FixCraft BaseFWX secure toolkit

Security Model

Overview

BASEFWX is built around authenticated encryption with optional post-quantum master key wrapping.

BASEFWX does not implement a nonstandard “AES-512” primitive. The symmetric layer is AES-256-GCM.

Version Support Policy

BaseFWX uses a strict single-version maintenance model:

For this project, “upgrade to latest” is a security requirement, not a convenience recommendation.

Key Paths

Two independent unlock paths are supported:

1) Password-based key derivation. 2) Master key recovery (opt-in) using ML-KEM or EC fallback.

If master wrapping is disabled, a password is required. If master wrapping is enabled and a public key is supplied, you can decrypt with the master private key even when the password is empty.

For a post-quantum-only deployment, set BASEFWX_PQ_STRICT=1 (or BASEFWX_PQ_ONLY=1) to disable the EC fallback path and reject EC master blobs during decrypt. Set BASEFWX_MASTER_PQ_ALG=ml-kem-1024 (or BASEFWX_PQ_MAX=1) to use the larger ML-KEM parameter set in the C++ core when matching keys are provisioned.

Metadata

Obfuscation

BASEFWX includes a size-preserving obfuscation layer before AEAD. It is deterministic and reversible, designed to remove obvious plaintext structure. It is not a substitute for encryption. Current AES payloads derive separate subkeys for AEAD and obfuscation. Current AES-heavy stream payloads derive the stream obfuscator from the wrapped session secret instead of the user password, so master-only decrypt flows remain viable and key reuse is reduced. Video/audio scrambling masks only low-order bits to preserve playability and will leak structure. Python no-archive max profile increases masking to full byte/sample transforms to reduce residual structure. Image encryption without trailers is deterministic and reuses keystream material; only enable it with explicit opt-in (BASEFWX_ALLOW_INSECURE_IMAGE_OBFUSCATION=1).

Live Stream Framing

Python, Java, and C++ provide a packetized live AEAD stream API (LiveEncryptor/LiveDecryptor and fwxAES_live_* wrappers):

Limits:

Legacy CBC

Legacy AES-CBC decrypt is available only when ALLOW_CBC_DECRYPT=1 is set. This is intended for migration of old payloads to AEAD formats.

Operational Notes