
MCP has no per-message authentication or integrity verification layer #32

@razashariff

Description


Summary

MCP provides a powerful tool-calling protocol for AI agents, but it has no cryptographic identity or message integrity layer. There is no mechanism to verify which agent issued a request, whether a tool definition has been tampered with, or whether a message is a replay.

This is a protocol-level gap that affects all MCP adopters and implementations.

The gap

  • No agent identity: Any client connecting over MCP can call any tool. There is no passport or certificate mechanism.
  • No message signing: JSON-RPC messages are sent unsigned. Parameters can be modified in transit.
  • No tool integrity: Tool definitions (tools/list) are not signed by their author. Tool poisoning (OWASP MCP03) allows an attacker to modify tool descriptions to change agent behavior.
  • No replay protection: The same message can be replayed indefinitely. No nonce, no timestamp window.

OWASP has published an MCP Top 10 covering these risks. CVEs with CVSS 9.6 have been filed against MCP implementations.

Existing work

An IETF Internet-Draft has been published to address this at the protocol level:

The spec (MCPS) adds agent passports (ECDSA P-256), per-message signing, tool definition signatures, and nonce-based replay protection as an envelope around the existing JSON-RPC messages, so it stays fully backward-compatible with current MCP.

Happy to discuss technical details or integration approaches.
