Secure Distributed Brain Simulation Guide

[!NOTE] For the latest implementation status, please refer to Functional Implementation Status (Remaining Functionality).

Overview

EvoSpikeNet implements the following security features to protect communication between nodes in a distributed brain simulation:

  1. Pre-Shared Key (PSK): Encryption using a pre-shared private key
  2. Diffie-Hellman key exchange: Forward secrecy with dynamic key generation
  3. AES-256-GCM encryption: Prevents eavesdropping and tampering with authenticated encryption

Security mode

1. Pre-Shared Key (PSK) Mode

The easiest and recommended method. All nodes use the same pre-shared key.

Generate PSK

# Generate a 256-bit (64-character hex) random key
python3 -c "import os; print(os.urandom(32).hex())"

How to use

from evospikenet.zenoh_comm import ZenohCommunicator, ZenohConfig

# Set PSK
psk = "your-64-char-hex-key-here"
config = ZenohConfig(psk=psk)
comm = ZenohCommunicator("node-1", config)

# All communications are automatically encrypted
comm.publish("topic", {"data": "secret"}, serialize="json")

Setting with environment variables

Shell:

export EVOSPIKENET_PSK="your-64-char-hex-key-here"

Python:

import os
from evospikenet.zenoh_comm import ZenohConfig

config = ZenohConfig(psk=os.getenv("EVOSPIKENET_PSK"))
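To make concrete what PSK mode provides (AES-256-GCM keyed by the shared 256-bit key, so both eavesdropping and tampering are caught), here is an added, self-contained example. It is not EvoSpikeNet's own code: the function names, the wire layout (12-byte nonce followed by ciphertext and tag) and the use of the topic name as associated data are assumptions chosen for illustration. It also shows what the "Decryption failed" condition described later under Troubleshooting looks like at the library level: a wrong PSK, a corrupted byte or a message replayed onto another topic all fail the GCM tag check, and the receiver learns nothing about the plaintext.

```python
"""PSK-mode envelope: AES-256-GCM keyed by a 32-byte pre-shared key.

Added example, not EvoSpikeNet's own code. Framing (nonce || ciphertext+tag) and
the topic-as-associated-data binding are assumptions for illustration.
"""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for GCM
TAG_LEN = 16    # GCM authentication tag appended by AESGCM.encrypt


def load_psk(psk_hex: str) -> bytes:
    """Decode the 64-hex-char PSK and reject anything that is not exactly 256 bits."""
    key = bytes.fromhex(psk_hex.strip())
    if len(key) != 32:
        raise ValueError(f"PSK must be 32 bytes (64 hex chars), got {len(key)} bytes")
    return key


def encrypt_message(psk_hex: str, topic: str, payload: dict) -> bytes:
    """Serialize payload as JSON and seal it.

    The topic is bound as associated data, so a ciphertext captured on one topic
    cannot be replayed verbatim onto another topic without failing authentication.
    """
    key = load_psk(psk_hex)
    nonce = os.urandom(NONCE_LEN)  # fresh random nonce per message; never reuse under one key
    plaintext = json.dumps(payload, separators=(",", ":")).encode()
    sealed = AESGCM(key).encrypt(nonce, plaintext, topic.encode())
    return nonce + sealed


def decrypt_message(psk_hex: str, topic: str, blob: bytes) -> dict:
    """Open a sealed message; raises InvalidTag on a wrong key, wrong topic or any tampering."""
    key = load_psk(psk_hex)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short to contain nonce and GCM tag")
    nonce, sealed = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plaintext = AESGCM(key).decrypt(nonce, sealed, topic.encode())
    return json.loads(plaintext)


def try_decrypt(psk_hex: str, topic: str, blob: bytes):
    """Receiver-side wrapper: returns (payload, None) or (None, reason).

    The reason string names the topic only, mirroring the guide's warning line; the
    key itself is never included in anything that could reach a log.
    """
    try:
        return decrypt_message(psk_hex, topic, blob), None
    except InvalidTag:
        return None, f"Decryption failed for topic: {topic} (PSK mismatch or corrupted data)"
    except ValueError as exc:
        return None, f"Decryption failed for topic: {topic} ({exc})"


if __name__ == "__main__":
    psk = os.urandom(32).hex()  # same generation step as the guide
    blob = encrypt_message(psk, "spikes/pfc-0", {"data": "secret"})
    print("same PSK      :", try_decrypt(psk, "spikes/pfc-0", blob))
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the tag
    print("corrupted     :", try_decrypt(psk, "spikes/pfc-0", tampered))
    print("PSK mismatch  :", try_decrypt(os.urandom(32).hex(), "spikes/pfc-0", blob))
    print("wrong topic   :", try_decrypt(psk, "spikes/motor-0", blob))
```

Because GCM is authenticated encryption, the three troubleshooting causes (PSK mismatch, missing session key, corrupted data) all surface as the same failure: an `InvalidTag` before any plaintext is released, which is what makes the "Decryption failed" warning worth monitoring rather than silently ignoring.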

2. Diffie-Hellman key exchange mode

Keys are negotiated dynamically between the nodes. This mode provides forward secrecy and is the most secure option.

How to use

Node 1:

from evospikenet.zenoh_comm import ZenohCommunicator, ZenohConfig

comm = ZenohCommunicator("node-1", ZenohConfig())

# Start key exchange
public_key = comm.initiate_key_exchange("node-2")
print(f"Public key: {public_key.hex()}")

# After receiving node 2's public key
peer_public_key = bytes.fromhex("...")
comm.complete_key_exchange(peer_public_key)

Node 2:

from evospikenet.zenoh_comm import ZenohCommunicator, ZenohConfig

comm = ZenohCommunicator("node-2", ZenohConfig())

# Start key exchange
public_key = comm.initiate_key_exchange("node-1")
print(f"Public key: {public_key.hex()}")

# After receiving node 1's public key
peer_public_key = bytes.fromhex("...")
comm.complete_key_exchange(peer_public_key)

Demo script

PSK mode demo

# Generate PSK
PSK=$(python3 -c "import os; print(os.urandom(32).hex())")
echo "PSK: $PSK"

# Start node 1 (terminal 1)
python3 examples/secure_distributed_brain_demo.py \
    --node-id node-1 \
    --peer-id node-2 \
    --psk "$PSK" \
    --mode psk

# Start node 2 (terminal 2)
python3 examples/secure_distributed_brain_demo.py \
    --node-id node-2 \
    --peer-id node-1 \
    --psk "$PSK" \
    --mode psk

DH key exchange mode demo

# Start node 1 (terminal 1)
python3 examples/secure_distributed_brain_demo.py \
    --node-id node-1 \
    --peer-id node-2 \
    --mode dh

# Copy the displayed public key

# Start node 2 (terminal 2)
python3 examples/secure_distributed_brain_demo.py \
    --node-id node-2 \
    --peer-id node-1 \
    --mode dh

# Exchange and input each other's public keys

Use in a Docker environment

docker-compose.yml configuration example

services:
  brain-node-1:
    image: evospikenet:latest
    environment:
      - EVOSPIKENET_PSK=${EVOSPIKENET_PSK}
      - NODE_ID=pfc-0
    networks:
      - brain-network

  brain-node-2:
    image: evospikenet:latest
    environment:
      - EVOSPIKENET_PSK=${EVOSPIKENET_PSK}
      - NODE_ID=motor-0
    networks:
      - brain-network

networks:
  brain-network:
    driver: bridge

.env file

# Set PSK to be shared by all nodes
EVOSPIKENET_PSK=your-generated-psk-here

Security Best Practices

1. PSK management

  • Recommended: Use environment variables or a secret management system (e.g. AWS Secrets Manager, HashiCorp Vault)
  • Not recommended: Hardcoding the PSK in source code
  • Recommended: Rotate the PSK regularly
  • Recommended: Use different PSKs for production and development environments

2. Key exchange

  • Recommended: Use DH key exchange to ensure forward secrecy
  • Recommended: Exchange public keys over a secure channel (HTTPS, SSH, etc.) when connecting for the first time
  • ⚠️ Note: Verify public key fingerprint to prevent man-in-the-middle attacks
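The two recommendations above (exchange public keys over a trusted channel, then verify a fingerprint before completing the exchange) and the DH mode described earlier fit together as follows. This is an added example, not EvoSpikeNet's `ZenohCommunicator` implementation: it uses X25519 and HKDF-SHA256 from the `cryptography` package to derive a 32-byte session key, and the fingerprint format (SHA-256 of the raw public key, first 16 bytes as colon-separated hex), the HKDF context label and the class and method names are assumptions chosen for illustration. The `run_exchange` helper runs both nodes in one process; with `substituted=True` it hands node-2 a different key in place of node-1's, which is the situation the fingerprint check exists to detect.

```python
"""DH-mode session key with out-of-band fingerprint verification.

Added example, not EvoSpikeNet's own code. Fingerprint format, HKDF label and
the node API shape are assumptions for illustration.
"""
import hashlib
import hmac

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

HKDF_INFO = b"evospikenet-session-key-v1"  # assumed context label, binds the key to its purpose


def fingerprint(public_key_bytes: bytes) -> str:
    """Human-comparable digest of a raw 32-byte X25519 public key.

    Read this out over the trusted channel (HTTPS, SSH, a phone call) and compare
    it before completing the exchange; the key bytes themselves can travel in the clear.
    """
    digest = hashlib.sha256(public_key_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))  # first 16 bytes of SHA-256


class KeyExchangeNode:
    """One simulation node's side of the exchange (assumed API, mirrors the guide's names)."""

    def __init__(self, node_id: str):
        self.node_id = node_id
        self._private = X25519PrivateKey.generate()  # fresh per session: this is the forward secrecy
        self.session_key = None

    def initiate_key_exchange(self) -> bytes:
        """Return the raw 32-byte public key to send to the peer."""
        return self._private.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def complete_key_exchange(self, peer_public: bytes, expected_fingerprint: str) -> bytes:
        """Verify the peer key against the out-of-band fingerprint, then derive the session key.

        A mismatch aborts the exchange: a substituted key (man-in-the-middle) or a
        copy/paste error would otherwise yield a key that decrypts nothing from the real peer.
        """
        if len(peer_public) != 32:
            raise ValueError(f"{self.node_id}: peer public key must be 32 raw bytes")
        if not hmac.compare_digest(fingerprint(peer_public), expected_fingerprint):
            raise ValueError(f"{self.node_id}: peer fingerprint mismatch, aborting key exchange")
        shared = self._private.exchange(X25519PublicKey.from_public_bytes(peer_public))
        # Never use the raw DH output directly; derive a uniformly random AES-256 key from it.
        self.session_key = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=HKDF_INFO).derive(shared)
        return self.session_key


def run_exchange(substituted: bool = False) -> dict:
    """Run a two-node exchange in one process.

    Fingerprints are taken directly from each node's real key, modelling the trusted
    channel. If substituted is True, node-2 is handed a third party's key instead of
    node-1's, and the fingerprint check must refuse it.
    """
    node1, node2 = KeyExchangeNode("node-1"), KeyExchangeNode("node-2")
    pk1, pk2 = node1.initiate_key_exchange(), node2.initiate_key_exchange()
    fp1, fp2 = fingerprint(pk1), fingerprint(pk2)  # exchanged out of band
    presented_pk1 = KeyExchangeNode("other").initiate_key_exchange() if substituted else pk1
    k1 = node1.complete_key_exchange(pk2, fp2)
    try:
        k2 = node2.complete_key_exchange(presented_pk1, fp1)
    except ValueError as exc:
        return {"established": False, "reason": str(exc)}
    return {"established": True, "keys_match": k1 == k2, "key_len": len(k2)}


if __name__ == "__main__":
    print("honest exchange     :", run_exchange())
    print("substituted key     :", run_exchange(substituted=True))
```

Note what the check does and does not give you: the fingerprint comparison only helps if the fingerprint arrived by a path the network attacker cannot alter, which is why the guide pairs it with "exchange over a secure channel" on first contact. The private key is generated per session and never serialized, so compromise of a node later does not expose earlier traffic.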

3. Network

  • Recommended: Communicate only within trusted networks
  • Recommended: Close unnecessary ports in your firewall
  • Recommended: Use a VPN or private network

4. Logging and Monitoring

  • Recommended: Log encryption errors
  • Not recommended: Writing key material to logs
  • Recommended: Monitor for unusual patterns of decryption failures

Troubleshooting

Decryption error

WARNING - Decryption failed for topic: ...

Cause:

  • PSK mismatch
  • Session key not established
  • Data is corrupted

Solution:

  1. Check that all nodes use the same PSK
  2. Check that the DH key exchange has completed
  3. Check the network connection

Key exchange failure

ERROR - Key exchange failed: ...

Cause:

  • Invalid public key format
  • Network error

Solution:

  1. Make sure the public key was copied correctly (no line breaks or spaces)
  2. Check the network connection

Performance impact

  • Encryption Overhead: approximately 5-10% CPU usage increase
  • Latency: approximately 1-2ms increase
  • Throughput: No significant impact (can be used with compression)

Security Audit

Please check the following regularly:

  1. ✅ Is your PSK stored safely?
  2. ✅ Are unnecessary encryptions disabled?
  3. ✅ Do the logs contain confidential information?
  4. ✅ Is the encryption library (the cryptography package) up to date?

Reference materials