Technical Architecture

Built for
Certification.

Every architectural decision in Project Vajra is made with STQC evaluation and Common Criteria EAL 4+ in mind. This page is for engineers, DRDO evaluators, and HPSC technical members.

Architecture Layers

Four Isolated
Layers.

Layer 01
Data Plane
Vajra Core

Rust + Tokio + Hyper. Transparent TCP/TLS interception, hybrid PQ-TLS handshake, AES-256-GCM stream. Sub-2ms target latency on ARM-class hardware.

Rust + Tokio Hyper proxy AES-256-GCM PQ-TLS 1.3
Layer 02
Control Plane
Command Centre

Crypto-agility manager for hot-swapping algorithms without downtime. PKI bridge for ML-DSA Dilithium quantum-safe certificates. Policy config via gRPC and etcd.

gRPC etcd ML-DSA certs Hot-swap
Layer 03
Key Management
Sovereign KMS

Sovereign on-premise KMS — key generation, rotation, revocation. PKCS#11 HSM/TPM abstraction for hardware-backed key storage. Air-gap USB provisioner for disconnected tactical deployments.

PKCS#11 HSM / TPM Air-gap USB On-prem only
Layer 04
Observability
Audit + Metrics

OpenTelemetry metrics for latency and handshake rates. Hash-chained tamper-evident audit log mandatory for EAL 4+. SIEM export via syslog/CEF for defence SOC environments.

OpenTelemetry Prometheus Syslog/CEF Hash-chain log
Cryptographic Standards

NIST Final.
No Drafts.

Full Stack
PQC KEMML-KEM-768 — NIST FIPS 203
Standard dateAugust 2024 final
PQC signaturesML-DSA Dilithium — FIPS 204
Classical KEMX25519 — RFC 7748
Key derivationHKDF-SHA384 — RFC 5869
SymmetricAES-256-GCM — NIST SP 800-38D
Key zeroizationRust zeroize crate
Why Rust
Compile-time memory safety
Borrow checker eliminates buffer overflows at compile time — the strongest argument for Common Criteria EAL 4+ certification.
No garbage collector
Deterministic latency — critical for real-time tactical voice and high-frequency banking transactions.
ZeroizeOnDrop
Compile-time guaranteed key material wipe from memory when sessions end — verifiable by code review.