Skip to main content

ZSP Security

The Zeq Secure Protocol — a multi-stage, classical protect/unprotect pipeline. Each payload is fingerprinted, scanned, authenticated with a Zeqond-stamped HMAC-SHA256 tag, and sealed with AES-256-GCM; unprotect runs six independent verification checks before releasing the plaintext.

App ID zsp Runs at /apps/zsp/ Auth framework sign-in (the /apps/* gate) Chapter Utility

What it does

The management surface for ZSP: wrap a payload, unwrap it, and watch the protocol's live status. protect runs four stages and unprotect verifies six:

  • K_spectral — Shannon entropy H(X) = −Σ p(x) log₂ p(x) over the byte distribution, recorded as a fingerprint that must match on unprotect.
  • HF scan — a windowed first-difference variance check that flags anomalous high-frequency injection.
  • K_temporal — a Zeqond-stamped HMAC-SHA256 tag over zid ‖ zeqond ‖ phase ‖ sha256(payload), keyed from SESSION_SECRET with domain separation. Tags are bounded by a configurable Zeqond tolerance.
  • K_chaos — a deterministic HMAC-SHA256-derived keystream XORed over the payload (bound to the temporal tag), then an AES-256-GCM outer layer.
  • NM27 — a byte-sum conservation check (Σ bytes mod 2³²) that catches single-byte flips.

unprotect recomputes all six checks (temporal, chaos, spectral, tether, auth, nm27) and only returns the payload if every one passes. Other apps (HITE Encryption) can call the same routes — this app is where you drive them directly.

API routes behind it

  • POST /api/zsp/protect — run the four-stage protect pipeline
  • POST /api/zsp/unprotect — reverse + run the six verification checks
  • GET /api/zsp/status — protocol status + live Zeqond clock

(Route file: shared/api-core/src/routes/zsp.ts.)

Reference

  • Source: apps/zeq-dev/public/apps/zsp/
  • Sealed app audit: register row 15 (source scan, backend wiring, browser gate)