Hopr named in the 2023 Gartner® Emerging Tech: Security - The Future of Cyber Is AMTD report

We Turn Credentials Into Moving Targets

Our Automated Moving Target Defense solutions prevent attacks


Automated high frequency rotation (hopping) of workload credentials at the speed and scale of the cloud

Six Steps in our High Frequency Rotation of Workload Credentials

1. Establish identity trust
Initial trust of workload identities occurs at initial registration and deployment of a Hopr “sidecar” with the host workload.
2. Use CHIPS™ Technology
CHIPS enables trusted workloads to build identical symmetric keys and hardened tunnels without a key exchange.
3. Automate Secrets
Automatically build identical secrets at two workloads each time they begin a session. The secrets vanish when the session closes.
4. Encrypt data-in-transit
Secrets remain within their sidecars and encrypt-decrypt message traffic. Only trusted messages reach a workload.
5. Verify workload trust
Workload identity credentials are verified at each session, and message decryption also verifies a trusted sender identity.
6. Track Workload History
Workload identity credentials rotate frequently based on their history of communication sessions with other workloads.

Experts Agree

"Hopr appears to be very powerful"

Global IAM Research Analyst

"This is awesome"

DevOps Engineer

"There is nothing like this in the entire world"

CISO, Global Data Services Provider

"This is very clever. Just what industry needs."

VP Healthcare Analyst, Global IT Research Firm

Features of Hopr's Codes Hidden In Plain Sight (CHIPS™) Technology

Verifiable workload identities
CHIPS verifies workload identities before the start of each communication session with another workload.
End-to-end encryption
CHIPS builds hardened tunnels on demand between two workloads operating in any cloud.
Automated rotation
CHIPS automates the high frequency rotation of workload identity and secret credentials in real time and in all clouds.
Workload independence
CHIPS increases workload portability and reduces the dependence on cloud services such as IAM and secrets management.
PKI-free and future-proof
CHIPS does not rely on PKI. This reduces the chance of unexpected service interruption and is quantum resistant.
DevOps-friendly deployment
CHIPS is packaged as a “sidecar” container image and deployed with host workloads using a familiar YAML file.

Click on the image below to watch a 1:31 (min:sec) video
explaining how CHIPS works


Simple deployment via sidecars

Sidecars are a common software design pattern. Ours includes tens of thousands of CHIPS algorithms securely stored within a lightweight container image that is easily deployed with workloads by DevOps engineers during production.
01
Register with Hopr

Company registration with Hopr enables privileged DevOps engineers to receive access to Hopr’s container repository.

Onboarding, training, and technical support of DevOps can be easily completed in a few days to achieve fast time-to-value.

02
Edit a YAML file

DevOps are provided a YAML file template and instructions. They edit a handful of configuration values.

One of these is the selection of a specific CHIPS algorithm to communicate securely with other trusted workloads. Multiple algorithm configurations allow micro-segmentation of workloads into groups.

03
Deploy sidecar and workload

When production runs, the sidecar is pulled from Hopr’s container repository and configured to operate with its host workload. It deploys into the same pod as its host workload and manages all traffic to/from the host workload.

04
Operate with confidence

Sidecars operate autonomously with each host workload. They encrypt and route egress traffic to intended endpoints. And they listen for ingress messages and decrypt them before routing the data to the host workload.

All traffic from untrusted sources fails decryption and is logged and dropped before it reaches an endpoint.

Watch a recorded demonstration

Click the image to watch a 3:13 (min:sec) recorded demo of Hopr's CHIPS technology protecting data exchanged between a client and a server API with end-to-end encryption (a hardened tunnel).

AMTD Advantages

No key exchange occurs
Symmetric keys remain within sidecars where they are built. They are never exposed in a key exchange.
No secrets storage needed
Symmetric keys auto-destruct (vanish) at the close of each communication session and are replaced at the next session.
Attack Prevention
End-to-end encryption ensures data confidentiality and integrity, blocks untrusted traffic from reaching endpoints, and prevents MITM attacks.
Verified trust
Workload trust is verified at each session by confirming two rotating workload credentials: the identity and secret.
Reduced service interruptions
Sidecars are “PKI-free” and operate without expiration within a customer’s infrastructure, reducing the risk of service interruption.
Works across all cloud environments
Works with any containerized workloads without any dependency on cloud vendor services such as IAM and gateways.

Learn how Hopr's AMTD is Zero Trust security

Threat actors operate inside enterprise networks and roam unsecured transport. Security specialists favor an Automated Moving Target Defense for its effectiveness in stopping attacks. Hopr applies a new form of AMTD to achieve true zero trust security.

Technical FAQ

What synchronizes key generation to ensure identical secrets are produced?

The key generators in each sidecar self-synchronize "on demand" at the start of a session.

The sidecar initiating a session with another workload initiates secrets generation through Hopr’s CHIPS protocol, and the responding sidecar generates its secret microseconds later.

What happens when the identical sidecars do not build identical secrets?

Without a correct secret, decryption of a received message will fail. This could happen on rare occasions due to the transitioning of some dynamic elements used in the CHIPS algorithm.

The failure response is to re-attempt the secret generation (sending a second message with a newly generated secret).

Isn’t CHIPS just another form of time-based one-time passwords (TOTP)?

No. There may be similarities, but CHIPS does not use time as an input value in secrets generation.

Also, the CHIPS secret is ephemeral rather than “one-time.” Because it is ephemeral, another workload can generate the same secret within a short period of time. TOTP cannot do this.

At what layer of the network stack does the end-to-end encryption occur?

Sidecars can be configured for end-to-end encryption at either layer 4 or layer 7 of the ISO network stack. Layer 4 supports network load balancers (NLB) and layer 7 supports application load balancers (ALB).

How much overhead does CHIPS add to the operation of Client-Server API calls?

The overhead added by CHIPS occurs only at the start of a session. CHIPS adds 2 messages to the overall message count for each workload.

If two workloads were to interact in a session of 100 API calls and responses, then the additional overhead for the security provided by CHIPS would be 4%.

How much friction occurs with the adoption of Hopr's solution?

Very little friction occurs. No changes to existing applications or APIs are required.

Hopr’s solutions are implemented in the CI/CD pipeline at runtime. The DevOps work is setting a few configuration values and adding a sidecar image file to the container build process.

How does CHIPS encryption differ from mTLS?

End-to-end encryption with CHIPS terminates at workload endpoints whereas mTLS typically terminates at a server boundary.

CHIPS protects messages over the entire route between two workloads regardless of their location. mTLS may terminate before reaching an endpoint.

CHIPS produces verifiable trust in a workload identity; mTLS provides message encryption only.

CHIPS does not rely on PKI certificates or create additional cryptographic material. mTLS relies on PKI and key storage.

CHIPS is simpler to configure and operate and is not vulnerable to credential expiration and service interruption like mTLS.

Does the CHIPS algorithm provide enough dynamism in the seed for the key?

There is a significant amount of dynamism (variability) in the seed elements used in CHIPS algorithms. It begins with a vast number of URLs where dynamic information can be found, and increases with the many possible locations at a URL.

It increases further because algorithms have many possible structures to alter or modify the dynamic elements. This includes nearly two-dozen variables, each of which has many possible values.

Is the encryption used by CHIPS quantum safe?

CHIPS can use a FIPS 140-2 and -3 cryptographic library. The encryption is AES256 and is quantum resistant. Also, with high frequency rotation, an additional degree of quantum resistance is provided by the short lifetime of symmetric keys, making it more robust and closer to a quantum safe outcome.

How many CHIPS algorithms are there?

The "CHIPS algorithm" is highly variable and unique algorithms can number in the hundreds of thousands. The sidecars contain over 25,000 algorithms (Jan 2023) and more are added as they are developed.


Try Our Tech

Apply to participate in our free beta program. Experience the simple effectiveness of CHIPS technology with your own workloads and data.

Onboarding is fast, and we provide bespoke, self-paced support.
Gartner, Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense, Lawrence Pingree, Carl Manion, et al., 28 February 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.