diff --git a/SVSim.BattleNode/Wire/NodeCrypto.cs b/SVSim.BattleNode/Wire/NodeCrypto.cs
new file mode 100644
index 0000000..481e98a
--- /dev/null
+++ b/SVSim.BattleNode/Wire/NodeCrypto.cs
@@ -0,0 +1,62 @@
+using System.Security.Cryptography;
+using System.Text;
+
+namespace SVSim.BattleNode.Wire;
+
+///
+/// AES-256-CBC encrypt/decrypt for the node socket channel. Port of
+/// Cryptographer.EncryptRJ256ForNode / DecryptRJ256ForNode in the decompilation.
+/// Key is prepended to ciphertext (cleartext); IV is the first 16 chars of the key.
+///
+public static class NodeCrypto
+{
+ ///
+ /// Generate a fresh 32-char key. 32 random hex digits, base64-encoded, truncated to 32 chars.
+ /// Port of Cryptographer.generateKeyString.
+ ///
+ public static string GenerateKey(Func randHexDigit)
+ {
+ var sb = new StringBuilder(32);
+ for (var i = 0; i < 32; i++)
+ {
+ sb.Append(randHexDigit().ToString("x"));
+ }
+ var ascii = Encoding.ASCII.GetBytes(sb.ToString());
+ return Convert.ToBase64String(ascii).Substring(0, 32);
+ }
+
+ /// Encrypt: returns key + base64(AES-256-CBC(plain)).
+ public static string EncryptForNode(string plaintext, string key)
+ {
+ if (key.Length != 32)
+ throw new ArgumentException($"Key must be exactly 32 chars, got {key.Length}", nameof(key));
+ using var aes = Aes.Create();
+ aes.KeySize = 256;
+ aes.Mode = CipherMode.CBC;
+ aes.Padding = PaddingMode.PKCS7;
+ aes.Key = Encoding.UTF8.GetBytes(key);
+ aes.IV = Encoding.UTF8.GetBytes(key.Substring(0, 16));
+ using var encryptor = aes.CreateEncryptor();
+ var plainBytes = Encoding.UTF8.GetBytes(plaintext);
+ var cipherBytes = encryptor.TransformFinalBlock(plainBytes, 0, plainBytes.Length);
+ return key + Convert.ToBase64String(cipherBytes);
+ }
+
+ /// Decrypt: input[0..32] is key, input[32..] is base64(ciphertext).
+ public static string DecryptForNode(string encrypted)
+ {
+ if (encrypted.Length < 32)
+ throw new ArgumentException("Encrypted blob is shorter than the 32-char key prefix", nameof(encrypted));
+ var key = encrypted.Substring(0, 32);
+ var cipherBytes = Convert.FromBase64String(encrypted.Substring(32));
+ using var aes = Aes.Create();
+ aes.KeySize = 256;
+ aes.Mode = CipherMode.CBC;
+ aes.Padding = PaddingMode.PKCS7;
+ aes.Key = Encoding.UTF8.GetBytes(key);
+ aes.IV = Encoding.UTF8.GetBytes(key.Substring(0, 16));
+ using var decryptor = aes.CreateDecryptor();
+ var plainBytes = decryptor.TransformFinalBlock(cipherBytes, 0, cipherBytes.Length);
+ return Encoding.UTF8.GetString(plainBytes);
+ }
+}
diff --git a/SVSim.UnitTests/BattleNode/Wire/NodeCryptoTests.cs b/SVSim.UnitTests/BattleNode/Wire/NodeCryptoTests.cs
new file mode 100644
index 0000000..169e93b
--- /dev/null
+++ b/SVSim.UnitTests/BattleNode/Wire/NodeCryptoTests.cs
@@ -0,0 +1,44 @@
+using NUnit.Framework;
+using SVSim.BattleNode.Wire;
+
+namespace SVSim.UnitTests.BattleNode.Wire;
+
+[TestFixture]
+public class NodeCryptoTests
+{
+ [Test]
+ public void EncryptThenDecrypt_RoundTripsArbitraryString()
+ {
+ const string plaintext = "{\"uri\":\"InitNetwork\",\"viewerId\":906243102,\"try\":0,\"cat\":99}";
+ const string key = "Y2FmZWJhYmU3ZmY3ZmY3ZmY3ZmY3ZmY3"; // 32 chars
+
+ var encrypted = NodeCrypto.EncryptForNode(plaintext, key);
+ var decrypted = NodeCrypto.DecryptForNode(encrypted);
+
+ Assert.That(decrypted, Is.EqualTo(plaintext));
+ }
+
+ [Test]
+ public void GenerateKey_WithDeterministicSource_ProducesStable32CharOutput()
+ {
+ var seq = 0;
+ string key = NodeCrypto.GenerateKey(() => seq++ % 16);
+
+ Assert.That(key.Length, Is.EqualTo(32));
+ // Two calls with the same source produce the same output.
+ seq = 0;
+ Assert.That(NodeCrypto.GenerateKey(() => seq++ % 16), Is.EqualTo(key));
+ }
+
+ [Test]
+ public void EncryptForNode_NonStandardKeyLength_Throws()
+ {
+ Assert.Throws(() => NodeCrypto.EncryptForNode("x", "tooshort"));
+ }
+
+ [Test]
+ public void DecryptForNode_TooShortInput_Throws()
+ {
+ Assert.Throws(() => NodeCrypto.DecryptForNode("tooshort"));
+ }
+}