How It Works
A brief overview of CHIPS™ technology, the operation of XTRA in building Synchronous Ephemeral Encryption (SEE™), and the K4C process for public-facing workloads that connect with other organizations
Hopr's SaaS products protect workloads, APIs, and data by disabling a threat actor's ability to plan and launch attacks using credential theft and Man-in-the-Middle attacks. Generational improvements across all cloud environments are achieved with the following three novel Hopr innovations.
CHIPS
Codes Hidden In Plain Sight (CHIPS™) is a patented technology for generating seed material for identical symmetric keys at two separate locations anywhere in the world. By drawing on the vast, constantly changing data on the Internet, CHIPS produces seed material for AES-256-GCM symmetric keys, which the two endpoints then use to encrypt and decrypt the messages between them. AES-256-GCM is widely recognized and trusted for its robustness and resistance to known attacks, making it a reliable choice for safeguarding sensitive information.
At its core, CHIPS™ utilizes a large number of default algorithms. Each algorithm consists of three main components: an RSS feed URL, a specific headline within the feed, and various transformations applied to the headline text. These transformations may include character transposition, replacement, or insertion. To generate identical key seeds, both endpoints must access the same RSS feed, extract the designated headline, and apply the specified transformations at almost the same time. To ensure synchronization between endpoints, it is important that the systems have synchronized clocks or use a time synchronization protocol like NTP.
One of the unique features of CHIPS™ is its natural key rotation mechanism. As the dynamic data on the Internet, specifically RSS feeds, changes, so do the generated keys. This feature not only enhances security by limiting the use of a single symmetric key to a single session but also eliminates the need for manual key management. Assuming unrestricted access to dynamic data sources like RSS feeds, CHIPS can be readily integrated with various communication systems, offering a flexible and secure solution for encrypted communication.
In summary, CHIPS™ is a groundbreaking technology that enables secure communication through the generation of identical symmetric keys at two distinct locations. By leveraging the ever-changing landscape of the Internet and an extensive library of algorithms, CHIPS provides a reliable and secure solution for encrypted communication, with the added benefit of natural key rotation and compatibility with different communication systems.
A crucial component of the CHIPS™ workflow is the replacement of automated PKI certificates (the workload identity credential) with an alternate identity credential capable of trust verification. The Machine Alias Identity (MAID) is a workload identity credential assigned when the workload and sidecar are first deployed. Upon initialization, each sidecar receives an initial MAID and then rotates that credential at a specified interval. MAIDs are linked in a chain and are independently verified by Hopr at the start of each session. This verification helps to prevent impersonation attempts by an Adversary in the Middle, ensuring the integrity and confidentiality of encrypted communication. The sidecar manages MAID rotation; the recommended interval depends on the organization's security requirements and threat model, balancing security against performance.
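To make the chained-credential idea concrete, here is an added illustration written for this page; it is not Hopr's code, and the MAID format, the chain construction (each MAID is an HMAC-SHA256 over its predecessor and a rotation index, keyed with a registration secret shared with the verifier at deployment), the field names and the replay rule are all assumptions of the example. It shows why a credential captured by an Adversary in the Middle is useless once the sidecar has rotated past it, and why a guessed credential fails verification.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// nextMAID links a credential to its predecessor: the new MAID is an HMAC over the previous
// MAID and the rotation index, keyed with a registration secret shared with the verifier at
// deployment. This construction is assumed for illustration; Hopr's actual format is not shown here.
func nextMAID(secret, prev []byte, index uint64) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(prev)
	mac.Write([]byte(fmt.Sprintf("|%d", index)))
	return mac.Sum(nil)
}

// Sidecar holds the workload's current credential and rotates it on its interval.
type Sidecar struct {
	secret, maid []byte
	index        uint64
}

func (s *Sidecar) Rotate() {
	s.index++
	s.maid = nextMAID(s.secret, s.maid, s.index)
}

// Present returns what the sidecar sends at the start of a session.
func (s *Sidecar) Present() (uint64, string) { return s.index, hex.EncodeToString(s.maid) }

// Verifier (Hopr's role) keeps the initial MAID and secret from registration plus the highest
// index it has accepted, so a credential captured before an earlier rotation is refused.
type Verifier struct {
	secret, initial []byte
	lastIndex       uint64
}

func (v *Verifier) Verify(index uint64, presented string) bool {
	if index < v.lastIndex {
		return false // older than what this workload already proved: a replay
	}
	got, err := hex.DecodeString(presented)
	if err != nil {
		return false
	}
	expected := v.initial
	for i := uint64(1); i <= index; i++ { // walk the chain independently of the sidecar
		expected = nextMAID(v.secret, expected, i)
	}
	if !hmac.Equal(expected, got) { // constant-time comparison
		return false
	}
	v.lastIndex = index
	return true
}

// MAIDDemo reports whether the current credential, a captured older one, and a forged one are accepted.
func MAIDDemo() (current, replayed, forged bool) {
	secret := []byte("constructed registration secret") // constructed sample values
	initial := []byte("constructed initial MAID")
	side := &Sidecar{secret: secret, maid: initial}
	ver := &Verifier{secret: secret, initial: initial}
	side.Rotate()
	oldIndex, oldMAID := side.Present() // an adversary in the middle captures this one
	side.Rotate()
	side.Rotate()
	index, maid := side.Present()
	current = ver.Verify(index, maid)
	replayed = ver.Verify(oldIndex, oldMAID)
	forged = ver.Verify(index+1, hex.EncodeToString(nextMAID([]byte("guess"), nil, index+1)))
	return current, replayed, forged
}

func main() { fmt.Println(MAIDDemo()) }
```

The verifier recomputes the chain from the registered initial value on every session, which is what "independently verified" buys: it never has to trust the sidecar's claim about its own history. A production verifier would cache the last accepted MAID instead of re-walking the chain, and the index window it accepts is exactly the rotation-interval trade-off the paragraph describes.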
XTRA
eXceptionally Tamper Resistant APIs (XTRA) is a cutting-edge product designed to secure communication between two or more endpoints on networks within an organization. XTRA harnesses the power of the patented CHIPS™ technology to ensure encrypted and tamper-resistant communication.
XTRA comprises two sidecar containers: a proxy container and a key server container. The proxy container is built around the Envoy Proxy, an open-source, high-performance edge and service proxy designed for cloud-native applications. Envoy is recognized for its advanced features, such as load balancing, service discovery, and observability. XTRA incorporates a custom WebAssembly (WASM) filter into the Envoy Proxy, which is designed to be compatible with various Envoy Proxy configurations, handling encryption and decryption operations seamlessly.
The key server container utilizes CHIPS™ for seed generation, exposing it as an API accessible on the common network space shared by pods in Kubernetes. This design makes XTRA easy for DevOps Engineers to deploy alongside existing containerized workloads, requiring only minor modifications to the Kubernetes YAML for deployment. Non-Kubernetes deployment mechanisms are also possible with minimal changes, depending on the customer's infrastructure requirements.
During deployment, the CHIPS™ algorithm is configured, and endpoints that are set up with the same algorithm can securely communicate with one another. Only trusted workloads can read encrypted messages, while all other traffic is blocked due to failed decryption, ensuring that the workload (or API endpoint) remains secure. XTRA is designed to minimize latency and performance issues introduced by the encryption and decryption processes. The efficient implementation of the custom WASM filter within the Envoy Proxy ensures that encryption and decryption operations have minimal impact on overall performance. XTRA is designed to scale efficiently alongside containerized workloads, providing a robust and secure communication solution that can grow with your infrastructure.
In addition to the natural key rotation mechanism provided by CHIPS™, XTRA also handles key management, ensuring secure communication between endpoints without manual intervention. XTRA offers the flexibility to perform encryption and decryption operations at either Layer 4 or Layer 7, depending on customer needs. At Layer 4, every IP packet, including message headers and bodies, is individually encrypted and decrypted. At Layer 7, XTRA encrypts and decrypts message payloads, providing an additional layer of security.
In summary, XTRA is a robust and flexible product that leverages the power of CHIPS™ technology and the advanced features of Envoy Proxy to secure communication between network endpoints. With easy deployment options, customizable configurations, minimal impact on performance, and efficient key management, XTRA provides an unparalleled solution for protecting API communication.
K4C
Kerberos For Cloud (K4C) is an advanced security product that includes and extends the capabilities of XTRA. Building on the foundation of XTRA and CHIPS™ technology, K4C introduces a trusted third-party system (Hopr) to negotiate secure communication between workloads in different organizations without requiring the sharing of each organization's CHIPS™ algorithm (the one used for internal workload protection). K4C performs XTRA communications with internal workloads (it has all the capabilities of XTRA), but it adds the 'Kerberos' functionality for public-facing workload connections.
K4C streamlines the process of secure communication between organizations by leveraging Hopr infrastructure. When one organization wishes to communicate securely with another, it uses a locally-configured CHIPS algorithm to secure communication to Hopr. Hopr, the company behind K4C, XTRA, and CHIPS™, generates a session key for the initiating organization's endpoint to use and stores the key with strong encryption and access control mechanisms, ensuring the security and integrity of the keys.
The receiving organization secures communication to Hopr using its own, potentially different, CHIPS™ algorithm when retrieving the session key. By involving a trusted third party like Hopr in the communication process, K4C provides a seamless experience for users. Organizations using K4C do not need to share any sensitive information with each other, and merely need to register their endpoints with Hopr.
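The following is an added example, written for this page and not Hopr's code, that ties the CHIPS, XTRA and K4C descriptions above together in one runnable Go program. Everything specific in it is an assumption: the `Algorithm` struct (feed URL, headline position, transformations), the two transformations, the `example.invalid` feed URLs and their headlines (a constructed snapshot standing in for a live RSS fetch), HMAC-SHA256 as the seed-to-key expansion, the epoch value that stands for the synchronized clock window, the counter-derived GCM nonce, and the fixed session key that a real broker would draw from a CSPRNG. It shows the three properties the sections rely on: two endpoints on the same algorithm derive byte-identical AES-256-GCM keys, an endpoint on a different algorithm cannot open the traffic (the authentication tag fails, so the proxy drops it), and the K4C broker can hand a session key to two organizations without either learning the other's algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Algorithm is the assumed shape of one CHIPS algorithm: feed, headline position, transformations.
type Algorithm struct {
	FeedURL    string
	HeadlineNo int
	Transforms []func(string) string
}

// Two of the transformation kinds the page names (replacement, insertion); transposition is analogous.
func replaceVowels(s string) string { return strings.NewReplacer("a", "4", "e", "3", "i", "1", "o", "0").Replace(s) }
func insertLength(s string) string  { return fmt.Sprintf("%s|%d", s, len(s)) }

// feedSnapshot stands in for a live RSS fetch: constructed headlines keyed by feed URL.
var feedSnapshot = map[string][]string{
	"https://example.invalid/feed-a.xml": {"Sample headline one", "Council approves new bridge"},
	"https://example.invalid/feed-b.xml": {"Rain expected on Tuesday", "Local team wins final"},
}

// DeriveKey applies the algorithm to the snapshot and expands the seed into a 32-byte AES-256 key with
// HMAC-SHA256. The epoch (a coarse window of the synchronized clock) is mixed in, so both endpoints
// must agree not only on the headline but on when they read it.
func DeriveKey(alg Algorithm, feed map[string][]string, epoch uint64) ([]byte, error) {
	if alg.HeadlineNo >= len(feed[alg.FeedURL]) { // a missing feed has length 0
		return nil, fmt.Errorf("feed %q or headline %d not available", alg.FeedURL, alg.HeadlineNo)
	}
	seed := feed[alg.FeedURL][alg.HeadlineNo]
	for _, t := range alg.Transforms {
		seed = t(seed)
	}
	mac := hmac.New(sha256.New, []byte(fmt.Sprintf("chips-epoch-%d", epoch)))
	mac.Write([]byte(seed))
	return mac.Sum(nil), nil
}

// gcmNonce maps a per-key message counter to the 12-byte GCM nonce; it must never repeat under one key.
func gcmNonce(counter uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], counter)
	return n
}

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a wrong key length; DeriveKey always gives 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal encrypts and authenticates; Open fails on a wrong key or any tampering, which is what
// lets the proxy drop traffic from an endpoint that is not on the same algorithm.
func Seal(key []byte, counter uint64, plaintext, aad []byte) []byte {
	return aeadFor(key).Seal(nil, gcmNonce(counter), plaintext, aad)
}
func Open(key []byte, counter uint64, ciphertext, aad []byte) ([]byte, error) {
	return aeadFor(key).Open(nil, gcmNonce(counter), ciphertext, aad)
}

var algA = Algorithm{"https://example.invalid/feed-a.xml", 1, []func(string) string{replaceVowels, insertLength}}
var algB = Algorithm{"https://example.invalid/feed-b.xml", 0, []func(string) string{insertLength, replaceVowels}}

// K4CDemo walks the K4C exchange: the broker (Hopr's role) mints a session key and hands it to each
// org under that org's own CHIPS-derived key, so org A and org B never exchange algorithms. It
// also shows the XTRA rule: a key from a different algorithm cannot open the traffic at all.
func K4CDemo(epoch uint64) (delivered string, crossOrgRejected bool, err error) {
	kA, err := DeriveKey(algA, feedSnapshot, epoch) // org A's side of algorithm A
	if err != nil {
		return "", false, err
	}
	kAb, _ := DeriveKey(algA, feedSnapshot, epoch) // broker's side: the same bytes, derived independently
	kB, _ := DeriveKey(algB, feedSnapshot, epoch)  // org B's channel to the broker, a different algorithm
	sid := []byte("session-42")
	sessionKey := sha256.Sum256([]byte("constructed; a real broker draws this from a CSPRNG"))
	forA := Seal(kAb, 1, sessionKey[:], sid) // broker -> org A
	forB := Seal(kB, 1, sessionKey[:], sid)  // broker -> org B
	_, rejectErr := Open(kB, 1, forA, sid)   // org B's key against org A's traffic: tag fails
	ksA, err := Open(kA, 1, forA, sid)
	if err != nil {
		return "", false, err
	}
	ksB, err := Open(kB, 1, forB, sid)
	if err != nil {
		return "", false, err
	}
	pt, err := Open(ksB, 1, Seal(ksA, 1, []byte("invoice 1001 approved"), sid), sid) // org A -> org B
	return string(pt), rejectErr != nil, err
}
func main() { fmt.Println(K4CDemo(1700000)) }
```

Two design points are worth noting. The key is only as secret as the choice of feed, headline, transformations and time window, which is why the page treats the CHIPS algorithm as internal and why K4C brokers across organizations rather than sharing it; and the epoch mix-in is the code-level form of the clock-synchronization requirement: an endpoint whose clock puts it in a different window derives a different key and is rejected exactly like an untrusted one.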
K4C can be easily integrated with existing security systems and protocols within an organization's infrastructure. Its compatibility with various deployment mechanisms and infrastructure requirements, including non-Kubernetes deployments, makes K4C a versatile solution for secure communication.
In summary, Kerberos For Cloud (K4C) is a cutting-edge security product that enhances the capabilities of XTRA by introducing a trusted third-party system for secure communication. With the innovative use of CHIPS technology, strong key management, MAID implementation, and compatibility with various infrastructures, K4C offers a robust solution to prevent unauthorized access and maintain the confidentiality of encrypted communication between organizations.