Skip to content

Security

CRP implements an 8-layer security architecture with a total overhead of ~202 μs per window (0.001–0.01% of a typical window cost).

Design Philosophy

CRP is a local protocol — it runs in-process, not over a network. This eliminates entire attack classes: no MitM, no DNS spoofing, no certificate attacks, no API key theft in transit.

Trust Zones

graph LR
    A[Application<br/>TRUSTED] --> B[CRP Protocol<br/>TRUSTED]
    B --> C[LLM Provider<br/>SEMI-TRUSTED]
    D[External Data<br/>UNTRUSTED] --> B
    B --> E[Stored State<br/>PROTECTED]
Zone Trust Level Protection
Application Trusted RBAC boundaries
CRP Protocol Trusted Input validation, process isolation
LLM Provider Semi-trusted Output extraction normalizes data
External Data Untrusted 1-window quarantine, validation
Stored State Protected AES-256-GCM encryption

8 Security Layers

Layer 1 — Input Validation (Mandatory)

Cannot be disabled. Runs on every input:

  • Size limit: 50 MB per ingest
  • Unicode NFC normalization
  • Null byte and control character stripping
  • MIME type validation
  • Metadata key limit

Layer 2 — Injection Detection (Advisory)

Detects 21 prompt injection patterns. Advisory only — flags in QualityReport.security_flags but never blocks:

output, report = client.dispatch(...)
if report.security_flags:
    print(f"Security warnings: {report.security_flags}")

Layer 3 — RBAC

Three-role hierarchy with 13 permissions:

Role Permissions
OBSERVER Read session status, read quality reports
OPERATOR Dispatch, ingest, configure, + OBSERVER
ADMIN Delete facts, manage sessions, + OPERATOR

Rate limiting (configurable):

Limit Default
Dispatches 60/min
Ingest bandwidth 100 MB/min
Concurrent sessions 4
Session expiry 24 hours

Layer 4 — Session Binding

TLS-inspired HMAC-SHA256 handshake:

  • Per-session nonce generates fresh key
  • All operations bound to session
  • Zero-config fallback: random 256-bit secret via OS keyring (DPAPI on Windows, Keychain on macOS)

Layer 5 — Fact Integrity

DNSSEC-pattern integrity chain:

  • BLAKE3 hash per fact (~1 μs)
  • HMAC-SHA256 chain signing (~2 μs)
  • Parent hashes chained — modifying one fact requires re-signing the entire downstream chain
  • Cold-load: spot-check 10% sample
# Verify integrity chain
is_valid, broken_at = client.compliance_audit.verify_chain()

Layer 6 — Encryption

What Algorithm When
Cold state (CKF) AES-256-GCM At rest
Event log AES-256-GCM At rest
State exports AES-256-GCM At rest
Key derivation HKDF On session create

Not encrypted: active warm state, ANN index, model weights (process memory — OS-level isolation is the defense).

Layer 7 — Ingest Quarantine

New facts from untrusted sources enter a 1-window quarantine:

  • 0.7× confidence penalty during quarantine
  • Cross-reference validation against existing facts
  • Batch failure detection: >30% failure threshold flags the entire batch

Layer 8 — Embedding Defense

Protects against adversarial embedding attacks:

  • Protected embedding wrapper
  • Anomaly detection on embedding space
  • Guards against embedding inversion attacks

Attack Vector Coverage

Attack Defense Layers Status
Prompt injection Layers 2, 7 21 patterns detected
Fact poisoning Layers 1, 5, 7 4-layer defense
Cross-window contamination Layers 4, 5 Structurally immune
Unauthorized access Layers 3, 4 RBAC + session binding
State tampering Layers 5, 6 HMAC chain + encryption
Embedding inversion Layer 8 Protected embeddings
Unbounded consumption Layer 3 Rate limiting

OWASP Coverage

Framework Coverage
OWASP LLM Top 10 9/10
OWASP ML Security Top 10 8/10

Quantum Resistance

CRP uses symmetric-only cryptography:

  • HMAC-SHA256 (signing)
  • AES-256-GCM (encryption)
  • BLAKE3 (hashing)

Zero asymmetric crypto → Shor's algorithm has nothing to target. CRP already provides 128-bit post-quantum security.

Future roadmap

CRYSTALS-Kyber and CRYSTALS-Dilithium are on the quantum resistance roadmap for future optional asymmetric operations.

Performance Impact

Total security overhead: ~202 μs per window

Layer Cost Percentage
Input validation ~50 μs 0.003%
Injection detection ~80 μs 0.004%
RBAC check ~5 μs <0.001%
Session binding ~10 μs <0.001%
Fact hashing ~1 μs/fact <0.001%
HMAC chain ~2 μs/fact <0.001%
Encryption ~50 μs 0.003%

Security is essentially free relative to LLM generation time.

Vulnerability Reporting

Report security vulnerabilities via:

  • Email: security@crprotocol.io
  • GitHub Security Advisories (private)

Response timeline: 48-hour acknowledgment → 7-day assessment → 30-day fix or mitigation.