  CRYSTALS-Dilithium
Classical Fallback  |  Elliptic curve hybrid  |  X25519 / Ed25519
Hashing  |  Data integrity  |  SHA3-512 / BLAKE3
Transport  |  Network channel  |  TLS 1.3 + Tor

Zero Trust Architecture

Every connection authenticated, authorized, and encrypted — regardless of network location.

Hardware Enclave Isolation

Tenant workloads run in isolated Intel TDX / AMD SEV hardware enclaves. Attestation required before data access.

Intel TDX  |  AMD SEV  |  Attestation

Air-Gap Compatibility

Offline operation mode with one-way data diodes. USB-immunized transfer protocols for classified network environments.

Data Diode  |  Offline Mode  |  Cross-Domain

Zero-Knowledge Sessions

No session metadata retained server-side. RAM-only session state with cryptographic erasure on disconnect.

No Logs  |  RAM-Only  |  ZK Proofs

Our PGP Public Key

Encrypt all communications to NEXUS DARK using this key. We only respond to PGP-encrypted messages.

Key ID: 0xD9F72E1688CA
Fingerprint: 4A2F 8C1E 3D7B 9F02 A5E6  B841 0C3A D9F7 2E16 88CA
Algorithm: RSA 4096-bit  |  Created: 2024-01-01  |  Expires: Never

Certification & Compliance

NIST CSF 2.0: Cybersecurity Framework
FIPS 140-3: Crypto module validation
CC EAL5+: Common Criteria evaluation
NATO SECRET: Compatible data handling
MITRE ATT&CK: Full framework coverage
ISO 27001: ISMS certified
SOC 2 Type II: Annual third-party audit
GDPR Exempt: Sovereign ops jurisdiction