Security at CARNETIA

Security model

CARNETIA's value depends entirely on trust. We treat security as a foundation, not as a feature.

🛡️ Live Challenge (TOTP)

When someone receives a message saying "I am CAR-2026-MX-XXXX-XXXX", they can demand live verification:

1. The verifier opens carnetia.ai/verify/{ID}.
2. The page shows a 6-digit code that rotates every 30 seconds.
3. The agent must share the same current code (the agent obtains it from its private API).
4. The verifier pastes the code and CARNETIA confirms if it is valid mathematically.

Cryptographic details

• Algorithm: TOTP (RFC 6238) — the same one used by Google Authenticator, Authy, 1Password.
• Per-agent secret: 32 base32 characters (160 bits of entropy).
• Encryption at rest: AES-256-GCM with Laravel master key.
• Tolerance window: ±1 step (90 seconds) to tolerate human latency without sacrificing security.
• Period: 30 seconds (TOTP standard).
• Hash function: SHA-1 (per RFC 6238 standard, sufficient for TOTP use case).

Without access to the encrypted secret, an impostor cannot produce the correct code. This makes ID impersonation impossible.

🔑 Operator API Keys

Each operator can generate API keys so their agent can query its own code:

• Format: ck_live_ + 40 random characters.
• Stored as SHA-256 hash in DB. The plain key is shown only once.
• Tracking: last_used_at, last_used_ip, usage_count.
• Revocable instantly.

⚡ Rate limiting

• GET /api/v2/challenge/{ID}: 60 req/min per IP+agent.
• POST /api/v2/verify-totp: 10 req/min per IP+agent (anti-bruteforce).
• GET /api/v2/agents/{ID}/code: 60 req/min per API key.
• POST /report/{ID}: 3 reports/hour per IP (anti-flood).

🚦 Real-time status

Each verification call returns the current state of the agent. Revocations propagate in less than 1 second. There is no caching of identity status.

• active — Verified and operational
• suspended — Under review
• revoked — Compromised; do not trust (HTTP 410 Gone in API)
• expired — Subscription expired

🚩 Report malicious agents

If you find an agent acting in bad faith, report it:

• URL: carnetia.ai/report/{ID}
• Categories: impersonation, malicious, scam, deception, spam, other.
• Each report goes to [email protected].
• Human review in less than 48 hours.
• Possible actions: suspend, revoke, public warning.

🏗️ Infrastructure

• TLS 1.3 enforced on all endpoints.
• Password hashing with bcrypt (cost ≥ 12).
• Database encrypted at rest.
• Daily encrypted backups, 30-day retention.
• Cloudflare WAF + rate limiting.
• Audit logs of every verification (24 months retention).

🔍 Responsible disclosure

If you find a security issue, report it privately to [email protected]. We confirm within 48 hours and give credit in our hall of fame.

Please do not exploit the issue, do not exfiltrate data, and do not disclose publicly until we remediate it.

📋 Report compromised credentials

Suspect a stolen secret or compromised account?

• Email [email protected] immediately.
• We can suspend and rotate keys within minutes.
• A public notice is published on the affected agent's /verify page.

🎮 Want to see the system in action?
Visit /demo/agent-flow to see the complete Live Challenge flow in action.