Encrypting Data/Keys using a Face Certificate

How to use Face Certificates to encrypt keys

Because a Face Certificate contains a public key, it can be used to encrypt data. Decrypting that data then requires the matching private key.

This private key can only be generated from the user's face, SensePrint, and the purpose ID specified to generate the Face Certificate.

Hence, encrypted data can only be decrypted via a live Face Scan of the intended recipient.

The type of key contained in a Face Certificate is an Elliptic Curve Cryptography (ECC) key based on the Secp256k1 (Bitcoin) curve.

It is possible to use the public key in the Face Certificate directly to encrypt data of any size with an implementation of the Elliptic Curve Integrated Encryption Scheme (ECIES) in a programming language of your choice.

However, to make life simpler, we offer an end-point to encrypt data using a Face Certificate.

Because this is a web end-point, we restrict the size of data that can be encrypted. Rather than encrypting a large amount of data directly, use the end-point to encrypt a symmetric key, or the private key of an asymmetric key pair, and encrypt the bulk data with that key.

The encrypted key can then be stored side by side with the encrypted data. To decrypt the data, the steps needed are:

  1. Decrypt the encrypted key using a SensePrint, Face, and Purpose ID

  2. Decrypt the encrypted data using the decrypted key in step 1
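The ECIES construction mentioned above, and the key-wrapping pattern in the two steps just listed, as an added worked example. This is illustrative code written for this page, not the vendor's SDK or end-point implementation: it uses only the Python standard library, writes out the secp256k1 arithmetic, and follows SEC 1 ECIES with the ANSI X9.63 KDF (SHA-256), the XOR symmetric scheme and an HMAC-SHA256 tag. A locally generated key pair stands in for the face-derived one, the 32-byte data key is a constructed sample, and the output format is not the end-point's (the page does not specify it). The scalar multiplication is not constant-time; use a vetted library in production.

```python
import hashlib
import hmac
import os

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, generator G of order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, point):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def encode_point(point):
    return b"\x04" + point[0].to_bytes(32, "big") + point[1].to_bytes(32, "big")  # SEC 1 uncompressed

def decode_point(data):
    """Parse an uncompressed point and reject anything not on the curve."""
    if len(data) != 65 or data[0] != 4:
        raise ValueError("expected a 65-byte uncompressed point")
    x, y = int.from_bytes(data[1:33], "big"), int.from_bytes(data[33:], "big")
    if x >= P or y >= P or (y * y - x * x * x - 7) % P != 0:
        raise ValueError("point is not on secp256k1")
    return x, y

def generate_keypair():
    """Random scalar in [1, N-1] and its public point; stands in for the face-derived pair."""
    while True:
        d = int.from_bytes(os.urandom(32), "big")
        if 1 <= d < N:
            return d, point_mul(d, G)

def kdf_x963(shared_secret, length):
    """ANSI X9.63 KDF with SHA-256: SHA256(Z || counter) blocks, counter from 1."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha256(shared_secret + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def ecies_encrypt(recipient_pub, plaintext):
    """ECIES (SEC 1, XOR scheme + HMAC-SHA256). Output: R || C || T."""
    r, R = generate_keypair()                                 # fresh ephemeral key per message
    z = point_mul(r, recipient_pub)[0].to_bytes(32, "big")    # ECDH secret: x-coordinate of r*Q
    keys = kdf_x963(z, len(plaintext) + 32)
    enc_key, mac_key = keys[:len(plaintext)], keys[len(plaintext):]
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, enc_key))
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return encode_point(R) + ciphertext + tag

def ecies_decrypt(recipient_priv, message):
    """Inverse of ecies_encrypt; raises ValueError unless the tag verifies."""
    if len(message) < 65 + 32: raise ValueError("message too short")
    R = decode_point(message[:65])
    ciphertext, tag = message[65:-32], message[-32:]
    z = point_mul(recipient_priv, R)[0].to_bytes(32, "big")   # d*(r*G) == r*(d*G)
    keys = kdf_x963(z, len(ciphertext) + 32)
    enc_key, mac_key = keys[:len(ciphertext)], keys[len(ciphertext):]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):                # verify before touching plaintext
        raise ValueError("MAC mismatch: wrong private key or tampered message")
    return bytes(a ^ b for a, b in zip(ciphertext, enc_key))

# Constructed sample: the 32-byte data-encryption key to wrap for the certificate holder.
DATA_KEY = bytes(range(32))

def demo():
    # Wrap DATA_KEY for one recipient; only that recipient's private key unwraps it.
    priv, pub = generate_keypair()
    wrapped = ecies_encrypt(pub, DATA_KEY)                    # store this beside the encrypted data
    other_priv, _ = generate_keypair()                        # a different face / purpose ID
    try:
        ecies_decrypt(other_priv, wrapped)
        rejected = False
    except ValueError:
        rejected = True
    return ecies_decrypt(priv, wrapped) == DATA_KEY, rejected
```

The wrapped blob is self-contained (ephemeral public key, ciphertext, tag), which is why it can sit next to the bulk ciphertext and be unwrapped later by whoever can reproduce the recipient's private key. The MAC is checked before any plaintext is released, so a wrong key or a modified blob fails closed rather than yielding garbage.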

As before, on the Swagger Docs page, authorize using the API Key you set up earlier.

Expand the /encrypt-with-face-certificate section and then click the Try it out button as shown below:

Encrypting a key using a Face Certificate

Upon clicking Try it out, you can submit a request body like the one below. key_base_64 is the base64 encoding of the key to be encrypted; the truncated sample value begins like a base64-encoded DER EC private key, consistent with wrapping the private key of an asymmetric key pair:

{
  "face_certificate_pem": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----",
  "key_base_64": "MHQCAQEEIKu0Xuf...."
}

Please note that when you generate a Face Certificate, it is returned with line breaks. When you paste it into the Swagger Docs request body, those line breaks must be replaced with the two-character escape \n so that the value is a valid JSON string.

If you submit the Face Certificate programmatically, you do not need to replace the line breaks yourself: any JSON library escapes them as \n when it serializes the string.
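Submitting the request programmatically, as an added example written for this page (not the vendor's client code). It shows that serializing the PEM with json.dumps produces the escaped \n form that the Swagger page requires you to type by hand. The base URL, the API-key header name and the sample certificate are assumptions: the page gives only the path /encrypt-with-face-certificate and does not document the response fields.

```python
import base64
import json
import urllib.request

# Assumed values (not from the page): API base URL and the header the
# Swagger "Authorize" button sets for the API key.
BASE_URL = "https://api.example.com"
API_KEY_HEADER = "X-API-Key"

# Constructed sample: a real certificate is returned by the Face Certificate
# generation call and contains line breaks in exactly this way.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "c2FtcGxlIGNlcnRpZmljYXRlIGJvZHk=\n"
    "-----END CERTIFICATE-----\n"
)

def build_request_body(face_certificate_pem, key_bytes):
    """JSON body for /encrypt-with-face-certificate.

    json.dumps turns each line break in the PEM into the escape \\n, so the
    body is valid JSON without any manual replacement.
    """
    return json.dumps({
        "face_certificate_pem": face_certificate_pem,
        "key_base_64": base64.b64encode(key_bytes).decode("ascii"),
    })

def parse_request_body(body):
    """Inverse of build_request_body: the escaped \\n decodes back to real newlines."""
    obj = json.loads(body)
    return obj["face_certificate_pem"], base64.b64decode(obj["key_base_64"])

def encrypt_with_face_certificate(face_certificate_pem, key_bytes, api_key):
    """POST the key to the end-point and return the parsed JSON response (fields undocumented here)."""
    req = urllib.request.Request(
        BASE_URL + "/encrypt-with-face-certificate",
        data=build_request_body(face_certificate_pem, key_bytes).encode("utf-8"),
        headers={"Content-Type": "application/json", API_KEY_HEADER: api_key},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Keep the raw key bytes out of logs and shell history; the value in key_base_64 is the secret you are asking the end-point to protect, so build the body in code rather than pasting it into the Swagger page for anything other than a throwaway test key.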
