Skip to content

Truth Security Protocol

The cryptographic bridge between your data and AI. Named pipes on Windows, domain sockets on Linux. No network. No HTTP. No TLS certificate chain you didn't create.

Why Not Just Use MCP?

MCP (Model Context Protocol) is open and useful for tool integration. But it has no built-in encryption, no mutual authentication, and no kill switch. TSP adds the security layer that AI-to-data communication requires.

The Handshake

Mutual HMAC authentication with domain separation

1

Vault Unlocked

Argon2id derives a pipe key from the user's passphrase. Separate domain from the database encryption key β€” domain separation by design.

2

Pipe Discovery

Bridge discovers the pipe key file and opens a named pipe (Windows) or domain socket (Linux).

3

ServerHello

Server sends a server_nonce (32 random bytes).

4

ClientAuth

Client sends client_nonce + HMAC-SHA256 proof: "TSP-CLIENT-AUTH" || server_nonce || client_nonce

5

ServerAuth

Server responds with HMAC-SHA256 proof with reversed nonce order: "TSP-SERVER-AUTH" || client_nonce || server_nonce β€” domain separation prevents reflection attacks.

6

Session Key Derivation

Both sides independently derive:

session_key = HKDF-SHA256(pipe_key, server_nonce || client_nonce, "TSP-SESSION-v1")

Post-Handshake: Encrypted Frames

Every message is AES-256-GCM encrypted with replay protection

Frame Format

TSP\x01 seq (u64) len (u32) AES-256-GCM ciphertext tag (16B)

Nonce Derivation

Nonces are never transmitted. Derived from session prefix + direction byte + monotonic sequence number. No nonce reuse possible.

Replay Protection

Any frame with seq <= last_seen is rejected. Monotonic sequence numbers prevent replay attacks.

Authenticated Data

AAD: frame header is authenticated but not encrypted. Tampering with any header field invalidates the GCM tag.

Plaintext Format

Decrypted payload is JSON-RPC 2.0. Standard, parseable, debuggable β€” but only if you have the session key.

The Kill Switch

Vault locked = pipe key file deleted = no TSP session = Bridge has zero context = AI is blind.

The user's passphrase is literally the root of the entire trust chain. One action β€” locking the vault β€” cryptographically severs all AI access. Not restricted. Not rate-limited. Impossible.

Protocol Summary

βœ“ Authentication: Mutual HMAC-SHA256 with domain-separated labels
βœ“ Encryption: AES-256-GCM per frame
βœ“ Key Derivation: HKDF-SHA256 from Argon2id-derived pipe key
βœ“ Transport: Named pipes (Win) / Domain sockets (Linux) β€” no network
βœ“ Replay Protection: Monotonic sequence numbers, reject seq <= last_seen
βœ“ Nonces: Derived, never transmitted
βœ“ Kill Switch: Lock vault β†’ pipe key deleted β†’ AI access cryptographically severed

Interested in the details?

We're looking for security researchers and experienced developers to evaluate TVN's architecture.

Join the Waitlist

v0.11.0 Alpha Β· Current as of March 2026