Concept Guides
Public Key Infrastructure
Public and Private Keys
utilize symmetric cryptographic keys for encrypting and decrypting data use signing keys to digitally sign messages and verify the signatures of other entities raidiam connect's public key infrastructure docid\ ukxpxzgjtt4iswg9nbxe0 enables organizations participating in a trusted environment to obtain and utilize cryptographic key pairs in the form of a json web key set (jwks) such keys can be used for data encryption/decryption or digital message signing public keys public keys, used for encryption or signature verification, are shared openly they are represented as mathematical values, typically in binary format however, when expressed in human readable form, they appear as a complex sequence of characters, resembling a lengthy string of numbers and letters, serving as a lock that can be publicly distributed without compromising security the main type of key used by the trust framework is the rsa key (rfc 8017) private keys private keys are bound to public keys and enable the decryption/encryption of data or the creation of digital signatures its format is similar to that of the public key rsa private key format organization's private keys must be kept secret at all times types of key pairs in different contexts in connect's public key infrastructure docid\ ukxpxzgjtt4iswg9nbxe0 , key pairs are not one size fits all; they are tailored for specific functions such as encryption and signing signing key pairs in digital signing, the private key is used to create a signature on a document or message, while the public key verifies that the signature is valid this ensures the integrity of the message and the confirmation of the identity of the sender encryption key pairs these key pairs are used for encrypting and decrypting data the public key encrypts data that only the corresponding private key can decrypt, ensuring that sensitive information remains confidential during transmission using keys key usage can be divided into three levels server client communication with mtls certificates docid\ vsjypzhvtxr to0eglujt even though certificates are not keys per se, they contain the subject's public key and are signed with public key infrastructure docid\ ukxpxzgjtt4iswg9nbxe0 private key having the subject's public key within a certificate is crucial for asymmetric encryption or digital signatures, enabling clients to encrypt messages that only the server can decrypt or verify messages signed by the server certificates are authenticated through a digital signature by a public key infrastructure docid\ ukxpxzgjtt4iswg9nbxe0 (ca) this signature is created using the ca's private key when a server presents its certificate to a client, the client uses the ca's public key (which the client trusts) to verify the certificate's authenticity this process ensures the certificate indeed belongs to the server and hasn't been tampered with signed messages between applications applications seeking access to resources from data providers docid\ apm ilivcfpfft1ld0puc can utilize signing keys to digitally sign their messages, thereby, enabling validation of their identity as well as granting non repudiation signatures are often done by signing the json payload using the private key in possession of the data receiver, creating a jwt ( rfc 7519 ) since the signature can be verified only with the public key registered for an application, signing messages ensures that if any part of the message is altered after the message was signed, the signature is no longer valid additionally, the signature verifies whether the message was signed by a known and trusted sender who possesses the corresponding private key once a message is signed, the sender cannot deny sending the message or its contents as the message could only have been signed by the private key, which is possessed only by the sender this property is crucial in scenarios where proof of message origin is necessary, also defined as non repudiation encrypted messages applications or servers seeking to exchange data on unsecured channels, like the browser, can encrypt their requests (or parts of it) to ensure confidentiality and integrity of the transmitted data in this process the party that will send the message will use the other party's public key to encrypt the json object, generating a jwe ( rfc 7516 ), which technically can only be converted back into a json with the receiving party's private key encryption ensures that the data contained in the request can only be read by the intended recipient even if an attacker intercepts the encrypted data, without the corresponding public (decryption) key, the data remains unintelligible and useless additionally, any unauthorized modifications to the encrypted data would fail to decrypt, alerting the recipient to potential tampering json web keys jwks a json web key (jwks) is a json object for transmitting and validating cryptographic keys, particularly public keys, in web based applications it contains an array of json web keys (jwk), each representing a cryptographic key which usually includes key type ( kty ) , usage ( use ) the usage, which can be signature ( sig ) or encryption ( enc ), digital signaure algorithm ( alg ), unique identifier ( kid ) and the public key attributes, which for rsa type keys are the exponent ( e ) and the modulus ( n ) example jwks { "keys" \[ { "kty" "rsa", "use" "sig", "kid" "12345", "alg" "rs256", "n" "base64 encoded modulus", "e" "base64 encoded exponent" } ] } key description kty key type specifies the cryptographic algorithm family used for the key (e g , rsa, ec) use public key use indicates the intended use of the key, such as sig for signature or enc for encryption kid key id a unique identifier for the key, used to match a specific key to a jwt alg algorithm identifies the algorithm intended for use with the key, such as rs256 for rsa signature with sha 256 n public key modulus only used for rsa keys, it represents the modulus value e public key exponent only used for rsa keys, it represents the exponent value x x coordinate only used for ec keys, it represents the x coordinate on the elliptic curve y y coordinate only used for ec keys, it represents the y coordinate on the elliptic curve crv curve only used for ec keys, it specifies the elliptic curve type key pairs and jwks usage example jwks are utilized, for example, by oauth authorization servers and client applications for transferring in a standardized way the client application's credentials when a client application registers with an authorization server, it can submit its public keys, or a reference that points to those keys, in the form of jwks this setup is particularly relevant in the oauth private key jwt client authentication method here, the client application sends a jwt, signed with its private key, to authenticate itself to the authorization server the authorization server then uses the corresponding public key from the jwks, provided at registration, to verify the token's authenticity this process ensures that the communication between the client and the server is both secure and verifiable the client application is registered at the authorization server with it's public key the client application generates a json web token (jwt) header and payload and base64url encode them the payload and header are concatenated together in the encodedheader encodedpayload format to form an assertion the assertion is signed using a cryptographic algorithm that takes the input data (assertion) and the client's private key to produce a signature the signature is base64url encoded the result is concatenated to from the jwt using the encodedheader encodedpayload encodedsignature format the client application passes the jwt to the authorization server for client authentication, for example, while calling the authorization server's /token endpoint the jwt is passed as the value of the client assertion request body parameter the request must contain the client assertion type=urn\ ietf\ params\ oauth\ client assertion type\ jwt bearer parameter the authorization server decrypts the received jwt using client application's public key to verify the assertion below, you can see examples of each object used to create a jwt sample public key jwks { "kty" "rsa", "e" "aqab", "use" "sig", "kid" "12345", "alg" "rs256", "n" "k qhrbca0rughsxl51zwlt i8lh7fmtdrav87opf5q7kql8l4akaswjdc8lzya83jdlkisk lkbzmvc mwfi50klhkon92bacu mk rp0gjvlzsqkn04cu dowcf0vl yrrklsxgo04smdrblrgk1l1nfp8ov4ea7i9qmrnda9xtkeduqronrqrqqno13dd0lvu4exz5pfojg7qpelqgqxestis z5gt8zorzjupw6ev vaudm lizgmgwut5izreff6z4gnkigldjzeudy4bjndhquvpqj8ic1 uyg4llnbl vnpemkmumz3pe3iqyocgffa72l0xreys5hzdb8jw" } sample jwt header { "alg" "rs256", "typ" "jwt", "kid" "12345" } sample jwt payload { "iss" "client id", "sub" "client id", "aud" "https //sample authorization server com/oauth/token", "exp" 1716239022, "iat" 1916239022 } below, you can find a working example of a jwt you would receive as a result along with both keys in x 509 pem format for simplicity you can use the below resources at sites like, for example, jwt io to test it once you paste the sample jwt, public key, and private key, you will receive the message that your signature was successfully verified sample jwt eyjhbgcioijsuzi1niisinr5cci6ikpxvcisimtpzci6ijeymzq1in0 eyjpc3mioijjbgllbnrfawqilcjzdwiioijjbgllbnrfawqilcjhdwqioijodhrwczovl3nhbxbszs1hdxrob3jpemf0aw9ulxnlcnzlci5jb20vb2f1dggvdg9rzw4ilcjlehaioje3mtyymzkwmjisimlhdci6mtkxnjizotaymn0 jhesv1ctadqumzdu0ce wtmyqgl tpsgspmo1lwabs1ropforspbfd18cyaccxvbkgi8b3wiib0fjxcsjhxwmgbmvtv0y71jp wib8nanqigxzq4hvhpmtelc6xpmmeod4vkg85gq6sfk3pli0eea9yiov8nfgwmtwhqnhmwl9vfvnn8yc5efvwge6mbxrkjyicqr84ox96dg2llqu4h6rufcxgptyjwnzw j6a3faqun9irkfhmtmnkstayyhyiepeblyggecnl3jwpdncymqgndvscoatjiikrzmrh46yvkme06zesykhdbshuj qmsrfq9se1b7bvqmhzfiyca sample public key in x 509 pem format begin public key miibijanbgkqhkig9w0baqefaaocaq8amiibcgkcaqeak/ qhrbca0rughsxl51zwlt/i8lh7fmtdrav87opf5q7kql8l 4akaswjdc8lzya83jdlkisk/lkbzmvc/mwfi50klhkon92 bacu/mk/rp0gjvlzsqkn04cu+dowcf0vl+yrrklsxgo04s mdrblrgk1l1nfp8ov4ea7i9qmrnda9xtkeduqronrqrqqn o13dd0lvu4exz5pfojg7qpelqgqxestis+z5gt8zorzjup w6ev/vaudm+lizgmgwut5izreff6z4gnkigldjzeudy4bj ndhquvpqj8ic1/uyg4llnbl/vnpemkmumz3pe3iqyocgff a72l0xreys5hzdb8jwidaqab \ end public key sample private key in x 509 pem format begin private key miievqibadanbgkqhkig9w0baqefaascbkcwggsjageaaoibaqct9aettwdstqaf jexnxpcvp8jwuhsuxn1ec/zuil/mrusqxwvgappjammlwtnidzemmusjir8urtmz vz8xywlnsqsesg33ztpy7+yr+s/scnutmxcq3tgjt4m5zx/s+x7jfeouxcy7thix 2seteyruvwcu/yhxgrrsj2oyucmd3g2qr26quietbgqo2jxd0psvw7h7fnk8u4md tcl4taarf5jojl5nkzpzm6tklq/dorx9ubqob4ulmywzzrpmlnf4v/rpia0qiyt2 nl64njhsk10eq5u9anyjzx9tkdiwu1sv9wc8qwoy4zpc8tchbg4iyv8dvaxtgsri zmhmnvwnagmbaaecggeazgtq/qg/uysfse4n91kis4fgb2bnx+zvrcqx/8v+kmxr 9garg6ehx7kro4linkb5ghzfrqhml3xxmvsmifqq/hxjxfsaamyznyl4pz7m6mey zdestpczuofptlejhbbxsimbdxr+u4pj1win53g/ly5i1agvsbfgzxqgog+i3xej pyjovi2khk3oapvecat46i+sh8zdllsybectbq+afmoke7lp0bqv7amutrcbdls/ sgfa3uuwp/2uvjwy+gempbizrdcm8kxm8dcssz3tcwv9f42ygdgatbexuyozppkn 9je1g6fwhzh3m/bcc5p8dpgrswzwf0otac4yiesxcqkbgqdy2iuqdrrawtapjhqx uagfjfvq0rhqreci6z58haczlffs21ffz/pozp5jniaqcnpucjgh3yaqjus/wxl6 wioemkrlrvvm/qa0h20z1s36u+seng+t7dp3wdrudtpco9omnhgxxokk3mdiucru kxm/iltqe1l0a+fmc7uczxukbqkbgqcuqwvw+sfaki2kpebskbc8bbfognw7fw3m lsw52qf3uys3rwy26+wvolrhvyovhqala9ecrb5wyrg2n2eqpwl9zxgkhlrpi5fo r2n0jq8v0emztwxgoq/jfkxaskzueoywhnoqxpdnmylmfr6mgeg2ux7ktvblquks mdbo/xwjowkbggwo644lc0ot0mljjpxcgqpkfrodneypzlg912iclkw351efwzns zw0euuheuok88b7edsiqqhzjifwgy2gf+3e5cpx0ijeib+rjnf6kdw+kphhuqsx/ fxhgydce8q8ytwh7bihpthhxl6te9hidxh91ow3ewuskqg1vujqdtwlfaogansv6 ev6gft1/c5t+orstxjhh4nazeq24h/jcw5nbhajgcjfezzvh12lyj9njqv8zkwlv 5m/bo328ovrwwzxjfes0lfbalmgnxxi5tuzhbzzitekflh2zvo8/a9txixhi5ljq usudyei2/ywtjui1kfmtu6aoqz5jxpwnftuqdomcgyeajrn0j3avkjido3jdp8yj nyfyxpjcmn5lanfge6bkxyzoeipmmfhw8hisxnxkjhb4qjr8b17n7k/xqj7xhzly ws57euiixbjpas6eangvw5yrrqlelzghklarh8zz1l5kgyxosftl/nkfxxvi6qj9 enem9vjl8pfcbmendlixydq= \ end private key