Key Pair Usage
In Raidiam's Public Key Infrastructure, key pairs are not one-size-fits-all; they are tailored for specific functions such as encryption and signing.
You can use key pairs for three purposes:
Server-Client Communication with mTLS Certificates
Even though certificates are not keys per se, they contain the subject's public key and are signed with Certificate Authoritie's private key.
Having the subject's public key within a certificate is crucial for asymmetric encryption or digital signatures, enabling clients to encrypt messages that only the server can decrypt or verify messages signed by the server.
Certificates are authenticated through a digital signature by a Certificate Authority (CA). This signature is created using the CA's private key. When a server presents its certificate to a client, the client uses the CA's public key (which the client trusts) to verify the certificate's authenticity. This process ensures the certificate indeed belongs to the server and hasn't been tampered with.
Signing Keys
Applications seeking access to resources from Data Providers can utilize signing keys to digitally sign their messages, thereby, enabling validation of their identity as well as granting non-repudiation.
Signatures are often done by signing the JSON payload using the private key in possession of the Data Receiver, creating a JWT (RFC 7519). Since the signature can be verified only with the public key registered for an application, signing messages ensures that if any part of the message is altered after the message was signed, the signature is no longer valid. Additionally, the signature verifies whether the message was signed by a known and trusted sender who possesses the corresponding private key.
Once a message is signed, the sender cannot deny sending the message or its contents as the message could only have been signed by the Private Key, which is possessed only by the sender. This property is crucial in scenarios where proof of message origin is necessary, also defined as non-repudiation.
Encryption Keys
Applications or Servers seeking to exchange data on unsecured channels, like the browser, can encrypt their requests (or parts of it) to ensure confidentiality and integrity of the transmitted data.
In this process the Party that will send the message will use the other party's public key to encrypt the JSON object, generating a JWE (RFC 7516), which technically can only be converted back into a JSON with the receiving party's Private Key.
Encryption ensures that the data contained in the request can only be read by the intended recipient. Even if an attacker intercepts the encrypted data, without the corresponding public (decryption) key, the data remains unintelligible and useless. Additionally, any unauthorized modifications to the encrypted data would fail to decrypt, alerting the recipient to potential tampering.
