Public Key Cryptography, Digital Signatures

• Keys are created in pairs:
  • Public key: shared openly (like a username)
  • Private key: kept secret (like a password).
  • The key holder can "sign" data using his private key.
  • The signature can be verified by anyone with the signer’s public key, ensuring that the data was genuinely signed by the holder of the corresponding private key and has not been modified.
• Solid, mature, and well-documented technology. This project uses standard open-source implementations and formats.

Demo: Signature Verification

Crypto Keys are Cryptic

Unlike the usernames and passwords we're used to, public/private cryptographic key pairs are long and cryptic and can't practically be spoken or memorized. This is why we use QR codes (or occasionally copy/paste) to communicate them.

• QR codes allow us to communicate public keys using our phones.
• JSON format is used when computers communicate with each other.

Sample public key

{
  "crv": "Ed25519",
  "kty": "OKP",
  "x": "rHT5B3q3rBCtNUaSBwT7DxT2Y0Q6fgvmhNKbVhJ_BtQ"
}
        

Sample public/private key pair

{
  "crv": "Ed25519",
  "kty": "OKP",
  "x": "rHT5B3q3rBCtNUaSBwT7DxT2Y0Q6fgvmhNKbVhJ_BtQ",
  "d": "_MaCrtWx2jHTOrujWXVeihaBBJHF09QUxzwnk6GGiEQ"
}
        

They come in Pairs

Lose your private key and your public key is now abandoned. You'll have to get a new key pair, can't just replace the private key. (We address this with the "replace" statement.)

Hash codes, Tokens

Consider a hash code of data as a keyless signature. A hash is short regardless of the amount of data. That's why we use them as tokens for keys as well as of statements.
We hash keys to locate where their statements can be retrieved.
We hash statements to identify them uniquely when forming a chain of statements to prevent backdating and to identify the last valid statement signed by a revoked key.