Multi Root Trustless Access Protocol (MrZAP) - A Model for Zero Trust Security

BastionZero is built on a zero-trust cryptographic protocol for secure remote access. It ensures that the BastionZero platform never becomes a single point of compromise, and it runs transparently: you and your users won't notice it's there.


The BastionZero token

Every access to an infrastructure target is controlled by a BastionZero OpenPubKey Token. This is an OIDC token extended with signatures from two independent roots of trust: your Single Sign-On provider (SSO) and BastionZero's cloud service. A target grants access only after it cryptographically validates the token against both roots of trust, so a token that carries only one valid signature is refused. This way, neither BastionZero's cloud service nor your SSO becomes a single point of compromise for your infrastructure.

The user's key

Our protocol is completely transparent to the user: it looks just like SSO + MFA. But under the hood, each time a user (Alice) logs into BastionZero, her client generates a fresh key pair and stores the private key locally on her machine. Her public key is then certified (in the BastionZero OpenPubKey token) by the two roots of trust: the BastionZero cloud service and the SSO. Alice uses the private key to sign every message she sends. Because that key never leaves her machine, our cloud service cannot sign on her behalf: it has no privileged access to your infrastructure targets and cannot tamper with your users' connections.

The authenticated channel

Our cloud service never has privileged access to your targets. Every message in the MrZAP protocol includes the hash of the previous message and the signature of the dispatching party, and the target checks that signature against the key certified in the token. This prevents the cloud service from altering messages, reordering them, or injecting its own commands into the user's connection: any such change breaks the hash chain or fails signature verification, and the target rejects it.
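The two checks described above (a token that must carry both roots' signatures, and a hash-chained channel signed with the user's per-login key) can be modelled in a few dozen lines of Go. The following is an added illustration, not BastionZero's own code or the real OpenPubKey token format: the Token and Message layouts, the JSON payload, and the use of Ed25519 and SHA-256 are this example's assumptions. The main function plays the role of a compromised cloud service that forges a token, rewrites a command, injects its own command, and drops a message, and shows that the target refuses each one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Keygen: one fresh Ed25519 pair, used for each root and for Alice's per-login key.
func Keygen() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Token binds Alice's fresh public key to her identity and carries one signature
// from each root. This layout is the example's own assumption, not OpenPubKey's.
type Token struct {
	User     string
	UserKey  ed25519.PublicKey
	SSOSig   []byte
	CloudSig []byte
}

func (t Token) payload() []byte {
	p, _ := json.Marshal(struct {
		User string
		Key  []byte
	}{t.User, t.UserKey})
	return p
}

// IssueToken is the login step: both roots sign the same (user, key) binding.
func IssueToken(user string, userKey ed25519.PublicKey, sso, cloud ed25519.PrivateKey) Token {
	t := Token{User: user, UserKey: userKey}
	t.SSOSig = ed25519.Sign(sso, t.payload())
	t.CloudSig = ed25519.Sign(cloud, t.payload())
	return t
}

// VerifyToken is the target-side check: without a valid signature from BOTH
// roots the token is refused, so neither root alone can grant access.
func VerifyToken(t Token, ssoPub, cloudPub ed25519.PublicKey) error {
	if !ed25519.Verify(ssoPub, t.payload(), t.SSOSig) {
		return fmt.Errorf("token not certified by the SSO")
	}
	if !ed25519.Verify(cloudPub, t.payload(), t.CloudSig) {
		return fmt.Errorf("token not certified by the BastionZero cloud service")
	}
	return nil
}

// Message is one step of the channel: it commits to the hash of the previous
// message and is signed by the party that dispatched it.
type Message struct {
	PrevHash []byte
	Payload  string
	Sig      []byte
}

// signedBytes is what the signature covers: the chain link plus the payload.
func (m Message) signedBytes() []byte { return append(append([]byte{}, m.PrevHash...), m.Payload...) }

// Hash also covers the signature, so the next link commits to who sent this one.
func (m Message) Hash() []byte {
	h := sha256.Sum256(append(m.signedBytes(), m.Sig...))
	return h[:]
}

func NewMessage(prev []byte, payload string, signer ed25519.PrivateKey) Message {
	m := Message{PrevHash: prev, Payload: payload}
	m.Sig = ed25519.Sign(signer, m.signedBytes())
	return m
}

// VerifyChain replays msgs as the target would, trusting only the key certified in
// the token. tip is the hash of the last accepted message (nil on a new connection).
func VerifyChain(msgs []Message, userKey ed25519.PublicKey, tip []byte) error {
	for i, m := range msgs {
		if !bytes.Equal(m.PrevHash, tip) {
			return fmt.Errorf("message %d: hash chain broken", i)
		}
		if !ed25519.Verify(userKey, m.signedBytes(), m.Sig) {
			return fmt.Errorf("message %d: not signed by the certified user key", i)
		}
		tip = m.Hash()
	}
	return nil
}

func main() {
	ssoPub, ssoPriv := Keygen()
	cloudPub, cloudPriv := Keygen()
	userPub, userPriv := Keygen()
	fmt.Println("honest token:", VerifyToken(IssueToken("alice", userPub, ssoPriv, cloudPriv), ssoPub, cloudPub))
	// A compromised cloud service can forge only its own signature, never the SSO's.
	fmt.Println("cloud-only token:", VerifyToken(IssueToken("alice", userPub, cloudPriv, cloudPriv), ssoPub, cloudPub))
	m1 := NewMessage(nil, "ls", userPriv)
	m2 := NewMessage(m1.Hash(), "cat /etc/hostname", userPriv)
	fmt.Println("honest chain:", VerifyChain([]Message{m1, m2}, userPub, nil))
	altered := Message{PrevHash: m2.PrevHash, Payload: "cat /etc/shadow", Sig: m2.Sig} // rewritten in transit
	fmt.Println("altered:", VerifyChain([]Message{m1, altered}, userPub, nil))
	injected := NewMessage(m1.Hash(), "id", cloudPriv) // the cloud injects its own command
	fmt.Println("injected:", VerifyChain([]Message{m1, injected}, userPub, nil))
	fmt.Println("m1 dropped:", VerifyChain([]Message{m2}, userPub, nil))
}
```

Note what the dropped-message case shows: the cloud service can still deny service by discarding a message, but the target notices the gap because the next message's PrevHash no longer matches the last hash it accepted, so it aborts rather than silently continuing. That matches the FAQ below, where a compromised cloud service can drop messages but not execute commands.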

Frequently asked questions

What if BastionZero is compromised?

If BastionZero's cloud service is compromised, the adversary's options are limited. The adversary can drop messages as they traverse the cloud service, but cannot execute commands or access the target. This follows because the attacker does not hold a valid user account with your Identity Provider (SSO), and does not hold the user's locally stored signing key. The targets validate each access against the SSO; if the SSO has not validated the access, the target will not accept the connection.

What if the user’s SSO is compromised?

Targets are still secure as long as the user's independent MFA with the BastionZero cloud service is not compromised: the SSO signature alone does not produce a token the target will accept.

What if BastionZero and the user’s SSO are both compromised?

An adversary can compromise the system only if the BastionZero cloud service is compromised together with a valid user account at your SSO. This scenario is improbable because it requires the attacker to compromise multiple independent systems: BastionZero's cloud service AND the SSO. This increase in attack complexity is the intended consequence of the MrZAP protocol, which uses multiple roots of trust to eliminate single points of compromise.

Who designed and built your zero trust access protocol?

We did. Our team includes multiple PhD cryptographers who have collectively authored over 30 peer-reviewed papers in security and cryptography. You can learn more about our protocol by reading about OpenPubKey or visiting our open-source repositories!

Resources