bluehash

Cryptographic Infrastructure

Stolen credentials, useless to attackers.

BlueHash binds every credential, OAuth token, session cookie, and decryption capability to specific attested hardware. The replay step that drives 88% of web application breaches fails by design.

Hardware-rooted · Decentralised · Open protocol · Reproducibly built

The Attack Class

Every credential in use today is a bearer token.

Possession equals access. A stolen password, OAuth token, or session cookie works from any machine on the internet — indistinguishable from the legitimate user. This is the architectural defect underneath every recent supply chain breach: ShinyHunters, Storm-0558, the npm worm campaigns, the Snowflake customer attacks. Phish a credential from one machine, replay it from another, exfiltrate.

  • 22% of breaches start with stolen credentials
  • 88% of web app attacks involve them
  • 30% of breaches involve third parties
  • 46% of unmanaged devices hold company credentials in infostealer logs

Source · Verizon DBIR 2025

The Primitive

Bind every credential to specific attested hardware.

01 · Hardware-rooted.

Keys generated inside TPM 2.0 or Secure Enclave, never extractable. Every operation requires a fresh attestation quote proving device integrity.

02 · Non-replayable.

Session tokens bound to device hardware via DBSC (Device Bound Session Credentials). Stolen credentials cannot produce attestation from another machine. The replay step fails.

03 · Decentralised.

No central key authority, no vendor key custody. Customer holds all keys, all storage, all trust roots. We ship the agent and protocol.

Architecture

A cryptographic add-on layer over your existing infrastructure.

01 · Peer mesh · Attested clients

  • TPM 2.0 / SE · Human device: user keys sealed to platform. Fresh quote per operation.
  • FROST · Admin device: threshold signatures. No single-key admin authority.
  • SEV-SNP / TDX / Nitro · AI agent enclave: confidential compute. Attestable agent identity.

02 · Sigchain · Append-only, tamper-evident

  • Log · Append-only signed log: every membership and policy change cryptographically chained.
  • Anchor · Public transparency anchor: periodically anchored to a public log for non-equivocation.
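An added example of the tier just described, written for illustration and not taken from the BlueHash agent: a Go hash-chained log in which each entry commits to its predecessor and carries an admin signature, plus a verifier that checks links, hashes and signatures and confirms that a previously published head (the anchor) is still an ancestor of the current head. A single ECDSA key stands in for the FROST threshold group; the payloads are constructed strings, and Sigchain, Entry, Prefix and the "sigchain-v1" domain tag are this example's names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one membership or policy change. Hash covers Seq, Prev and
// Payload, so rewriting any earlier entry breaks every link after it.
type Entry struct {
	Seq     uint64
	Prev    string // hex hash of the previous entry; empty for the first one
	Payload string
	Hash    string
	Sig     []byte // admin ECDSA signature over Hash
}

func entryHash(seq uint64, prev, payload string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("sigchain-v1\x00%d\x00%s\x00%s", seq, prev, payload)))
	return hex.EncodeToString(sum[:])
}

// Sigchain is an append-only log signed by one admin key (a constructed
// stand-in for the FROST threshold group the page describes).
type Sigchain struct {
	admin   *ecdsa.PrivateKey
	Entries []Entry
}

func NewSigchain() (*Sigchain, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Sigchain{admin: k}, err
}

func (c *Sigchain) Public() *ecdsa.PublicKey { return &c.admin.PublicKey }

// Append links a new entry to the current head and signs it.
func (c *Sigchain) Append(payload string) error {
	prev := ""
	if n := len(c.Entries); n > 0 {
		prev = c.Entries[n-1].Hash
	}
	seq := uint64(len(c.Entries))
	hash := entryHash(seq, prev, payload)
	digest, _ := hex.DecodeString(hash)
	sig, err := ecdsa.SignASN1(rand.Reader, c.admin, digest)
	if err != nil {
		return err
	}
	c.Entries = append(c.Entries, Entry{Seq: seq, Prev: prev, Payload: payload, Hash: hash, Sig: sig})
	return nil
}

// Head is the value published to a public transparency log as an anchor.
func (c *Sigchain) Head() string { return c.Entries[len(c.Entries)-1].Hash }

// Prefix keeps the admin key and the first n entries: the starting point for
// anyone trying to rewrite history after the anchor was published.
func (c *Sigchain) Prefix(n int) *Sigchain {
	return &Sigchain{admin: c.admin, Entries: append([]Entry(nil), c.Entries[:n]...)}
}

// VerifyChain is what a client or auditor runs: every link, hash and signature
// must check, and the published anchor must still be an ancestor of the head.
func VerifyChain(pub *ecdsa.PublicKey, entries []Entry, anchor string) error {
	prev, anchored := "", anchor == ""
	for i, e := range entries {
		if e.Seq != uint64(i) || e.Prev != prev {
			return fmt.Errorf("entry %d: broken link", i)
		}
		if entryHash(e.Seq, e.Prev, e.Payload) != e.Hash {
			return fmt.Errorf("entry %d: hash mismatch, contents altered", i)
		}
		digest, err := hex.DecodeString(e.Hash)
		if err != nil || !ecdsa.VerifyASN1(pub, digest, e.Sig) {
			return fmt.Errorf("entry %d: bad admin signature", i)
		}
		anchored = anchored || e.Hash == anchor
		prev = e.Hash
	}
	if !anchored {
		return fmt.Errorf("anchor %.8s not in chain: truncated or forked", anchor)
	}
	return nil
}

func main() {
	c, _ := NewSigchain()
	_ = c.Append("add-member alice@example.com") // constructed payloads
	_ = c.Append("policy require-attestation=true")
	anchor := c.Head() // published externally at this point
	_ = c.Append("add-member bob@example.com")
	fmt.Println("honest chain:", VerifyChain(c.Public(), c.Entries, anchor))
	f := c.Prefix(1) // drop entry 1 and append a different one in its place
	_ = f.Append("policy require-attestation=false")
	fmt.Println("forked chain:", VerifyChain(f.Public(), f.Entries, anchor))
}
```

The anchor check is the non-equivocation part: a chain with a dropped or rewritten entry still verifies on its own, since whoever holds the signing key can re-sign it, but it can no longer contain the head that was published earlier, so a reader who pinned that anchor detects the fork.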

03 · Customer storage · Plaintext never leaves

  • AES-256-GCM · Ciphertext files: S3 / Drive / SharePoint. Per-file content keys.
  • OPE / SSE · Encrypted search index: searchable encryption over content metadata.

Diagram: Three tiers stacked vertically, with a side panel of pinned trust roots. Top: Peer mesh of human devices, admin devices, and AI agent enclaves. Middle: Append-only sigchain anchored in public transparency. Bottom: Customer-held ciphertext files and encrypted search index.
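The bottom tier, as an added Go example that is not part of the page or the project: each file gets its own random AES-256 key and is sealed with AES-256-GCM using the storage path as associated data, so a wrong key, a flipped byte, or a ciphertext copied to another path all fail the tag check before any plaintext is released. StoredFile, EncryptFile and DecryptFile are this example's names, and the sample paths and contents are constructed. Sealing the content keys to the device and the encrypted search index (OPE / SSE) are not covered here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredFile is what lands in S3 / Drive / SharePoint: nonce and ciphertext
// only. The content key is never stored alongside it.
type StoredFile struct {
	Path       string // bound into the ciphertext as associated data
	Nonce      []byte
	Ciphertext []byte
}

// NewContentKey makes a fresh 256-bit key for exactly one file, so losing
// one key exposes one file rather than the whole store.
func NewContentKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals plaintext under the file's own key with the path as
// associated data, so a ciphertext moved to another path will not open.
func EncryptFile(key []byte, path string, plaintext []byte) (*StoredFile, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(path))
	return &StoredFile{Path: path, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptFile fails for a wrong key, an altered byte, or a mismatched path;
// GCM's tag check covers all three.
func DecryptFile(key []byte, f *StoredFile) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, f.Nonce, f.Ciphertext, []byte(f.Path))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, altered ciphertext or wrong path")
	}
	return pt, nil
}

func main() {
	// Constructed sample documents. In the page's design the per-file keys are
	// sealed to the user's TPM / Secure Enclave; here they are held in memory.
	kA, _ := NewContentKey()
	kB, _ := NewContentKey()
	a, _ := EncryptFile(kA, "finance/q3.xlsx", []byte("revenue 12.4M"))
	b, _ := EncryptFile(kB, "hr/offer.docx", []byte("salary 95k"))

	pt, err := DecryptFile(kA, a)
	fmt.Printf("own key:     %q %v\n", pt, err)
	_, err = DecryptFile(kA, b) // one key opens exactly one file
	fmt.Println("other file: ", err)
	a.Ciphertext[0] ^= 0x01 // storage-side modification
	_, err = DecryptFile(kA, a)
	fmt.Println("flipped bit:", err)
}
```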

Real-world Coverage

Every recent supply chain breach driven by credential replay would have failed at the replay step.

The same primitive — a bearer credential phished from one machine and replayed from another — chains together every major breach below. None required a novel exploit.

(organisation · records or impact · year · replay vector)

  • McGraw Hill · 13.5M · 2026 · Salesforce credential replay
  • Pitney Bowes · 8.2M · 2026 · Phished email → Salesforce session replay
  • Carnival · 7.5M · 2026 · Compromised user session → Salesforce
  • ADT · 5.5M · 2026 · Vishing → Okta SSO replay
  • Amtrak · 2.1M · 2026 · Infostealer → multiple SaaS
  • Udemy · 1.4M · 2026 · Vishing → Salesforce
  • Vimeo · 119k · 2026 · Third-party OAuth pivot
  • Ticketmaster (Snowflake) · 560M · 2024 · Stolen Snowflake credentials replayed without MFA
  • AT&T (Snowflake) · 109M · 2024 · Snowflake account credentials replayed
  • Change Healthcare · 100M+ · 2024 · Citrix portal credentials replayed (no MFA) → BlackCat
  • Santander (Snowflake) · 30M · 2024 · Snowflake credential replay
  • Microsoft Midnight Blizzard · Exec mailboxes · 2024 · Password spray + OAuth app token replay
  • T-Mobile API · 37M · 2023 · Leaked API token replayed against customer-data API
  • 23andMe · 6.9M · 2023 · Credential stuffing → DNA-relative pivot
  • MGM Resorts · $100M loss · 2023 · Scattered Spider vishing → Okta superuser session replay
  • Microsoft Storm-0558 · 25 orgs · 2023 · Forged MSA token replayed against M365 / Outlook
  • Okta Support → 1Password / Cloudflare / BeyondTrust · 134 admin sessions · 2023 · Service-account token replay
  • Cloudflare (Thanksgiving) · Atlassian internal · 2023 · Stale Okta service token replayed
  • LastPass · 30M+ vaults · 2022 · Engineer credentials replayed → encrypted vaults
  • Twilio · 163 customers · 2022 · Smishing → portal credential replay
  • Uber · Internal SSO · 2022 · Stealer credentials + MFA-fatigue → SSO replay

Every chain above breaks at the same step: a bearer credential, valid from any machine on the internet, presented from one the legitimate user has never touched. Hardware attestation makes that presentation impossible.

Deployment

Add-on layer. No migration. No vendor lock-in.

You keep

Your stack, untouched

  • SharePoint
  • Drive
  • S3
  • Okta
  • Entra
  • Office
  • Slack
  • Teams
  • Your existing security stack

We ship

Open-source agent and protocol

  • Endpoint agent (Windows, macOS, Linux)
  • Agent SDK
  • Storage adapters
  • Hardware vendor root certificates
  • Reproducibly built · sigstore-signed

We do not run a KMS, an attestation verifier, or any service that touches your plaintext.

Design partners

Architectural credential security, finally deployable.

Looking for design partners. Specific teams in scaleups and security-conscious enterprises with active credential-replay exposure.