Wire-speed Resilient Authenticated Invisible Transfer Handler
A decentralized secure file transfer protocol optimized for high-throughput, low-latency operation with strong security guarantees and traffic analysis resistance.
WRAITH Protocol is a privacy-focused, high-performance file transfer protocol designed for secure peer-to-peer communication. Built in Rust, it combines kernel-bypass networking with modern cryptography to deliver:
- Wire-speed transfers - 10+ Gbps with AF_XDP kernel bypass, sub-millisecond latency
- End-to-end encryption - Noise_XX handshake, XChaCha20-Poly1305, perfect forward secrecy
- Traffic analysis resistance - Elligator2 key encoding, protocol mimicry, cover traffic
- Decentralized discovery - Kademlia DHT, NAT traversal, relay fallback
- Production-ready ecosystem - 12 client applications for file transfer, messaging, and specialized use cases
| Metric | Value |
|---|---|
| Tests | 2,140 passing (100% pass rate, 16 intentionally ignored) |
| Code | ~131,000 lines Rust (protocol + clients) + ~35,000 lines TypeScript |
| Documentation | 113 files, ~61,000 lines |
| Security | Grade A+ (zero vulnerabilities, 295 audited dependencies) |
| Quality | 98/100, zero clippy warnings |
| TDR | ~2.5% (Grade A - Excellent) |
| Applications | 12 production-ready clients (9 desktop + 2 mobile + 1 server platform) |
| Templates | 17 configuration/ROE templates |
- Wire-speed transfers (10+ Gbps with AF_XDP kernel bypass)
- Sub-millisecond latency (<1ms packet processing with io_uring)
- Zero-copy I/O via AF_XDP UMEM and io_uring registered buffers
- BBR congestion control with optimal bandwidth utilization
- Async file I/O with io_uring
- End-to-end encryption (XChaCha20-Poly1305 AEAD)
- Perfect forward secrecy (Double Ratchet with DH and symmetric ratcheting)
- Mutual authentication (Noise_XX handshake pattern)
- Ed25519 digital signatures for identity verification
- BLAKE3 cryptographic hashing
- Traffic analysis resistance (Elligator2 key encoding)
- Replay protection (64-bit sliding window)
- Key commitment for AEAD (prevents multi-key attacks)
- Packet padding (PowerOfTwo, SizeClasses, ConstantRate, Statistical modes)
- Timing obfuscation (Fixed, Uniform, Normal, Exponential distributions)
- Protocol mimicry (TLS 1.3, WebSocket, DNS-over-HTTPS)
- Cover traffic generation (Constant, Poisson, Uniform distributions)
- Adaptive threat-level profiles (Low, Medium, High, Paranoid)
- Privacy-enhanced Kademlia DHT with BLAKE3 NodeIds
- S/Kademlia Sybil resistance (crypto puzzle-based NodeId generation)
- NAT traversal (STUN client, ICE-lite UDP hole punching)
- DERP-style relay infrastructure with automatic fallback
- Connection migration with PATH_CHALLENGE/PATH_RESPONSE
- Chunked file transfer with BLAKE3 tree hashing
- Multi-peer downloads with parallel chunk fetching
- Resume support with missing chunks detection
- Real-time progress tracking (bytes, speed, ETA)
- Chunk verification (<1us per chunk)
WRAITH Protocol draws inspiration from the rich history of network reconnaissance, tracing a lineage from the analog telephone era to modern internet-scale discovery.
In the formative decades of the digital age, the Public Switched Telephone Network (PSTN) was the primary gateway to computer systems. Wardialing—the systematic automated dialing of telephone numbers to identify responding modems—became the foundational reconnaissance technique. The 1980 release of Zoom Telephonics' Demon Dialer introduced automated dialing to consumers, while the 1983 film WarGames popularized the technique and directly influenced national security policy, leading to NSDD-145 and the modern information security state.
Tools like ToneLoc (1990s) pioneered randomized dialing to evade detection, while THC-Scan added European PBX support. The commercial PhoneSweep (1998) legitimized wardialing as a professional security audit practice, with banner fingerprinting databases identifying over 470 system types.
As dial-up faded, the wardialing philosophy migrated to new mediums. Wardriving applied the same brute-force discovery to Wi-Fi networks. WarVOX (2009) leveraged VoIP and audio fingerprinting for cloud-scale telephone scanning. Today, stateless scanners like Masscan can enumerate the entire IPv4 address space in minutes, while Shodan continuously indexes every internet-connected device—the ultimate evolution of reconnaissance from the 10,000-number telephone exchange to the 4.3 billion-address IPv4 space.
WRAITH Protocol embodies this evolution: the same philosophy of systematic discovery and secure communication, implemented with modern cryptography and kernel-bypass networking for the contemporary threat landscape.
For the complete history of automated reconnaissance from the Demon Dialer to Shodan, see The Dial-Up Frontier.
WRAITH Protocol powers a comprehensive ecosystem of 12 production-ready applications:
| Application | Platform | Description |
|---|---|---|
| WRAITH-Transfer | Desktop | Secure P2P file transfer with drag-and-drop GUI |
| WRAITH-Chat | Desktop | E2EE messaging with voice/video calls and group messaging |
| Application | Platform | Description |
|---|---|---|
| WRAITH-Sync | Desktop | Serverless file synchronization with delta transfers and version history |
| WRAITH-Share | Desktop | Anonymous distributed file sharing with swarm transfers |
| WRAITH-Stream | Desktop | Secure media streaming with AV1/VP9/H.264 and adaptive bitrate |
| Application | Platform | Description |
|---|---|---|
| WRAITH-Mesh | Desktop | IoT mesh networking with topology visualization and diagnostics |
| WRAITH-Publish | Desktop | Censorship-resistant content publishing with Ed25519 signatures and RSS |
| WRAITH-Vault | Desktop | Distributed secret storage with Shamir's Secret Sharing |
| WRAITH-Recon | Desktop | Network reconnaissance platform for authorized security testing (RoE enforced) |
| WRAITH-RedOps | Server + Desktop | Red team operations platform with C2 infrastructure and implant framework |
WRAITH-Chat features:
- Signal Protocol Double Ratchet (forward secrecy + post-compromise security)
- Voice calling with Opus codec and RNNoise noise suppression
- Video calling with VP8/VP9 and adaptive bitrate (360p-1080p)
- Group messaging with Sender Keys protocol for O(1) encryption
- SQLCipher encrypted local database
WRAITH-Vault features:
- Shamir's Secret Sharing with configurable k-of-n threshold
- Guardian-based key fragment distribution
- Erasure coding (Reed-Solomon) for redundancy
- AES-256-GCM encrypted backups with zstd compression
- Scheduled automatic backups
WRAITH-Recon features (authorized security testing only):
- Rules of Engagement (RoE) enforcement with Ed25519 signatures
- Passive reconnaissance with AF_XDP kernel-bypass capture (10-40 Gbps)
- Covert channel testing (DNS tunneling, ICMP steganography, TLS mimicry)
- Tamper-evident audit logging with MITRE ATT&CK mapping
- Kill switch with <1ms activation latency
WRAITH-RedOps features (authorized red team operations only):
- Team Server with PostgreSQL persistence, campaign management, gRPC API
- Operator Client (Tauri 2.0) with real-time dashboard and interactive terminal
- Spectre Implant framework (no_std Rust) with C2 loop, sleep obfuscation, API hashing
- Multi-operator support with role-based access control (RBAC)
- Listener management for HTTP, HTTPS, DNS, TCP protocols
For detailed client documentation, see the Client Overview.
Pre-built Binaries (recommended):
Download from the releases page:
| Platform | Architecture | Notes |
|---|---|---|
| Linux | x86_64, aarch64 | glibc and musl variants |
| macOS | x86_64, aarch64 | Intel and Apple Silicon |
| Windows | x86_64 | - |
# Linux/macOS
tar xzf wraith-<platform>.tar.gz
chmod +x wraith
./wraith --version
# Windows (PowerShell)
Expand-Archive wraith-x86_64-windows.zip
.\wraith.exe --versionBuild from Source:
git clone https://github.com/doublegate/WRAITH-Protocol.git
cd WRAITH-Protocol
cargo build --release
cargo test --workspace
./target/release/wraith --versionRequirements:
- Rust 1.88+ (Rust 2024 edition)
- Linux 6.2+ recommended (for AF_XDP and io_uring)
- x86_64 or aarch64 architecture
# Generate identity keypair
wraith keygen --output ~/.wraith/identity.key
# Send a file to peer
wraith send document.pdf <peer-id>
# Receive files
wraith receive --output ./downloads
# Run as background daemon
wraith daemon --bind 0.0.0.0:0
# Check node status
wraith status
# List discovered peers
wraith peers
# View configuration
wraith config --showFor detailed usage, see the User Guide and Tutorial.
WRAITH Protocol uses a six-layer design optimized for security and performance:
Application Layer File transfer, chunking, integrity
|
Session Layer Stream mux, flow control, BBR congestion
|
Crypto Transport Noise_XX, XChaCha20-Poly1305, ratcheting
|
Obfuscation Layer Elligator2, padding, timing jitter
|
Kernel Acceleration AF_XDP, io_uring, zero-copy DMA
|
Network Layer UDP, raw sockets, covert channels
| Crate | Description | Tests |
|---|---|---|
| wraith-core | Frame parsing (SIMD), sessions, congestion control, Node API | 414 |
| wraith-crypto | Ed25519, X25519+Elligator2, AEAD, Noise_XX, Double Ratchet | 127 |
| wraith-transport | AF_XDP, io_uring, UDP sockets, worker pools | 130 |
| wraith-obfuscation | Padding, timing, cover traffic, protocol mimicry | 111 |
| wraith-discovery | Kademlia DHT, STUN, ICE, relay infrastructure | 231 |
| wraith-files | File chunking, BLAKE3 tree hashing, io_uring I/O | 34 |
| wraith-cli | Command-line interface with Node API integration | 8 |
| wraith-ffi | Foreign function interface (C/JNI bindings) | 6 |
For detailed architecture documentation, see Protocol Overview.
| Metric | Target | Notes |
|---|---|---|
| Throughput (10 GbE) | >9 Gbps | AF_XDP with zero-copy |
| Throughput (1 GbE) | >950 Mbps | With encryption |
| Handshake Latency | <50 ms | LAN conditions |
| Packet Latency | <1 ms | NIC to application |
| Memory per Session | <10 MB | Including buffers |
| CPU @ 10 Gbps | <50% | 8-core system |
| Component | Measured Performance |
|---|---|
| Ring Buffers | ~100M ops/sec (SPSC), ~20M ops/sec (MPSC) |
| Frame Parsing | 172M frames/sec (SIMD: AVX2/SSE4.2/NEON) |
| AEAD Encryption | 3.2 GB/s (XChaCha20-Poly1305) |
| BLAKE3 Hashing | 8.5 GB/s (parallelized) |
| File Chunking | 14.85 GiB/s |
| Tree Hashing | 4.71 GiB/s in-memory |
| Chunk Verification | 4.78 GiB/s |
| File Reassembly | 5.42 GiB/s |
| Function | Algorithm | Security Level |
|---|---|---|
| Signatures | Ed25519 | 128-bit |
| Key Exchange | X25519 | 128-bit |
| Key Encoding | Elligator2 | Traffic analysis resistant |
| AEAD | XChaCha20-Poly1305 | 256-bit key, 192-bit nonce |
| Hash | BLAKE3 | 128-bit collision resistance |
| KDF | HKDF-BLAKE3 | 128-bit |
| Handshake | Noise_XX | Mutual auth, identity hiding |
| Ratcheting | Double Ratchet | Forward + post-compromise security |
Cryptographic Guarantees:
- Forward secrecy via Double Ratchet
- Post-compromise security via DH ratchet
- Replay protection with 64-bit sliding window
- Key commitment prevents multi-key attacks
- Automatic rekey (time, packet-count, byte-count triggers)
Traffic Analysis Resistance:
- Elligator2 makes keys indistinguishable from random
- Cover traffic generation (multiple distribution modes)
- Configurable padding modes
- Protocol mimicry (TLS, WebSocket, DoH)
Implementation Security:
- Memory-safe Rust with ZeroizeOnDrop for secrets
- Constant-time cryptographic operations
- SIMD acceleration with security validation
- 100% unsafe code documentation
Validation:
- Comprehensive test coverage (2,140+ tests)
- DPI evasion validation (Wireshark, Zeek, Suricata, nDPI)
- 5 libFuzzer targets
- Property-based tests
- Security scanning (Dependabot, CodeQL, RustSec)
For security issues, see SECURITY.md for our responsible disclosure process.
cargo build --workspace # Development build
cargo build --release # Release build
cargo test --workspace # Run all tests
cargo clippy --workspace -- -D warnings # Linting
cargo fmt --all # Format code
cargo xtask ci # Full CI suite
cargo doc --workspace --open # API documentation
cargo bench --workspace # BenchmarksWRAITH-Protocol/
|-- crates/ # Protocol crates (8 active + 1 excluded)
| |-- wraith-core/ # Frame, session, congestion, Node API
| |-- wraith-crypto/ # Noise, AEAD, Elligator2, ratcheting
| |-- wraith-transport/ # AF_XDP, io_uring, UDP
| |-- wraith-obfuscation/# Padding, timing, mimicry
| |-- wraith-discovery/ # DHT, relay, NAT traversal
| |-- wraith-files/ # Chunking, integrity, transfer
| |-- wraith-cli/ # CLI
| +-- wraith-ffi/ # FFI bindings
|-- clients/ # Client applications (12)
|-- templates/ # Configuration and ROE templates (17)
| |-- recon/ # WRAITH-Recon ROE templates (7)
| |-- config/ # CLI and node configuration (2)
| |-- transfer/ # Transfer profile templates (1)
| +-- integration/ # Docker Compose, systemd service (2)
|-- docs/ # Documentation (130+ files)
|-- to-dos/ # Project planning
|-- ref-docs/ # Protocol specifications
|-- tests/ # Integration tests and benchmarks
+-- xtask/ # Build automation
WRAITH Protocol uses comprehensive GitHub Actions workflows:
- Continuous Integration - Tests, linting, formatting on every push/PR
- Security Scanning - Dependabot, CodeQL, cargo-audit, gitleaks, fuzzing
- Multi-Platform Releases - 6 platform targets with SHA256 checksums
- Client Builds - All Tauri desktop applications
See CI Workflow and Release Workflow.
WRAITH Protocol v2.2.5 represents 2,740+ story points across 24 development phases:
- Core protocol implementation (cryptography, transport, obfuscation, discovery)
- 9 production-ready desktop client applications
- Comprehensive documentation and testing
- CI/CD infrastructure with multi-platform releases
- Post-quantum cryptography - Kyber/Dilithium hybrid mode
- Formal verification - Cryptographic protocol proofs
- XDP/eBPF implementation - Full kernel bypass (wraith-xdp crate)
- SDK development - Python, Go, Node.js language bindings
See ROADMAP.md for detailed planning.
We welcome contributions! See CONTRIBUTING.md for guidelines.
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Make changes with tests
- Run CI checks (
cargo xtask ci) - Commit (
git commit -m 'feat: add amazing feature') - Push and open a Pull Request
- Follow Rust coding standards (rustfmt, clippy)
- Add tests for new functionality
- Update documentation
- Follow Conventional Commits
Licensed under the MIT License. See LICENSE for details.
WRAITH Protocol builds on excellent projects and research:
Protocol Inspirations: Noise Protocol Framework | WireGuard | QUIC | libp2p | Signal Protocol
Cryptographic Libraries: RustCrypto | Snow | dalek-cryptography
Performance Technologies: AF_XDP | io_uring | eBPF/XDP
- Repository: github.com/doublegate/WRAITH-Protocol
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Changelog: CHANGELOG.md
- Security Policy: SECURITY.md
WRAITH Protocol - Secure. Fast. Invisible.
Version: 2.2.5 | License: MIT | Language: Rust 2024 (MSRV 1.88) | Tests: 2,140 passing (100%) | Clients: 12 applications (9 desktop + 2 mobile + 1 server)
Last Updated: 2026-01-25
