Our Automated Moving Target Defense solutions prevent attacks
Automated high frequency rotation (hopping) of workload credentials at the speed and scale of the cloud
Company registration with Hopr enables privileged DevOps engineers to receive access to Hopr’s container repository.
Onboarding, training, and technical support of DevOps can be easily completed in a few days to achieve fast time-to-value.
DevOps are provided a YAML file template and instructions. They edit a handful of configuration values.
One of these is the selection of a specific CHIPS algorithm used to communicate securely with other trusted workloads. Multiple algorithm configurations allow micro-segmentation of workloads into groups.
When production runs, the sidecar is pulled from Hopr’s container repository and configured to operate with its host workload. It deploys into the same pod as its host workload and manages all traffic to/from the host workload.
Sidecars operate autonomously with each host workload. They encrypt and route egress traffic to intended endpoints. And they listen for ingress messages and decrypt them before routing the data to the host workload.
All traffic from untrusted sources fails decryption and is logged and dropped before it reaches an endpoint.
The key generators in each sidecar self-synchronize "on demand" at the start of a session.
The sidecar initiating a session with another workload initiates secrets generation through Hopr’s CHIPS protocol and the responding sidecar generates its secret micro-seconds later.
Without a correct secret, decryption of a received message will fail. This can happen on rare occasions because some of the dynamic elements used in the CHIPS algorithm transition between the two sidecars' derivations.
The failure response is to re-attempt the secret generation (sending a second message with a newly generated secret).
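The sidecar flow described above (egress encryption, ingress decrypt-or-drop with logging, on-demand secret derivation, and the single re-attempt after a failed first message) as an added, self-contained Go example. It is not Hopr's code: the CHIPS algorithms are proprietary and not shown on this page, so `deriveSecret` is an assumed stand-in that feeds the configured algorithm selector and each side's snapshot of a shared dynamic element into HMAC-SHA256; the element names "epoch-A"/"epoch-B", the algorithm IDs "algo-17"/"algo-99" and the request text are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"log"
	"os"
)

// dropLog receives one line per dropped ingress message (the "logged" in "logged and dropped").
var dropLog = log.New(os.Stderr, "sidecar ingress: ", log.LstdFlags)

// ErrDropped is returned for every ingress message that fails authenticated decryption.
var ErrDropped = errors.New("message failed decryption; logged and dropped")

// deriveSecret is an ASSUMED stand-in for CHIPS secret generation (proprietary, not on the page).
// Both sidecars feed the configured algorithm selector plus their own snapshot of a shared
// dynamic element into HMAC-SHA256 and obtain the same 32-byte AES-256 key without sending it.
// If the snapshots differ (the element transitioned in between), the keys differ.
func deriveSecret(algorithmID string, dynamicElement []byte) []byte {
	mac := hmac.New(sha256.New, []byte(algorithmID))
	mac.Write(dynamicElement)
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal is the egress path: AES-256-GCM with a fresh random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// ingress is the receiving sidecar: it decrypts with the secret it derived itself. GCM is
// authenticated, so a message sealed under any other key (untrusted source, or a stale
// dynamic element) is logged and dropped before anything reaches the host workload.
func ingress(key, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		dropLog.Printf("drop: %d-byte message shorter than nonce", len(msg))
		return nil, ErrDropped
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		dropLog.Printf("drop: authentication failed on %d-byte message", len(msg))
		return nil, ErrDropped
	}
	return pt, nil
}

// startSession models the initiator's start-of-session exchange with the single re-attempt the
// text describes. initiatorElem/responderElem return each side's snapshot of the dynamic
// element for a given attempt. Returns the plaintext delivered to the responder's host and
// the number of attempts used.
func startSession(algorithmID string, plaintext []byte,
	initiatorElem, responderElem func(attempt int) []byte) ([]byte, int, error) {
	var lastErr error
	for attempt := 1; attempt <= 2; attempt++ {
		msg, err := seal(deriveSecret(algorithmID, initiatorElem(attempt)), plaintext)
		if err != nil {
			return nil, attempt, err
		}
		pt, err := ingress(deriveSecret(algorithmID, responderElem(attempt)), msg)
		if err == nil {
			return pt, attempt, nil
		}
		lastErr = err // first message failed: re-attempt with a newly generated secret
	}
	return nil, 2, lastErr
}

func main() {
	// Constructed scenario: the element moves from "epoch-A" to "epoch-B" just after the
	// initiator derives its first secret, so attempt 1 fails and attempt 2 succeeds.
	initiator := func(attempt int) []byte {
		if attempt == 1 {
			return []byte("epoch-A")
		}
		return []byte("epoch-B")
	}
	responder := func(int) []byte { return []byte("epoch-B") }
	pt, attempts, err := startSession("algo-17", []byte("GET /orders/42"), initiator, responder)
	fmt.Printf("delivered=%q attempts=%d err=%v\n", pt, attempts, err)

	// A sender on a different algorithm configuration (a different segment) never decrypts.
	msg, _ := seal(deriveSecret("algo-99", []byte("epoch-B")), []byte("forged"))
	_, err = ingress(deriveSecret("algo-17", []byte("epoch-B")), msg)
	fmt.Println("untrusted source:", err)
}
```

The point a reviewer would check is the fail-closed shape: `ingress` never hands partially decrypted bytes to the host, every drop produces a log line, and the retry is bounded to one extra message so a persistent mismatch surfaces as an error rather than a loop.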
No. There may be similarities with TOTP, but CHIPS does not use time as an input value in secrets generation.
Also, the CHIPS secret is ephemeral rather than “one-time.” Because it is ephemeral, another workload can generate the same secret within a short period of time. TOTP cannot do this.
Sidecars can be configured for end-to-end encryption at either layer 4 or layer 7 of the ISO network stack. Layer 4 supports network load balancers (NLB) and layer 7 supports application load balancers (ALB).
The overhead added by CHIPS occurs only at the start of a session. CHIPS adds 2 messages to the overall message count for each workload.
If two workloads were to interact in a session of 100 API calls and responses, then the additional overhead for the security provided by CHIPS would be 4%.
Very little friction occurs. No changes to existing applications or APIs are required.
Hopr’s solutions are implemented in the CI/CD pipeline at runtime. The DevOps work is setting a few configuration values and adding a sidecar image file to the container build process.
End-to-end encryption with CHIPS terminates at workload endpoints whereas mTLS typically terminates at a server boundary.
CHIPS protects messages over the entire route between two workloads regardless of their location. mTLS may terminate before reaching an endpoint.
CHIPS produces verifiable trust in a workload identity; mTLS provides message encryption only.
CHIPS does not rely on PKI certificates or create additional cryptographic material. mTLS relies on PKI and key storage.
CHIPS is simpler to configure and operate, and it is not vulnerable to credential expiration and service interruption like mTLS.
There is a significant amount of dynamism (variability) in the seed elements used in CHIPS algorithms. It begins with a vast number of URLs where dynamic information can be found, and increases with the many possible locations at a URL.
It increases further because algorithms have many possible structures to alter or modify the dynamic elements. This includes nearly two-dozen variables, each of which has many possible values.
CHIPS can use a FIPS 140-2 and -3 cryptographic library. The encryption is AES256 and is quantum resistant. Also, with high frequency rotation, an additional degree of quantum resistance is provided by the short lifetime of symmetric keys, making it more robust and closer to a quantum safe outcome.
The "CHIPS algorithm" is highly variable and unique algorithms can number in the hundreds-of-thousands. The sidecars contain over 25,000 algorithms (Jan 2023) and more are added as they are developed.