TLS-Encrypted P2P Network

Encrypted Network

DERO is the first blockchain to use TLS-encrypted UDP for all P2P network communication, protecting against eavesdropping and tampering while maintaining high performance.

Innovation: Self-signed TLS certificates over KCP/UDP provide privacy without certificate authorities or trusted third parties.

Why Network Encryption Matters

Without encryption (Bitcoin, Ethereum):

Network observer (ISP, government) can see:
  ✓ Who you're connecting to
  ✓ Transaction broadcasts (plaintext)
  ✓ Block propagation timing
  ✓ Network metadata patterns
  
Privacy: Zero

With TLS encryption (DERO):

Network observer sees:
  ✓ Encrypted packets
  ✗ Cannot read contents
  ✗ Cannot identify transaction types
  ✗ Cannot tamper with data
  
Privacy: Network-level protection

DERO's Network Architecture

TLS over KCP/UDP

Layer	Technology	Purpose
Transport	UDP	Low latency, reduced kernel exposure
Reliability	KCP	Reliable delivery over UDP
Encryption	TLS	Confidentiality and integrity
Authentication	Self-signed certs	No central authority

Source: p2p/controller.go:34-35, 48, 609

TLS Implementation

Self-Signed Certificates

Simplified from source — see p2p/tlsconfig.go for full implementation (p2p/controller.go:717-776):

// Simplified pseudocode — actual source handles PEM encoding, error checks, etc.
func generate_random_tls_cert() tls.Certificate {
    key = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    
    tml = x509.Certificate{
        SerialNumber: big.NewInt(randomSerial),
    }
    
    certDER = x509.CreateCertificate(rand.Reader, &tml, &tml, &key.PublicKey, key)
    // PEM-encode certDER and key, then:
    return tls.X509KeyPair(certPem, keyPem)
}

// Applied to connections
tlsconfig = &tls.Config{
    Certificates: []tls.Certificate{generate_random_tls_cert()}
}
tlsconn = tls.Server(conn, tlsconfig)

Why self-signed?

✅ No certificate authorities (decentralized)
✅ Each node generates own cert
✅ No trusted third parties
✅ Prevents network-level eavesdropping

Why HTTPS is intentionally absent from RPC

Every integrator who looks at the DERO daemon eventually asks: "why doesn't derod ship HTTPS on the RPC port?" The answer is two-part, and Captain has stated it directly:

The two arguments unpacked:

HTTPS as a trust model is compromised by design. A public CA can mint a valid certificate for any domain it wants (sometimes under legal compulsion, sometimes through compromise) and from that point, any "encrypted" HTTPS session can be silently intercepted. The padlock icon does not mean the traffic is private from the CA, only that it's private from passive sniffers on the wire.
VPN is the right tool for the only legitimate HTTPS use case. If your concern is local ISP / telecom / coffee-shop wifi sniffing, a VPN solves it at the transport layer — without inheriting the CA-as-trusted-third-party problem. RPC traffic should already be on a trusted bus (127.0.0.1, a private VPN, an SSH tunnel, WireGuard).

The architectural pattern that follows from this:

Port	Protocol	Encryption	Why
P2P (`10101`)	TLS over KCP/UDP	Self-signed TLS (per the section above)	Nodes talk across the public internet; encryption is required, but CAs are unwanted
Daemon RPC (`10102`)	Plain HTTP	None (local trust)	Designed for `127.0.0.1` traffic; if you tunnel it, the tunnel provides encryption
Wallet RPC (`10103`)	Plain HTTP	None (local trust)	Same model as daemon RPC

If you need to expose RPC over a network, don't add HTTPS to derod — put it behind an authenticated TLS terminator you control (nginx, Caddy, an SSH tunnel, WireGuard). The threat model assumes the RPC port is on a trusted bus, and the encryption decision is delegated to whatever transport you choose to expose it over.

ECDSA vs RSA Choice

Performance Comparison

From source code comments (p2p/controller.go:721-734):

/* RSA can do only 500 exchanges per second
 * EC256 does roughly 20000 exchanges per second
 */
 
// DERO chose ECDSA (P256)
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

Algorithm	Handshakes/Second	DERO's Choice
RSA	~500	❌ Too slow
ECDSA P256	~20,000	✅ Used

Why this matters:

Enterprise services handle thousands of connections/second
Fast handshakes = better scalability
40× performance improvement

UDP vs TCP

Why DERO Uses UDP

Aspect	TCP	UDP (with KCP)
Network Overhead	Higher	Lower
Kernel Exposure	More syscalls	Fewer syscalls
Latency	Higher	Lower
Reliability	Built-in	KCP adds it
For Blockchain	Slower propagation	Faster propagation

KCP (UDP-based reliability):

Provides TCP-like reliability over UDP
Lower latency than TCP
Configurable for blockchain needs
Used by many high-performance systems

Source: p2p/controller.go:48 - github.com/xtaci/kcp-go/v5

Network Privacy Stack

Layer 1: UDP Transport
  → Low latency, reduced overhead
  
Layer 2: KCP Protocol  
  → Reliable delivery
  
Layer 3: TLS Encryption ← PRIVACY LAYER
  → Encrypted communication
  → Self-signed certificates
  → No eavesdropping possible
  
Layer 4: DERO Protocol
  → Block/TX propagation
  → Encrypted by TLS

What TLS Protects

Network-Level Attacks Prevented:

Attack	Without TLS	With TLS
Eavesdropping	ISP sees all data	✅ Only sees encrypted packets
Tampering	Can modify packets	✅ Detected and rejected
Traffic Analysis	Can identify TX types	⚠️ Timing still visible
MITM	Possible	⚠️ Not prevented (no cert verification)

What TLS does NOT hide (network layer metadata):

⚠️ Your IP address (visible at network layer)
⚠️ Packet sizes (observable by network)
⚠️ Connection timing (metadata analysis)
⚠️ That you're using DERO (traffic patterns)

Note: These limitations apply to ALL TLS implementations (network layer metadata is below TLS's encryption layer)

Additional privacy: DERO supports SOCKS proxy (for Tor/other proxies):

# Run daemon through Tor (Tor must be running on port 9050)
./derod --socks-proxy=127.0.0.1:9050
 
# Or through any SOCKS5 proxy
./derod --socks-proxy=proxy_ip:port
 
# Source: cmd/derod/main.go:62, 75
# Flag: --socks-proxy=<socks_ip:port>  Use a proxy to connect to network.

Note: VPN would hide DERO usage from ISP, but is NOT configurable via daemon (system-level).

Network Configuration

Default ports:

# Mainnet
P2P:  10101 (encrypted UDP/KCP/TLS)
RPC:  10102 (HTTP, local only)
 
# Testnet  
P2P:  40401 (encrypted UDP/KCP/TLS)
RPC:  40402 (HTTP, local only)

Firewall rules:

# Allow P2P (required)
sudo ufw allow 10101/udp
 
# RPC should be local-only (security)
# No firewall rule needed for RPC

Source: config/config.go - Network port constants

Key Advantages

1. Privacy

✅ ISP cannot read network traffic
✅ Government cannot inspect packets
✅ No plaintext transaction broadcasts

2. Security

✅ Prevents packet tampering
✅ Authenticates peers
✅ Protects integrity

3. Performance

✅ Fast handshakes (20,000/sec with ECDSA)
✅ Low latency (UDP-based)
✅ Efficient propagation

4. Decentralization

✅ No certificate authorities
✅ Self-signed certs
✅ No central trust point

Comparison with Other Blockchains

Blockchain	Network Encryption	Protocol	Performance
Bitcoin	✅ BIP 324 (v2 transport, since Core 26.0)	TCP	Slower, public
Ethereum	✅ RLPx (ECIES encrypted transport)	TCP	Slower, public
Other Privacy Coins	⚠️ Varies by implementation	TCP	Slower, public
DERO	✅ TLS	UDP/KCP	Faster, private

DERO = Only blockchain with encrypted P2P layer

Technical Implementation

Connection Flow

Outgoing connection:
  1. Create KCP/UDP connection
  2. Wrap with TLS (self-signed cert)
  3. Perform handshake
  4. Exchange blockchain data (encrypted)
  
Incoming connection:
  1. Accept KCP/UDP connection
  2. Wrap with TLS (self-signed cert)
  3. Verify handshake
  4. Serve blockchain data (encrypted)

Source code:

TLS setup: p2p/controller.go:551, 609
Outgoing: p2p/controller.go:398 - tls.Client(conn, &tls.Config{InsecureSkipVerify: true})
Incoming: p2p/controller.go:609 - tls.Server(conn, tlsconfig)

Limitations & Mitigations

What TLS Encrypts:

✅ All packet contents
✅ Transaction data
✅ Block data
✅ Peer communications

What TLS Does NOT Hide:

⚠️ That you're using DERO
⚠️ Connection timing
⚠️ Packet sizes
⚠️ Your IP address

Additional Privacy Layers:

# Use Tor for IP privacy
torify ./derod
 
# Or use VPN
# Hides that you're using DERO from ISP

Key Takeaways

DERO's encrypted network provides:

✅ TLS encryption - All P2P traffic encrypted
✅ UDP/KCP protocol - Fast, low latency
✅ ECDSA certificates - 20,000 handshakes/sec (40× faster than RSA)
✅ Self-signed - No certificate authorities
✅ Privacy - ISP cannot read network data
✅ Security - Tampering detected and prevented

⚠️

Note: TLS protects network layer. For complete privacy, DERO also uses ring signatures (sender), homomorphic encryption (amounts), and bulletproofs (validation).