Security

Trust you can prove.

Mysterion is built for content provenance you can verify, not just assert. Security isn't a feature bolted on — it's the product.

Post-quantum by default

Mysterion runs post-quantum cryptography end to end, aligned with NIST's finalized standards and CNSA 2.0 guidance.

  • Hybrid post-quantum key exchange (ML-KEM-768, FIPS 203) — on both the client and the edge, not just at the perimeter.
  • Post-quantum content signatures (ML-DSA-87, FIPS 204).
  • Hash-based, algorithm-diverse timestamping (SLH-DSA, FIPS 205) — so a future break in one cryptographic family can't undermine the timestamp chain.
  • TLS 1.3 only, with AES-256-GCM throughout.

Provenance you can verify independently

Every signed item carries a cryptographic chain of custody — and you don't have to take our word for any of it.

  • BLAKE3 content hashing is the authoritative gate. The full file either matches its signature or it doesn't.
  • A trust chain binds each capture to its creator and to the Mysterion root of trust.
  • RFC 3161 timestamps run on every signing event, on infrastructure kept separate from the signing platform, and can be verified end to end with stock OpenSSL — no access to Mysterion required.
  • A secondary steganographic identity layer supports tamper localization.

Authentication that follows NIST SP 800-63B guidance

  • Argon2id password hashing, with modern normalization and length requirements.
  • Mandatory time-based two-factor authentication (TOTP).
  • Breach screening against known-compromised password corpora at registration.
  • Authenticated transport and mail: TLS in transit; DKIM, SPF, and DMARC on all platform mail.

Operational posture

  • Secrets and signing keys are held in a hardened, highly-available secrets platform and are never written to disk in the application path.
  • Append-only, tamper-evident audit logging.
  • Reproducible builds with published content hashes per release, so anyone can confirm that what they run matches what we published.
  • Continuous edge protection and per-endpoint rate limiting.
  • Encrypted, off-site backups.

Principles

The hash is the gate. A watermark or visible mark is a passive claim; the cryptographic hash over the full file is what actually decides pass or fail.

Trust is proven, not presumed. We don't trust content because it looks right or carries a marking — trust flows from the cryptographic chain.

Timestamping is a separate trust boundary. Compromising the platform doesn't let anyone forge or backdate a timestamp.

Evaluating Mysterion for your organization?

Get in Touch

Mysterion follows the guidance of NIST SP 800-63B, FIPS 203, 204, and 205, and CNSA 2.0. These references describe our engineering approach; they are not claims of formal certification.