OpenNHP is a lightweight, cryptography-powered, open-source toolkit implementing Zero Trust security for infrastructure, applications, and data. It is the reference implementation of the Cloud Security Alliance (CSA) Network-infrastructure Hiding Protocol (NHP) specification, and features two core protocols:
- Network-infrastructure Hiding Protocol (NHP): Conceals server ports, IP addresses, and domain names to protect applications and infrastructure from unauthorized access.
- Data-content Hiding Protocol (DHP): Ensures data security and privacy via encryption and confidential computing, making data "usable but not visible."
The modern internet is a dark forest. Attackers — increasingly backed by LLMs that scan, fingerprint, and exploit at machine speed via Autonomous Vulnerability Exploitation — treat every reachable service as a target. Gartner projects AI-driven cyberattacks will rise rapidly. Traditional defenses authenticate users after the network lets them in, leaving exposed ports, IPs, and domains as a permanent attack surface.
In the AI era, VISIBILITY = VULNERABILITY.
OpenNHP inverts that model: invisible until trusted. Every port, IP, and hostname sits behind a default-deny gate. Access is granted only after a cryptographically signed knock is authenticated and authorized out-of-band. Attackers can't exploit what they can't discover.
NHP is the next step in a line of "hide the service first" designs:
| Generation | Protocol | Limitations |
|---|---|---|
| 1 | Port Knocking | Plaintext, replay-prone |
| 2 | Single Packet Authorization (SPA) | Shared secrets, one-way, typically hides ports only, typically C/C++ |
| 3 | NHP | Modern crypto, bi-directional with status, hides domain + IP + ports, stateless and horizontally scalable, memory-safe Go |
NHP slots in alongside existing IAM, DNS, FIDO, and Zero Trust policy engines rather than replacing them — it extends your stack instead of forking it.
OpenNHP follows a modular design with three core components, inspired by the NIST Zero Trust Architecture:
| Component | Role |
|---|---|
| NHP-Agent | Client that sends encrypted knock requests to gain access |
| NHP-Server | Authenticates and authorizes requests; runs separately and is architecturally decoupled from the protected host |
| NHP-AC | Access controller that manages firewall rules on the protected server |
- Agent sends an encrypted knock (`NHP_KNK`) to the Server.
- Server validates the knock and sends an operation request (`NHP_AOP`) to the AC.
- AC opens the firewall and replies (`NHP_ART`) to the Server.
- Server returns an acknowledgment (`NHP_ACK`) with access info to the Agent.
- Agent reaches the protected resource through the AC.
OpenNHP ships with two interchangeable cipher suites:
- `CIPHER_SCHEME_CURVE` — Curve25519 + AES-256-GCM + BLAKE2s
- `CIPHER_SCHEME_GMSM` — SM2 + SM4-GCM + SM3
Both are driven by the Noise Protocol Framework. An Identity-Based Cryptography (IBC) mode is available via the Key Generation Center (KGC).
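The knock flow and the `CIPHER_SCHEME_CURVE` primitives above, modelled in Go as an added example (this is not OpenNHP's own code): an Agent seals an `NHP_KNK` to the Server's X25519 static key under AES-256-GCM; the Server authenticates it, checks freshness and replay, asks the AC to add a rule (`NHP_AOP`/`NHP_ART`) and answers `NHP_ACK`. Everything not on the page is an assumption of the demo: SHA-256 stands in for the BLAKE2s/Noise key derivation, the 30-second window, the plaintext layout and the in-process AC are invented, and the target `10.0.0.5:443` used in the test is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"time"
)

// Message types, named as in the OpenNHP knock flow (Agent->Server, Server->AC, AC->Server, Server->Agent).
const NHP_KNK, NHP_AOP, NHP_ART, NHP_ACK = "NHP_KNK", "NHP_AOP", "NHP_ART", "NHP_ACK"
const knockWindow = 30 * time.Second // constructed freshness window, not an OpenNHP value

// Envelope is what crosses the wire: only the type, sender id and ciphertext are visible.
type Envelope struct {
	Type, AgentID string
	Sealed        []byte // GCM nonce || ciphertext || tag; plaintext is unix time (8 bytes) || resource
}

// Ack is the NHP_ACK the Server returns to the Agent (access info kept minimal here).
type Ack struct{ Type, Status, Resource string }

// aeadFor derives AES-256-GCM from the X25519 shared secret. SHA-256 stands in here
// for the BLAKE2s/Noise key derivation OpenNHP actually uses (an assumption of this demo).
func aeadFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err // e.g. a low-order peer point
	}
	key := sha256.Sum256(append([]byte("nhp-knk-demo:"), shared...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// Knock is the Agent side: it seals an NHP_KNK for resource to the Server's static key.
func Knock(agentID string, priv *ecdh.PrivateKey, serverPub *ecdh.PublicKey, resource string, now time.Time) (Envelope, error) {
	gcm, err := aeadFor(priv, serverPub)
	if err != nil {
		return Envelope{}, err
	}
	iv := make([]byte, gcm.NonceSize())
	rand.Read(iv) // crypto/rand.Read is guaranteed not to fail as of Go 1.24
	pt := append(binary.BigEndian.AppendUint64(nil, uint64(now.Unix())), resource...)
	return Envelope{Type: NHP_KNK, AgentID: agentID, Sealed: gcm.Seal(iv, iv, pt, nil)}, nil
}

// AC is the access controller; the map stands in for the firewall allow-list.
type AC map[string]bool

// Open handles NHP_AOP by adding a rule and answers with the NHP_ART status.
func (ac AC) Open(agentID, resource string) string {
	ac[agentID+"->"+resource] = true
	return "ok"
}

// Server holds enrolled Agent keys and a replay cache; it runs apart from the protected host.
type Server struct {
	priv   *ecdh.PrivateKey
	agents map[string]*ecdh.PublicKey // enrolled Agent static keys
	seen   map[string]int64           // GCM nonce of each accepted knock -> expiry, for replay detection
	ac     AC
}

func NewServer(ac AC) *Server {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader) // only fails if the CSPRNG does
	return &Server{priv: priv, agents: map[string]*ecdh.PublicKey{}, seen: map[string]int64{}, ac: ac}
}
func (s *Server) Public() *ecdh.PublicKey              { return s.priv.PublicKey() }
func (s *Server) Enroll(id string, pub *ecdh.PublicKey) { s.agents[id] = pub }

// HandleKnock authenticates an NHP_KNK, runs NHP_AOP/NHP_ART against the AC and returns NHP_ACK.
// On any error the Server answers nothing, so the default-deny gate stays shut.
func (s *Server) HandleKnock(env Envelope, now time.Time) (Ack, error) {
	pub, ok := s.agents[env.AgentID]
	if env.Type != NHP_KNK || !ok {
		return Ack{}, errors.New("unknown agent or message type")
	}
	gcm, err := aeadFor(s.priv, pub)
	if err != nil {
		return Ack{}, err
	}
	n := gcm.NonceSize()
	if len(env.Sealed) < n {
		return Ack{}, errors.New("short knock")
	}
	pt, err := gcm.Open(nil, env.Sealed[:n], env.Sealed[n:], nil)
	if err != nil {
		return Ack{}, errors.New("authentication failed") // wrong key or tampered ciphertext
	}
	if len(pt) < 8 || now.Sub(time.Unix(int64(binary.BigEndian.Uint64(pt)), 0)).Abs() > knockWindow {
		return Ack{}, errors.New("malformed or stale knock")
	}
	for iv, exp := range s.seen { // forget nonces that can no longer pass the freshness check
		if exp < now.Unix() {
			delete(s.seen, iv)
		}
	}
	// The GCM nonce doubles as the replay id: a forged one would have failed authentication above.
	if _, dup := s.seen[string(env.Sealed[:n])]; dup {
		return Ack{}, errors.New("replayed knock")
	}
	s.seen[string(env.Sealed[:n])] = now.Add(knockWindow).Unix()
	status := s.ac.Open(env.AgentID, string(pt[8:])) // NHP_AOP out, NHP_ART back
	return Ack{Type: NHP_ACK, Status: status, Resource: string(pt[8:])}, nil
}
```

The two checks that separate this from the earlier generations in the table are visible in `HandleKnock`: the knock body is never on the wire in plaintext, and a captured `NHP_KNK` replayed inside the freshness window hits the nonce cache while one replayed later fails the timestamp check. A Server that rejects a knock sends nothing back, so an unenrolled or wrongly keyed sender learns nothing about what it was knocking on.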
For protocol details, deployment models, and cryptographic design, see the documentation.
```
opennhp/
├── nhp/            # Core protocol library (Go module)
│   ├── core/       # Packet handling, cryptography, Noise Protocol, device management
│   ├── common/     # Shared types and message definitions
│   ├── utils/      # Utility functions
│   ├── plugins/    # Plugin handler interfaces
│   ├── log/        # Logging infrastructure
│   └── etcd/       # Distributed configuration support
└── endpoints/      # Daemon implementations (Go module, depends on nhp)
    ├── agent/      # NHP-Agent daemon
    ├── server/     # NHP-Server daemon
    ├── ac/         # NHP-AC (access controller) daemon
    ├── db/         # NHP-DB (Data Broker for DHP)
    ├── kgc/        # Key Generation Center (IBC)
    └── relay/      # TCP relay
```
- Go 1.25.6+
- `make`
- Docker and Docker Compose (for the full-stack demo)
```shell
# Build all components
make

# Build individual daemons
make agentd   # NHP-Agent
make serverd  # NHP-Server
make acd      # NHP-AC
make db       # NHP-DB
make kgc      # Key Generation Center
```

```shell
# Run the unit tests of both Go modules
cd nhp && go test ./...
cd endpoints && go test ./...
```

```shell
# Start the full-stack demo
cd docker && docker-compose up --build
```

Follow the Quick Start tutorial to simulate the full authentication workflow in a Docker environment.
We welcome contributions! Please read CONTRIBUTING.md before submitting pull requests.
Note: All commits must be signed with a verified GPG or SSH key.
```shell
git commit -S -m "your message"
```

Found a vulnerability? Please follow the responsible-disclosure process in SECURITY.md rather than opening a public issue.
Released under the Apache 2.0 License.
- Email: support@opennhp.org
- Discord: Join our Discord
- Website: https://opennhp.org

