Cryptography: Signing, Hashing

Public key cryptography is solid, mature, and well-documented. (Hash codes have been around forever.) This project uses standard open-source implementations and formats.
- The public key is shared openly, like a username.
- The private key is kept secret, like a password.
The key holder can "sign" data using his private key.
The signature can be verified by anyone with the signer’s public key, ensuring:
- the data was genuinely signed by the holder of the corresponding private key and has not been modified.
No usernames or passwords are required.

Strong cryptography is hard to defeat (that's why Bitcoin works).

(The Internet liberated spam and pornography; Cryptography can Liberate Trust. When I'm feelin' melodramatic ;)

Demo: Signature Verification

Click the right arrow to verify the signature
Go back, change or remove any part of this (public key, content, signature), and verify again; the signature will be detected as INVALID.

Who said that?

Unless we know who's key that is, the whole thing is vapid. (A robot can sign, but a robot can't get me to vouch for its humanity;)

Cryptographic Keys are Cryptic

Unlike the usernames and passwords were used to, public/private cryptographic key pair are long and cryptic and can't practically be spoken or memorized. This is why we use QR codes (or occasionally copy/paste) to communicate them.

Sample public key

QR code allows us to communicate public keys using our phones.
JSON format is used when computers communicate with each other.

{

"crv": "Ed25519",

"kty": "OKP",

"x": "rHT5B3q3rBCtNUaSBwT7DxT2Y0Q6fgvmhNKbVhJ_BtQ"

}

Sample public/private key pair

(We don't scan each other's private keys)

{

"crv": "Ed25519",

"kty": "OKP",

"x": "rHT5B3q3rBCtNUaSBwT7DxT2Y0Q6fgvmhNKbVhJ_BtQ",

"d": "_MaCrtWx2jHTOrujWXVeihaBBJHF09QUxzwnk6GGiEQ"

}

They come in Pairs

Lose your private key and your public key is now abandoned. You'll have to get a new pair, can't just replace the private key. (We address this with the "replace" statement; it's complicated.)

Hash codes, Tokens

Consider a hash code of data as a keyless signature. A hash is short regardless of the amount of data. That's why we use them as tokens of keys as well as of statements.

Demo: Token computation (SHA1 hash)

{

"Lorem": "Le Lorem Ipsum est simplement",

"Ipsum est": "la mise en page avant impression."

}

The computed token:

5bbbcd51629054f7f5c79e51b753160065bd36cd

Our use

--Keys

Identity Layer: You have a public/private key pair; the public key is your identity. You vouch for another's identity (and humanity) by signing a statement that includes their identity.
Delegate Keys: You create and give other services disposable public/private key pairs and use your private identity key to sign statements stating that these key pairs represent you on those services.

--Tokens

A key token is used to form the URL for requesting statements signed by that key over our HTTP interface.
Statement tokens
- We chain all statements signed by a key to prevent back-dating in case a key is compromised. The "previous" field of a signed statement is the token of the previous statement signed by that key.
- We identify the last valid statement signed by a key that is revoked by that statement's token.