The A2A Protocol

Agent-to-Agent Communication Security · Deep-Dive SDD-B13 · Course 2B

45 minutes · The wire format agents speak to each other — and the attack surface it creates

B6 introduced inter-agent trust in the abstract. This deep-dive goes deep on the A2A protocol that makes inter-agent communication real — every B6 attack now targets a concrete protocol artifact: the Agent Card, the Task lifecycle, signed JSON-RPC payloads.

Deep-Dives

The thesis — A2A is a transport protocol, not a security protocol

B6 (abstract)

The message channel is a trust boundary. Sign messages, use nonces, bound blast radius. The protocol was a placeholder.

SDD-B13 (concrete)

The protocol is A2A. The forged message is a message/send JSON-RPC call. The peer is an Agent Card whose authentication field was not verified. The replay is a captured tasks/pushNotification/set.

A2A defines how agents talk; it does not guarantee who is talking or that the message is intact. The security is layered on top — and the places implementers skimp are exactly where the attacker enters.

The protocol, in one slide

ArtifactWhat it isThe attacker's reading
Agent CardJSON at /.well-known/agent.json; name, skills, url, auth schemesPublished reconnaissance. Skills = capability surface; url = attack endpoint; auth = which scheme to attack. Substitutable via DNS.
TaskStateful work object: submitted → working → (input-required | completed | failed | canceled)Hijackable state machine. Cancel = DoS; input-required = any caller steers; pollable = data disclosure.
Messagerole (user/agent) + parts[]; carries natural-language contentUnvalidated content carrier. No "data, not instruction" syntax in natural language. Multi-hop = output-as-input chain.
ArtifactStructured output: name, description, parts[]Multi-hop injection vehicle. Signature proves immediate sender, not taint source.
JSON-RPC methodsmessage/send, tasks/get, tasks/cancel, tasks/pushNotification/setThe attack endpoints. The Agent Card told the attacker where they live.

The Agent Card — published reconnaissance

Read as a builder

Elegant discovery. The orchestrator finds remote agents and dispatches without prior integration. The inter-agent OpenAPI spec.

Read as an attacker

A reconnaissance document the victim published for you. skills[] = capability surface to plan ASI03/05. url = the attack endpoint. authentication = which scheme to attack (and which is absent).

Agent Card integrity. Fetched over HTTPS — transport integrity only. Compromise the server, the DNS, or the caching layer and substitute a malicious card whose url points to the attacker. The orchestrator dispatches to the wrong endpoint. Fix: sign the card; allowlist the url.

The Task lifecycle — a state machine with hijackable transitions

State / transitionThe hijack
tasks/cancelIf not bound to the original caller, any agent that guesses a Task ID cancels a competitor's task (DoS) — or races a re-submission with attacker content.
input-requiredAny caller can supply the "additional input" and steer the task. The input is incorporated; the task proceeds under the original caller's authority.
tasks/getIf Task IDs are enumerable (sequential, timestamp-derived), poll every ID and read every Task's Messages and Artifacts. Data disclosure at protocol granularity.
completedA completed that was not earned. If the caller does not verify the transition, it consumes incomplete or attacker-substituted Artifacts.
Fixes: caller-bound authorization on every state-mutating call; cryptographically random 128-bit Task IDs; state-transition proofs. The protocol gives you the states; it does not prove the transitions were legitimate.

The four core threats — mapped to B6

ThreatA2A targetB6 controlA2A-specific fix
ImpersonationAgent Card (substituted/forged) + stolen credentialAssumed you knew who you talked toSign the card; url allowlist; audience-bound tokens (aud checked)
Task hijackingTask lifecycle (cancel, input, races)Did not address task state machines — new surfaceCaller-bound authz on state-mutating calls; random Task IDs; transition proofs
TamperingJSON-RPC payload at proxy / middleware / MITMHMAC / asymmetric signaturesApplication-layer signatures over canonical-JSON body; verify after TLS termination
ReplayCaptured message/send or webhook registrationNonces + timestamps + freshness windowNonce + timestamp in the JSON-RPC envelope; recipient rejects stale/seen; webhook bound to original caller
B6 named the attacks in the abstract. A2A names the protocol artifacts. Every fix is a B5/B6 control applied at the A2A boundary.

The push-notification hijack — the most A2A-specific attack

The setup

tasks/pushNotification/set lets a caller register a webhook for async task updates. The agent POSTs results to the webhook when the Task completes.

The attack

If Task IDs are enumerable and registration is not bound to the original caller, the attacker re-registers the webhook to their own URL for the victim's Task. The agent sends the completed results to attacker.com/exfil. The victim never receives them.

Data exfiltration at protocol granularity — no content tampering required. The attacker never touches the Task; they redirect where its results are delivered. Fixes: random Task IDs, caller-bound registration, webhook allowlist, signed challenge.

Delegation chains — over-propagation vs attenuated tokens

Over-propagation (anti-pattern)

Orchestrator passes its full credential to the research agent, which passes it to the extraction agent. The extraction agent is compromised → it now holds the orchestrator's full authority and can call any agent.

Attenuated capability tokens

Each hop mints a strictly weaker token: method=message/send, Task=T1, depth=N. The leaf's token authorizes only that method on that Task. Compromise of the leaf is bounded to the Task it was minted for.

This is B5's scoped credential and B6's blast-radius cap, applied inter-agent. Every delegation mints a weaker token; the leaf cannot exceed the Task. The cascade is bounded.

The four orchestration topologies — cascade blast radius

TopologyCompromised nodeCascade blast radius
Orchestrator-workerA workerBounded to that worker's scope — unless the orchestrator passed its full cred to each worker (over-propagation).
Peer-to-peer (mesh)Any nodeEvery peer, eventually. The mesh-wide worst case (B6's warning). Every peer is a trust boundary for every other.
HierarchicalA mid-level supervisorThe supervisor's entire subtree. A compromised leaf is bounded; a compromised root is everything. Risk is depth-dependent.
Market-based (auction)A malicious bidderAny task the malicious bidder wins. The selection is the attack surface. Fix: signed bids, bidder auth, selection audit.
Controls that bound propagation: scoped credentials, capability tokens with attenuation, delegation-depth limits, fan-out caps, external-action allowlists, signed bids.

MCP vs A2A — the two complementary protocols

MCP — agent-to-tool

Agent calls a tool (database, API, filesystem). In-process or local. Framework-level trust. The agent and the tool share a runtime.

A2A — agent-to-agent

Agent calls another agent. Over the network. Protocol-level trust. The agents are independently deployed.

The boundary is an attack surface. An agent registered as an MCP "tool" inherits MCP's weaker trust model while exercising A2A's richer capability surface. Identify which "tools" are actually agents in the SBOM (SDD-B07) and apply A2A-grade authorization regardless of the registration protocol.

Anti-patterns

"We use HTTPS, so the messages are authentic." Transport security guarantees integrity between TLS endpoints, not application endpoints. A proxy or load balancer that terminates TLS breaks it. Cure: application-layer payload signatures over canonical-JSON.
Passing the full credential down a delegation chain. A compromised leaf is a compromised orchestrator. Cure: mint attenuated capability tokens at each hop.
Trusting the Agent Card's authentication field as posture. The card declares what the agent accepts; it does not prove the agent enforces it. Cure: verify the card's signature; treat the field as a claim.
Enumerable Task IDs. Sequential or timestamp-derived IDs let an attacker poll tasks/get across a range and read every Task. Cure: random 128-bit IDs; caller-bound authorization on every read.

What you can now do

  1. Describe the A2A spec — Agent Cards, Task lifecycle, Messages, Artifacts, JSON-RPC methods — as a concrete attack surface.
  2. Explain the A2A trust model: how agents authenticate, how delegation chains propagate (and over-propagate), and where the protocol is silent.
  3. Identify the four core threats (impersonation, task hijacking, tampering, replay) and map each to its B6 control and A2A-specific fix.
  4. Articulate the MCP/A2A relationship and why the boundary between them is an attack surface.
  5. Evaluate the four orchestration topologies for cascade blast radius and design authorization that bounds propagation.
The lab: build two agents that communicate via simulated A2A. Then attack the channel — substitute a malicious Agent Card, replay a push-notification registration, hijack a Task via input-required, exceed the delegation chain's authority. Confirm the B6 defenses defeat each attack at the A2A layer.

B6 introduced inter-agent trust. C4 covers multi-agent orchestration at platform scale.