Mitigation ID: SAFE-M-30
Category: Cryptographic Control
Effectiveness: High
Implementation Complexity: Medium
First Published: 2025-09-13
Vector Store Integrity Verification is a cryptographic control that ensures the authenticity and integrity of embeddings stored in vector databases used by MCP servers. This mitigation prevents attackers from inserting or modifying malicious embeddings by requiring cryptographic signatures for all vector store operations.
The control implements a chain of trust where each embedding is cryptographically signed before storage, and signatures are verified before retrieval. This prevents both direct manipulation of the vector store and supply chain attacks that attempt to distribute pre-poisoned embeddings.
- SAFE-T2106: Context Memory Poisoning via Vector Store Contamination
- SAFE-T1001: Tool Poisoning Attack (TPA)
- SAFE-T1201: MCP Rug Pull Attack
- All embeddings must be cryptographically signed before storage
- Signatures use HMAC-SHA256 with a secret key
- Signature includes embedding content, metadata, and timestamp
- Each embedding carries a signature from a trusted authority
- Signatures are verified before any retrieval or processing
- Invalid signatures result in immediate rejection
- Secret keys are stored securely (HSM, key vault, or secure environment)
- Key rotation policies are implemented
- Different keys for different environments (dev, staging, prod)
┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐
│ MCP Server │ │ Vector Store │ │ Key Management │
│ │ │ │ │ │
│ ┌─────────────┐ │ │ ┌──────────────┐ │ │ ┌─────────────┐ │
│ │ Embedding │ │───▶│ │ Signed │ │ │ │ Secret Key │ │
│ │ Generator │ │ │ │ Embeddings │ │ │ │ Storage │ │
│ └─────────────┘ │ │ └──────────────┘ │ │ └─────────────┘ │
│ │ │ │ │ │
│ ┌─────────────┐ │ │ ┌──────────────┐ │ │ │
│ │ Signature │ │◀───│ │ Verification │ │ │ │
│ │ Verifier │ │ │ │ Engine │ │ │ │
│ └─────────────┘ │ │ └──────────────┘ │ │ │
└─────────────────┘ └──────────────────┘ └─────────────────┘
import hmac
import hashlib
import json
from datetime import datetime
from typing import Dict, Any
class EmbeddingSigner:
"""Provides cryptographic signing for embeddings"""
def __init__(self, secret_key: str):
self.secret_key = secret_key.encode()
def sign_embedding(self, embedding_data: Dict[str, Any]) -> str:
"""Sign embedding data"""
canonical_data = json.dumps(embedding_data, sort_keys=True, separators=(',', ':'))
signature = hmac.new(
self.secret_key,
canonical_data.encode(),
hashlib.sha256
).hexdigest()
return signature
def verify_signature(self, embedding_data: Dict[str, Any], signature: str) -> bool:
"""Verify embedding signature"""
expected_signature = self.sign_embedding(embedding_data)
return hmac.compare_digest(expected_signature, signature)class SecureVectorStore:
"""Vector store with integrity verification"""
def __init__(self, signer: EmbeddingSigner):
self.signer = signer
self.embeddings = {}
def store_embedding(self, id: str, embedding_data: Dict[str, Any]) -> bool:
"""Store embedding with signature"""
try:
signature = self.signer.sign_embedding(embedding_data)
signed_data = {
'data': embedding_data,
'signature': signature,
'timestamp': datetime.utcnow().isoformat()
}
self.embeddings[id] = signed_data
return True
except Exception as e:
print(f"Failed to store embedding: {e}")
return False
def retrieve_embedding(self, id: str) -> Dict[str, Any]:
"""Retrieve and verify embedding"""
if id not in self.embeddings:
return None
signed_data = self.embeddings[id]
if not self.signer.verify_signature(signed_data['data'], signed_data['signature']):
raise SecurityException("Invalid signature detected")
return signed_data['data']- Prevents unauthorized modification of embeddings
- Ensures data hasn't been tampered with
- Maintains trust in vector store content
- Blocks direct vector store manipulation
- Prevents supply chain attacks
- Stops embedding injection attacks
- All operations are cryptographically signed
- Timestamps provide temporal integrity
- Enables forensic analysis
- Cryptographic operations add latency
- Key management overhead
- Signature verification on every retrieval
- Secure key storage required
- Key rotation procedures needed
- Backup and recovery planning
- Requires cryptographic libraries
- Secure key management infrastructure
- Updated vector store implementations
- Test signature generation and verification
- Test invalid signature detection
- Test key rotation scenarios
- Test with real vector store operations
- Test performance under load
- Test error handling
- Test signature forgery attempts
- Test key compromise scenarios
- Test timing attacks
- Monitor failed signature verifications
- Alert on suspicious patterns
- Track failure rates
- Monitor key rotation events
- Track signature generation rates
- Alert on unusual patterns
- Monitor signing/verification latency
- Track throughput impact
- Monitor resource usage
- Aligns with cryptographic best practices
- Supports compliance requirements
- Enables audit capabilities
- Ensures data integrity
- Supports data governance
- Enables regulatory compliance
- SAFE-M-31: Embedding Sanitization and Validation
- SAFE-M-32: Vector Store Isolation and Containment
- SAFE-M-33: Continuous Vector Store Monitoring
| Version | Date | Changes | Author |
|---|---|---|---|
| 1.0 | 2025-09-13 | Initial documentation of SAFE-M-30 mitigation | Sachin Keswani |