Signed & unsigned SensePrints
The difference between signed & unsigned SensePrints and how to set the issuers key pairs.
1.1 Introduction
When starting up the server, there is an option for the user to generate a property called the issuers_private_key.
What this does is to generate a private-public key pair based on the secp256k1 cipher. The private key resides within the server, and is then used to sign the SensePrint during the generation of the SensePrint. This SensePrint can then be verified to have originated from the issuer using the public key to check and confirm.
In the online mobile SDK version, since there is a link with the issuer server, the verifier can simply send a request to the issuer server to confirm the validity of a certain SensePrint. However, in the offline mobile SDK version, since there is no link with the issuer server, the offline SDK itself needs to have the corresponding public key in order to verify that the SensePrint has indeed been originated from the correct issuer. This is defined in the ISSUERS_PUBLIC_KEY property of the offline SDK. Hence, in the offline SDK, this property needs to be set IF the server that generates the SensePrint has a issuer's private key set. Otherwise, an error will be thrown when trying to verify the SensePrint using the offline SDK.
1.2 Certificate Authority (CA), FacePKI and issuers_private_key
issuers_private_keyHow does the Certificate Authority (CA), FacePKI and issuers_private_key fit and work together?
What is the link between the Certificate Authority (CA) and the FacePKI?
In SenseCrypt FacePKI, the SenseCrypt server can generate Face Certificates using SensePrints. These Face Certificates enable face-based signing and encryption. However, how does the user of the Face Certificates know that it is actually generated from the legitimate issuer? To do this, the SenseCrypt server also has to be a Certificate Authority. This means that it has to issue a root certificate which verifiers can then use to check that the Face Certificates are from the legitimate source.
What is the link between a Certificate Authority and the
issuers_private_key?As mentioned in the previous section, the CA has to issue the root certificate. This root certificate is essentially a public key that can be used to check if the underlying SensePrint of the Face Certificate is signed from the associated private key (
issuer_private_key).
1.3 Overview of SensePrint Generation and Verification
SensePrint Generation - Online
✅ `issuer_private_key` is used to sign the SP during generation
✅ SP generated, but is not signed.
SensePrint Generation - Offline
❌ `ISSUERS_PUBLIC_KEY` set in the offline SDK will throw an error for SP generation.
✅ SP generated, but is not signed.
SensePrint Verification - Online
✅ The issuer server checks that the SP is signed from the same issuer server
✅ SP verified. However, no verification of source legitimacy.
SensePrint Verification - Offline
✅ The `ISSUERS_PUBLIC_KEY` set in the offline SDK will verify that the SP has been signed by the Issuer.
✅ SP verified. However, no verification of source legitimacy.
Face Certificate Generation - Online
✅ `issuer_private_key` is used to sign the generated Face Certificate.
❌ Not possible. FC needs to be signed.
Face Certificate Generation - Offline
❌ There is no `issuer_private_key` to sign the Face Certificate. Face Certificate will not be generated.
❌ Not possible. FC needs to be signed.
Face Certificate Verification - Online
✅ The issuer server checks that the FC is signed from the same issuer server.
❌ Not possible. FC needs to be signed.
Face Certificate Verification - Offline
❌ Currently FC can't be verified offline.
❌ Not possible. FC needs to be signed.
Last updated