Mitigation ID: SAFE-M-2
Category: Cryptographic Control
Effectiveness: High
Implementation Complexity: Medium
First Published: 2025-01-03
Cryptographic Integrity ensures that MCP tool descriptions cannot be tampered with by implementing digital signatures and hash verification. Tool descriptions are signed by trusted authorities, and clients verify these signatures before loading any tool, preventing unauthorized modifications at any point in the supply chain.
Mitigates the following SAFE-MCP techniques:

- SAFE-T1001: Tool Poisoning Attack (TPA)
- SAFE-T1002: Supply Chain Compromise
- SAFE-T1003: Malicious MCP-Server Distribution
Signing and verification flow:

```
Tool Developer            Certificate Authority            Tool Registry
      │                             │                             │
      ├─1. Create tool description  │                             │
      │                             │                             │
      ├─2. Request signing cert────►│                             │
      │                             │                             │
      │◄─3. Issue certificate───────┤                             │
      │                             │                             │
      ├─4. Sign tool description─────────────────────────────────►│
      │   (description + signature)                               │
      │                                                           │
      │                                                        Client
      │                                                           │
      │                           5. Download tool ◄──────────────┤
      │                           6. Verify signature             │
      │                           7. Load if valid                ┘
```
Key management requirements:

- Use X.509 certificates or similar PKI
- Implement certificate revocation lists (CRL)
- Support key rotation procedures
Signed tool description format (JSON; the `inputSchema` body is elided):

```json
{
  "tool": {
    "name": "file_reader",
    "description": "Reads files from the filesystem",
    "version": "1.0.0",
    "inputSchema": { ... }
  },
  "signature": {
    "algorithm": "RS256",
    "keyId": "dev-key-2025-01",
    "signature": "base64-encoded-signature",
    "timestamp": "2025-01-03T10:00:00Z"
  }
}
```

Client-side verification logic (Python):

```python
class SecurityError(Exception):
    """Raised when a tool description fails signature verification."""


# The envelope's "algorithm" field is untrusted input: check it against an
# allow-list instead of using it as-is, so it cannot select "none" or a
# weaker scheme (signature downgrade).
ALLOWED_ALGORITHMS = {"RS256"}


def verify_tool_description(tool_data):
    """Verify a signed tool envelope; return the tool object or raise.

    verify_timestamp, get_trusted_key, canonicalize_json and
    verify_signature are supplied by the client's crypto layer.
    """
    # Extract components
    tool_content = tool_data['tool']
    signature_data = tool_data['signature']

    # Reject unsupported or downgraded algorithms before anything else
    if signature_data['algorithm'] not in ALLOWED_ALGORITHMS:
        raise SecurityError("Unsupported signature algorithm")

    # Verify timestamp is recent
    if not verify_timestamp(signature_data['timestamp']):
        raise SecurityError("Signature timestamp expired")

    # Get public key for keyId; only keys in the trusted store are usable
    public_key = get_trusted_key(signature_data['keyId'])
    if not public_key:
        raise SecurityError("Unknown signing key")

    # Verify signature over the canonical encoding of the tool object
    canonical_content = canonicalize_json(tool_content)
    if not verify_signature(
        canonical_content,
        signature_data['signature'],
        public_key,
        signature_data['algorithm']
    ):
        raise SecurityError("Invalid signature")

    return tool_content
```

Implementation steps:

- Deploy Certificate Authority (CA) or use existing PKI
- Create key management procedures
- Set up secure key storage (HSM recommended)
- Implement signing tools for developers
- Create CI/CD integration for automated signing
- Establish code review before signing
- Update MCP clients to require signatures
- Implement signature verification
- Add signature status to UI
- Log all signature verifications
- Alert on verification failures
- Track certificate usage
Do:

- Use hardware security modules (HSM) for private keys
- Implement certificate pinning for critical tools
- Verify the entire tool schema, not just the description
- Include version information in the signed content
- Use timestamp servers to prove signing time

Don't:

- Store private keys in version control
- Use self-signed certificates in production
- Skip timestamp verification
- Allow signature downgrade attacks
- Trust expired certificates
Security testing:

- Tamper Detection: Modify signed content and verify it is rejected
- Replay Prevention: Attempt to reuse old signatures
- Key Compromise: Test certificate revocation
- Downgrade Attacks: Try to bypass signature requirements

Operational testing:

- Performance: Measure signature verification overhead
- Availability: Test behavior when the CA is unreachable
- Compatibility: Ensure backward compatibility
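The following is an added, runnable example (not code from the SAFE-MCP project) that implements the verification flow described above end to end: it builds the signed envelope format shown earlier, canonicalizes the tool object, verifies the RS256 signature (PKCS#1 v1.5 with SHA-256) with the `cryptography` package, enforces an algorithm allow-list and a timestamp window, and then exercises the tamper-detection, replay, downgrade and unknown-key cases from the security testing list. The key pair, the key ID `dev-key-2025-01`, the 365-day maximum signature age and the sample tool are constructed for this example.

```python
# Added example: RS256 envelope signing and verification for MCP tool
# descriptions. Needs the `cryptography` package; key, key ID, sample tool
# and age limit are constructed for illustration.
import base64
import json
from datetime import datetime, timedelta, timezone

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


class SecurityError(Exception):
    """Raised when a tool description fails verification."""


ALLOWED_ALGORITHMS = {"RS256"}           # envelope field is checked, not trusted
MAX_SIGNATURE_AGE = timedelta(days=365)  # assumed policy value
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed trusted-key store (keyId -> PEM); a real client builds this from
# CA-issued certificates and checks the CRL before trusting a key.
_dev_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
TRUSTED_KEYS = {"dev-key-2025-01": _dev_key.public_key().public_bytes(
    serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)}


def canonicalize_json(obj):
    """Deterministic bytes so signer and verifier hash the same input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_tool(tool, private_key, key_id, signed_at=None):
    """Build the {"tool", "signature"} envelope shown on the page."""
    timestamp = (signed_at or datetime.now(timezone.utc)).strftime(TIME_FMT)
    # The timestamp is part of the signed bytes, so it cannot be edited freely.
    payload = canonicalize_json({"tool": tool, "timestamp": timestamp})
    sig = private_key.sign(payload, padding.PKCS1v15(), hashes.SHA256())
    return {"tool": tool, "signature": {
        "algorithm": "RS256", "keyId": key_id, "timestamp": timestamp,
        "signature": base64.b64encode(sig).decode("ascii")}}


def verify_tool_description(tool_data, now=None):
    """Return the tool object if the envelope verifies, else raise SecurityError."""
    now = now or datetime.now(timezone.utc)
    sig = tool_data.get("signature")
    if not sig:
        raise SecurityError("Unsigned tool description")
    # 1. Algorithm allow-list blocks "none"/HMAC-style downgrade attempts.
    if sig.get("algorithm") not in ALLOWED_ALGORITHMS:
        raise SecurityError("Unsupported signature algorithm")
    # 2. Freshness: reject stale signatures and ones dated in the future.
    signed_at = datetime.strptime(sig["timestamp"], TIME_FMT).replace(tzinfo=timezone.utc)
    if signed_at > now + timedelta(minutes=5) or now - signed_at > MAX_SIGNATURE_AGE:
        raise SecurityError("Signature timestamp expired")
    # 3. Key lookup: only keys in the trusted store may verify anything.
    pem = TRUSTED_KEYS.get(sig.get("keyId"))
    if pem is None:
        raise SecurityError("Unknown signing key")
    # 4. Recompute canonical bytes and verify RS256 (PKCS#1 v1.5 + SHA-256).
    payload = canonicalize_json({"tool": tool_data["tool"], "timestamp": sig["timestamp"]})
    try:
        serialization.load_pem_public_key(pem).verify(
            base64.b64decode(sig["signature"]), payload,
            padding.PKCS1v15(), hashes.SHA256())
    except (InvalidSignature, ValueError):
        raise SecurityError("Invalid signature")
    return tool_data["tool"]


def run_checks():
    """Exercise the tamper/replay/downgrade/unknown-key cases; returns {case: bool}."""
    tool = {"name": "file_reader", "description": "Reads files from the filesystem",
            "version": "1.0.0", "inputSchema": {"type": "object"}}
    good = sign_tool(tool, _dev_key, "dev-key-2025-01")
    stale = sign_tool(tool, _dev_key, "dev-key-2025-01",
                      signed_at=datetime(2023, 1, 1, tzinfo=timezone.utc))

    def rejected(envelope):
        try:
            verify_tool_description(envelope)
            return False
        except SecurityError:
            return True

    tampered, downgraded, unknown = (json.loads(json.dumps(good)) for _ in range(3))
    tampered["tool"]["description"] += " (modified)"   # any byte change breaks the signature
    downgraded["signature"]["algorithm"] = "none"      # attempted algorithm downgrade
    unknown["signature"]["keyId"] = "rotated-out-key"  # not in the trusted store
    return {"valid_accepted": verify_tool_description(good)["name"] == "file_reader",
            "tamper_rejected": rejected(tampered),
            "replay_rejected": rejected(stale),
            "downgrade_rejected": rejected(downgraded),
            "unknown_key_rejected": rejected(unknown)}


if __name__ == "__main__":
    print(run_checks())
```

Two design points worth noting: the timestamp is included in the signed bytes, so an attacker cannot refresh an old envelope by editing the `timestamp` field, and the verifier selects the algorithm from its own allow-list rather than from the envelope, which is what closes the downgrade path the Don't list warns about.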
References:

- NIST SP 800-57: Recommendation for Key Management
- NIST SP 800-204D: Software Supply Chain Security in DevSecOps
- in-toto: Framework for Supply Chain Integrity
- DSSE: Dead Simple Signing Envelope
- PASETO: Platform-Agnostic Security Tokens
- RFC 9052: CBOR Object Signing and Encryption (COSE)
- RFC 5652: Cryptographic Message Syntax (CMS)
- RFC 7515: JSON Web Signature (JWS)
- MCP Security Best Practices
Version history:

| Version | Date | Changes | Author |
|---|---|---|---|
| 1.0 | 2025-01-03 | Initial documentation | Frederick Kautz |