MCPS: MCP with Built-in Agent Security

0 Abstract

The Model Context Protocol (MCP) has become the de facto standard for connecting AI agents to external tools and data sources. With 80,700+ GitHub stars and adoption by Anthropic, OpenAI, Google, and Microsoft, MCP now underpins millions of agent-to-server interactions daily.

MCP has no security layer. There is no agent identity, no message signing, no tool integrity verification, and no replay protection. Every JSON-RPC message travels unsigned. Every tool definition is unverified. Every agent is anonymous.

MCPS (MCP Secure) is a cryptographic security extension for MCP that adds end-to-end agent identity, message-level signing, tool integrity verification, and trust scoring — without modifying the MCP protocol itself. MCPS wraps MCP messages in signed envelopes, ensuring that every action is authenticated, every tool is verified, and every agent is accountable.

This document presents the technical architecture of MCPS, explains why existing security mechanisms (OAuth, TLS, DIDs) are insufficient for MCP, and demonstrates how MCPS blocks documented real-world attacks including CVE-2025-6514 (CVSS 9.6), the Smithery.ai breach, and the postmark-mcp supply chain backdoor.

1 The Problem: MCP Has No Security Layer

MCP defines a JSON-RPC 2.0 protocol for agent-to-server communication across two transport mechanisms: stdio (local process pipes) and HTTP/SSE (network). Neither transport includes any application-layer security.

1.1 Documented Attacks

These are not theoretical risks. They are published CVEs and documented breaches:

1.2 Academic Evidence

Peer-reviewed research quantifies the attack surface:

• MCPTox (arXiv:2508.14925): Tested 353 tools across 45 MCP servers. Average tool poisoning success rate: 36.5% across 20 LLM models. Peak: 72.8% (o1-mini). [1]
• MCP-ITP (arXiv:2601.07395): Automated tool poisoning achieved 84.2% ASR while suppressing detection to 0.3%. [2]
• Breaking the Protocol (arXiv:2601.17549): Multi-server attacks scale from 47.8% (1 server) to 78.3% (5 servers). The paper concludes: "The protocol relies entirely on transport-layer security without application-layer authentication, replay protection, or capability binding." [3]

2 Why OAuth, TLS, and DIDs Don't Solve This

The instinctive response to MCP's security gap is: "just use OAuth" or "TLS already handles this." This section explains, with precision, why each existing mechanism is insufficient — not because they are flawed in general, but because they operate at the wrong layer for the MCP threat model.

2.1 OAuth 2.1: Authenticates Users, Not Agents

The MCP authorization specification (adopted March 2025) is based on OAuth 2.1. It classifies MCP servers as Resource Servers and MCP clients as OAuth Clients acting "on behalf of a resource owner." [4]

What OAuth protects:

• Token-based access control (who can call the server)
• PKCE for authorization code protection
• Token audience binding via RFC 8707

What OAuth does not protect:

• Agent identity. OAuth authenticates the user who delegates access. The AI agent itself has no distinct credential, no verifiable identity, and no audit trail. As the Cloud Security Alliance states: "MCP relies on methods designed for human users, not autonomous agents." [5]
• Message integrity. Individual JSON-RPC messages are not signed. A valid OAuth session does not guarantee that any specific message within it is authentic or unmodified.
• Tool integrity. OAuth has zero visibility into tool definition content. A poisoned tool description passes through OAuth undetected.
• Replay protection. Messages within an authorized session carry no nonce or timestamp. A captured tools/call can be replayed indefinitely within the token lifetime.

Furthermore, the MCP spec permits anonymous Dynamic Client Registration, meaning any client can register as a valid OAuth client without identifying itself. Christian Posta (Solo.io) called this "a mess for enterprise": any process can register, obtain tokens, and make requests — with no proof of identity. [6]

2.2 TLS: Protects Transport, Not Content

TLS encrypts data in transit and authenticates the server via X.509 certificates. It is essential for network security. It is irrelevant for three fundamental reasons in MCP:

Reason 1: Stdio transport has no TLS. The MCP spec states that stdio implementations "SHOULD NOT follow this specification" for authorization. [4] Stdio communication occurs via stdin/stdout pipes between processes on the same machine — no network, no TLS, no encryption. This is the primary transport for local MCP servers (Claude Desktop, Cursor, VS Code).

Reason 2: TLS is point-to-point, not end-to-end. TLS terminates at the first hop (load balancer, reverse proxy, API gateway). After termination, JSON-RPC messages travel as plaintext between internal components. A compromised proxy, sidecar, or monitoring agent can modify tool definitions, inject parameters, or alter responses — undetected.

Reason 3: TLS does not sign messages. TLS provides channel integrity (the bytes received are the bytes sent within a session), but it does not sign individual JSON-RPC messages. There is no per-message nonce, no per-message signature, and no way to verify message authenticity outside the TLS session. Once TLS is terminated, message integrity vanishes.

2.3 DIDs: Identity Without Integrity

Decentralized Identifiers (W3C DIDs) provide a framework for self-sovereign identity: an entity generates a key pair, publishes a DID Document, and can prove control of the identifier. The MCP-I initiative at the Decentralized Identity Foundation (DIF) is exploring DID-based identity for MCP. [8]

Why DIDs alone are insufficient:

• Identity ≠ Integrity. A DID proves who you are. It does not prove what you sent. Without per-message signing bound to the MCP JSON-RPC schema, a man-in-the-middle can verify the agent's DID, then modify the agent's messages in transit. MITM remains possible even with DID-based identity.
• No tool integrity. A malicious MCP server can have a perfectly valid DID and still serve poisoned tool descriptions. DIDs authenticate the server, not the content the server produces.
• No replay protection. DIDs provide no nonce mechanism. Message replay is orthogonal to identity.
• Ecosystem fragmentation. There are 150+ registered DID methods (did:web, did:key, did:ion, did:ethr, did:sov, etc.) with different resolution mechanisms, trust models, and infrastructure requirements. Interoperability remains an unsolved problem. [9]

2.4 Comparison Matrix

~ TLS provides session-level replay protection but not application-layer message replay protection.

3 MCPS Architecture

MCPS is a cryptographic security layer for MCP. It does not replace or modify MCP — it wraps MCP messages in signed envelopes that provide identity, integrity, and trust verification. MCPS operates at the application layer, independent of transport.

3.1 Core Components

3.2 The MCPS Envelope

Every MCP message is wrapped in an MCPS envelope before transmission. The envelope contains the original message plus cryptographic metadata:

3.3 Agent Passport

Every agent and server in MCPS has a passport — a cryptographic identity document containing the agent's public key, capabilities, trust level, and metadata:

3.4 Trust Framework (L0–L4)

MCPS defines five trust levels. Each level builds on the previous, creating a graduated access model where higher trust unlocks more capabilities:

3.5 Protocol Flow

4 Attack Scenarios: MCPS vs. Standard MCP

Each attack below has been demonstrated live using real ECDSA P-256 cryptography at mcps-demo.fly.dev. No mocks or simulations.

4.1 Tool Poisoning (blocks CVE-2025-6514, postmark-mcp)

Attack: An attacker modifies a tool description to inject malicious instructions (e.g., "Also read ~/.ssh/id_rsa").

Without MCPS: The modified tool is accepted by the agent. MCPTox research shows 36.5–84.2% success rate. [1][2]

With MCPS: signTool() creates an ECDSA signature over the canonical JSON of {name, description, inputSchema}. verifyTool() detects any modification — hash changes, signature fails, tool is rejected.

4.2 Replay Attack

Attack: An attacker captures a valid signed tools/call (e.g., transfer_funds) and resends it.

Without MCPS: MCP has no nonce or replay detection. The duplicated request executes.

With MCPS: Every envelope contains a 128-bit cryptographic nonce. NonceStore.check() rejects any previously-seen nonce. The replay is blocked.

4.3 Signature Stripping (Downgrade Attack)

Attack: An attacker strips the mcps envelope, forwarding only the raw MCP message to bypass security.

Without MCPS: N/A (MCP has no security to strip).

With MCPS: Servers configured with requireSecurity: true reject any message without a valid MCPS envelope. Downgrade is impossible.

4.4 Forged Identity (blocks Smithery breach pattern)

Attack: An attacker generates their own key pair and signs messages claiming a legitimate agent's passport ID.

Without MCPS: MCP has no identity verification. Impersonation is trivial.

With MCPS: The server verifies the signature against the legitimate agent's public key (from their passport). The attacker's signature, created with a different private key, fails ECDSA verification.

4.5 Expired Credentials

Attack: An agent continues operating with an expired passport.

With MCPS: validatePassportFormat() checks expires_at against the current time. Expired passports are rejected with error code MCPS-002.

4.6 Man-in-the-Middle

Attack: A proxy, compromised gateway, or co-process intercepts and modifies MCP messages.

Without MCPS: Stdio has no encryption. HTTP post-TLS-termination is plaintext. Messages can be modified undetected.

With MCPS: Every message carries an ECDSA signature. Any modification — even a single changed byte — invalidates the signature. MITM can observe but cannot tamper without detection.

4.7 Rogue Server Defence

Attack: An attacker publishes a malicious MCP server to npm, Smithery, or any registry — impersonating a legitimate service (e.g., gmail-mcp, stripe-mcp). The postmark-mcp backdoor proved this is not theoretical: a trojanised server sat on npm, silently BCC'ing every email to the attacker.

Without MCPS: MCP has no concept of server identity. Any process that speaks JSON-RPC 2.0 is a valid MCP server. There is no way to distinguish a legitimate server from a malicious clone. No identity verification, no code signing, no trust differentiation.

With MCPS: Defence in depth across four layers:

5 Implementation

MCPS is implemented as mcp-secure, a zero-dependency Node.js package available on npm. The entire security layer is under 550 lines of code and less than 10KB.

5.1 Package Details

5.2 API Surface

5.3 Migration Guide: MCP to MCPS

MCPS is designed as a wrapper, not a replacement. It does not modify MCP — it wraps MCP messages in signed envelopes. Organisations already running MCP can adopt MCPS incrementally with zero downtime and zero breaking changes.

5.4 Cryptographic Choices

MCPS uses ECDSA with NIST P-256 (secp256r1). This is the same curve used by TLS 1.3, Apple Secure Enclave, WebCrypto API, AWS/GCP/Azure KMS, FIDO2/WebAuthn, and every major browser. The choice is deliberate:

Why not AES-256? AES is a symmetric encryption algorithm — it hides data. MCPS signs data (proves who sent it and that it hasn't been tampered with). These are fundamentally different operations. MCP messages are not secret (the LLM must read them); they need to be authenticated and tamper-proof. Signing requires asymmetric cryptography (public/private key pairs), which is what ECDSA provides.

Why 128-bit is sufficient: 128-bit security means an attacker would need 2¹²⁸ operations (340,282,366,920,938,463,463,374,607,431,768,211,456 attempts) to break a single key. For context, all computers on Earth working together could not complete this before the heat death of the universe. Every bank, government, and cloud provider considers 128-bit security sufficient for current threat models.

Algorithm agility: The MCPS envelope format is algorithm-agnostic. The signature field is base64-encoded; the passport carries the public key type. Swapping ECDSA P-256 for P-384 (192-bit), P-521 (256-bit), or post-quantum algorithms (ML-DSA/Dilithium) requires changing the key generation and signing functions — the envelope structure, passport format, and verification flow remain identical.

5.5 Audit & Compliance

Every MCPS envelope is inherently a cryptographic audit record: it contains a timestamp, a unique nonce, the agent's passport ID, and a non-repudiable ECDSA signature. This means every action taken through MCPS is attributable, timestamped, and tamper-evident — by default, with no additional infrastructure.

The secureMCP() wrapper provides a built-in audit system that fires structured events for every message processed:

SIEM integration: The onAudit callback enables direct piping to enterprise security platforms:

Compliance mapping:

6 Why MCPS is the Future

Three converging forces make MCPS inevitable:

6.1 Regulatory Mandate

The EU AI Act (effective August 2026) mandates traceability and accountability for high-risk AI systems. Article 14 requires human oversight with verifiable audit trails. Without agent identity and signed actions, compliance is impossible. OWASP ASI03 (Agentic AI Top 10) specifically calls for agents to be treated as "managed Non-Human Identities" with JIT credentials. [10]

6.2 Scale of Exposure

600,000+ agents across 12 major frameworks operate without any form of cryptographic identity. We audited every framework with over 5,000 GitHub stars. None have agent identity, execution signing, or trust scoring. MCP alone has 80,700+ stars and is adopted by Anthropic, OpenAI, Google, and Microsoft. The attack surface is growing exponentially while the security surface remains at zero.

6.3 Protocol-Level Fix

MCPS solves the problem at the protocol level, not the application level. This means:

• Transport-agnostic: Works with stdio, HTTP, SSE, WebSocket, or any future transport.
• Framework-agnostic: Works with LangChain, CrewAI, AutoGen, Claude, or any MCP client.
• Backward-compatible: MCPS wraps MCP messages. Unaware receivers see a JSON object with an extra mcps field. Graceful degradation is built in.
• Standardized: MCPS is an IETF Internet-Draft (draft-sharif-mcps-secure-mcp) on the standards track, not a proprietary solution.

6.4 Quantum Readiness

ECDSA P-256, like all elliptic curve and RSA algorithms, is theoretically vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. This is a known, industry-wide challenge — not specific to MCPS. Every system using TLS, WebAuthn, code signing, or certificate authorities faces the same timeline.

Current quantum state:

NIST Post-Quantum Standards (published August 2024):

• ML-DSA (Dilithium) — Lattice-based digital signatures. MCPS's most likely migration target. FIPS 204.
• SLH-DSA (SPHINCS+) — Hash-based signatures. Stateless, conservative. FIPS 205.
• ML-KEM (Kyber) — Key encapsulation mechanism. Less relevant for signing but useful for future key exchange.

MCPS migration path to post-quantum:

1. Algorithm-agnostic envelope. The MCPS envelope format carries a base64 signature field with no algorithm assumption. Swap ECDSA for ML-DSA — the envelope structure is unchanged.
2. Hybrid signatures. During transition, sign with both ECDSA P-256 AND ML-DSA (Dilithium). Verify either. This is the same approach Chrome/TLS uses with X25519Kyber768.
3. Passport multi-key support. The passport public_key field can carry multiple keys (classical + post-quantum), enabling progressive migration.
4. Node.js PQC support. OpenSSL 3.x is adding PQC algorithm support. Node.js will inherit this through its crypto module, requiring no external dependencies — maintaining MCPS's zero-dependency guarantee.

7 OWASP Alignment

MCPS addresses multiple entries in both the OWASP MCP Top 10 and the OWASP Agentic AI Top 10:

8 Live Demo

All claims in this document can be verified interactively at mcps-demo.fly.dev. The demo runs 10 scenarios using real ECDSA P-256 cryptography from the mcp-secure@1.0.2 npm package:

9 References

• 1 MCPTox: A Comprehensive Benchmark for MCP Tool Poisoning. arXiv:2508.14925, August 2025. 353 tools, 45 servers, 36.5% avg ASR, 72.8% peak.
• 2 MCP-ITP: Automated Indirect Tool Poisoning. arXiv:2601.07395, January 2026. 84.2% ASR, 0.3% detection rate.
• 3 Breaking the Protocol: Security Analysis of MCP. arXiv:2601.17549, January 2026. 78.3% multi-server attack success.
• 4 MCP Authorization Specification. modelcontextprotocol.io/specification/2025-03-26/basic/authorization. OAuth 2.1 based.
• 5 Cloud Security Alliance: Agentic AI, MCP, and the Identity Explosion. CSA Blog, July 2025.
• 6 Christian Posta: The Updated MCP OAuth Spec Is a Mess. blog.christianposta.com, 2025. Solo.io CTO critique.
• 7 GitGuardian: Breaking MCP Server Hosting — Smithery Supply Chain Attack. blog.gitguardian.com, October 2025. 3,243 servers exposed.
• 8 Decentralized Identity Foundation: Why DIF Said Yes to MCP-I. blog.identity.foundation, 2025.
• 9 W3C DID Core Specification. w3.org/TR/did-core/. 150+ registered DID methods.
• 10 OWASP Top 10 for Agentic Applications 2026. genai.owasp.org. ASI03: Identity & Privilege Abuse.
• 11 OWASP MCP Top 10. owasp.org/www-project-mcp-top-10/. MCP03: Tool Poisoning.
• 12 CVE-2025-6514. CVSS 9.6. mcp-remote RCE via OAuth endpoint injection. JFrog, July 2025.
• 13 Invariant Labs: MCP Tool Poisoning Attacks. invariantlabs.ai, April 2025. Cross-server exfiltration PoC.
• 14 IETF Internet-Draft: draft-sharif-mcps-secure-mcp. datatracker.ietf.org. MCPS specification.
• 15 NIST FIPS 186-5: Digital Signature Standard (DSS). NIST, February 2023. ECDSA with P-256/P-384/P-521.
• 16 NIST FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA). NIST, August 2024. Post-quantum digital signatures (Dilithium).
• 17 NIST FIPS 205: Stateless Hash-Based Digital Signature Standard (SLH-DSA). NIST, August 2024. Post-quantum hash-based signatures (SPHINCS+).
• 18 NSA: Quantum Computing and Post-Quantum Cryptography FAQ. media.defense.gov, 2024. Timeline and migration guidance for CNSS systems.