Zero-Trust Agent Identity

Security by Cryptographic Design

AI agents are software. Compromised agents can poison shared memory, impersonate other agents, and exfiltrate task context. AISP assumes every agent is potentially hostile until proven otherwise — via cryptography, not trust.

  • Ed25519 signatures
  • WireGuard transport
  • ZK identity proofs
  • Namespace ACLs
  • Replay prevention
Ed25519

Cryptographic Agent Credentials

Every AISP agent generates an Ed25519 keypair at registration. The public key becomes the agent's permanent identity. Private keys never leave the agent process — ever.

  • 64-byte signatures on every message
  • Delegatable: parent agent grants child agent a scoped keypair
  • Revocable: mesh revocation list checked on every message
  • 256-bit security level — quantum-resistant planning underway
agent-identity.sh (Ed25519)
# Generate agent credentials
aisp identity create --name "research-agent"

# Output:
# agent_id:  agent_3f8a9b2c...
# pubkey:    ed25519:3f8a9b2c...
# cert:      /etc/aisp/agent.cert

# Every outgoing message is auto-signed:
# sig = Ed25519.Sign(privkey,
#   SHA256(session_id + seq + payload))
zk-proof.txt (ZK Protocol)
# Agent proves: "I have WRITE permission
# to namespace global" — without revealing
# its full credential set.

# Prover (Agent):
commitment = Hash(secret_perm_set + nonce)
proof = ZKP.Prove(
  statement: "global.write in my_perms",
  witness: secret_perm_set
)

# Verifier (Mesh) checks the proof against the same
# public statement and the commitment:
valid = ZKP.Verify(
  statement: "global.write in my_perms",
  proof, commitment
)
# => true/false, no credential revealed
Proof-Gated

Prove Permissions Without Revealing Secrets

ZK proofs let an agent prove it holds permission X without revealing its full credential set. A compromised mesh node cannot extract agent permissions by intercepting messages.

Why this matters for AI safety

As AI agents become more capable, restricting what they can access becomes critical. ZK identity means you can grant an agent write access to exactly one memory namespace — and the agent cannot escalate to others, even if compromised.

Threat Model

Six attack vectors that AISP's cryptographic design explicitly defends against.

Rogue agent injection (Critical)

Ed25519 signatures on every message. Unsigned messages are dropped at the mesh boundary before delivery.

Replay attacks (High)

Monotonic sequence numbers per session. Messages with seq ≤ last_seen are rejected within a 30-second window.

Session fixation (High)

Session IDs are cryptographically random 32-byte values. No predictable patterns. New ID on every INIT.

Memory namespace escape (Medium)

Namespace ACLs enforced at the NATS subject level. Cross-namespace reads require explicit grant tokens.

Credential theft (Critical)

Private keys never leave the agent process. Only signed messages travel over the wire. ZK proofs reveal no key material.

Man-in-the-middle (Critical)

WireGuard mesh provides mutual authentication + encryption for all transport. No plaintext paths exist.
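The signing rule from agent-identity.sh (sig over SHA256(session_id + seq + payload)) and the replay and session-fixation defences above, worked through as an added Go example that is not AISP's own code: a sender signs with Ed25519, and a receiver drops invalid signatures, then rejects any seq ≤ last_seen for that sender key. The 8-byte big-endian encoding of seq and the per-sender last_seen map are assumptions; the 30-second window is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// msgDigest mirrors the page's SHA256(session_id + seq + payload); the fixed
// 8-byte big-endian encoding of seq is an assumption, the page does not fix one.
func msgDigest(sessionID []byte, seq uint64, payload []byte) []byte {
	h := sha256.New()
	h.Write(sessionID)
	_ = binary.Write(h, binary.BigEndian, seq)
	h.Write(payload)
	return h.Sum(nil)
}

// Sign returns the 64-byte Ed25519 signature binding session, seq and payload.
func Sign(priv ed25519.PrivateKey, sessionID []byte, seq uint64, payload []byte) []byte {
	return ed25519.Sign(priv, msgDigest(sessionID, seq, payload))
}

// Session: receiver state, a random 32-byte ID (new per INIT) and last_seen per sender key.
type Session struct {
	ID       []byte
	lastSeen map[string]uint64
}

func NewSession() *Session {
	id := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		panic(err)
	}
	return &Session{ID: id, lastSeen: map[string]uint64{}}
}

// Accept verifies the signature first (forgeries never touch state), then rejects seq <= last_seen.
func (s *Session) Accept(pub ed25519.PublicKey, seq uint64, payload, sig []byte) error {
	if !ed25519.Verify(pub, msgDigest(s.ID, seq, payload), sig) {
		return errors.New("dropped: invalid signature")
	}
	if last, ok := s.lastSeen[string(pub)]; ok && seq <= last {
		return errors.New("rejected: replay, seq <= last_seen")
	}
	s.lastSeen[string(pub)] = seq
	return nil
}
```

Because the session ID is part of the digest, a message captured in one session fails signature verification in any other session, which is what makes a fresh random ID per INIT matter.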

Memory Access Control

Namespace isolation enforced at NATS subject level. No cross-namespace access without an explicit grant.

default: Owner read/write only

Private to the owning agent. Other agents cannot even observe this namespace exists.

task:<id>: Task participants only

ACL list set at task creation. New agents can be added by the task coordinator only.

global: Explicit ACL grant required

Mesh admin must grant write access. Read access requires a separate grant. All access is logged.

Build Safe Multi-Agent Systems

Security primitives are built into the protocol. You don't bolt them on later.