Ty Everett ([email protected])
This document specifies a peer-to-peer protocol for mutual authentication and signed data exchange. The protocol uses certificates, nonce-based challenges, and digital signatures to protect the integrity and authenticity of messages, enabling:
- Selective field disclosure of certificates without revealing unnecessary information.
- Highly extensible message types, suitable for a variety of use cases such as transaction coordination, identity verification, and arbitrary data sharing.
- Interchangeable transport layers, which can be HTTP, NFC, WebSockets, or any mechanism supporting bidirectional message exchange.
The specification provides a standard approach for issuance, storage, retrieval, and verification of identity certificates, as well as the end-to-end handshake and messaging protocols between peers.
Secure interactions among different wallets and services are critical. These interactions typically require:
- Proving identity in a privacy-preserving manner, possibly revealing only some data fields (e.g. “I am over 18” without revealing full date of birth).
- Ensuring that both parties are authenticated to each other (mutual authentication), reducing the risk of man-in-the-middle or impersonation attacks.
A standard protocol for mutual authentication and certificate exchange addresses these needs and fosters interoperability between applications, wallets, and vendors.
- Wallet: An interface or application managing the user’s keys, capable of signing, encrypting, and decrypting data in conformance with BRC-100.
- Certificate: A data structure that attests to certain user attributes, signed by a certifier.
- Master Certificate: A special form of certificate that has been encrypted field-by-field, each with a unique symmetric key, stored in an internal keyring.
- Verifiable Certificate: A certificate derived from a master certificate, revealing keys for only the fields a particular verifier may see.
- Peer: A party participating in communication, using the protocol to exchange messages.
- Session: The state tracking an authenticated channel between two peers.
- Nonce: A random value used once within a cryptographic exchange to ensure freshness and avoid replay attacks.
- Signature: A digital signature produced by the user’s or certifier’s private key.
- Transport: The underlying communication medium that relays messages between peers.
Certificates are stored and transmitted in a binary format to optimize size and parsing consistency. We specify each field in table form, together with how it is conventionally represented when not in binary. The binary format is always used for signing and verification, but the conventions are useful for human readability. A certificate has the following primary fields:
| Field Name | Type | Description |
|---|---|---|
| Type | 32-byte (base64) string | Certificate category identifier (e.g., unique type associated with “social handles”). |
| SerialNumber | 32-byte (base64) string | Uniquely identifies this certificate instance. |
| Subject | 33-byte compressed pubkey (hex) | The wallet’s (subject’s) public key. |
| Certifier | 33-byte compressed pubkey (hex) | The certifier's public identity key. |
| RevocationOutpoint | 32-byte TXID + varint output idx | On-chain reference to track revocation (if spent, revoked). |
| Fields | Varint count + repeated pairs | Pairs of: <fieldNameLength, fieldName, fieldValueLength, fieldValue> |
| Signature | Varint length + bytes | Certifier’s signature over all fields (excluding itself). |
Important: Each certificate field is encrypted with a field-specific key. The encrypted version is signed.
A Master Certificate includes a master keyring. Each field in the certificate is encrypted with a unique symmetric key. Those keys, in turn, are encrypted for the certificate holder (subject). Hence, a master certificate is able to decrypt any of its own fields locally but can selectively re-encrypt only some fields for a verifier.
A Verifiable Certificate is derived from a master certificate. It still contains all fields in ciphertext form (so that signatures can be verified) but also includes a “verifier-specific keyring.” For fields the subject wishes to disclose, the subject decrypts the corresponding symmetric key from the master keyring and re-encrypts it for the verifier. Consequently, the verifier can decrypt only those chosen fields.
-
Master Keyring Generation
- For each field
f, create a random symmetric keyK_f. - Encrypt the field’s plaintext using
K_f, store asFields[f] = E(K_f, fPlaintext). - After all fields are encrypted, the certifier signs the assembled certificate, comprising all encrypted fields.
- The certifier can then encrypt the key
K_ffor the subject’s own identity:EncryptedKey_f -> E_subject(K_f), the subject can store in the master keyring.
- For each field
-
Disclosure to a Verifier
- When selectively disclosing field
f, the subject decryptsEncryptedKey_f, obtainsK_f, and re-encryptsK_fwith the verifier’s identity key, producingK_f_for_verifier. - The subject includes
K_f_for_verifierin the verifier’s keyring for that verifiable certificate.
- When selectively disclosing field
Certificate Creation
- User (subject) or certifier forms certificate fields (including
Type,SerialNumber, etc.). - Each field is encrypted.
- The certifier signs the certificate data.
Certificate Verification
- A party verifying a certificate reassembles the binary structure.
- Checks the signature against the “signature preimage” (all primary certificate fields except the signature itself, and not including their verifier keyring).
- Considers the
RevocationOutpointto confirm the certificate is not on-chain revoked (if it is not 36 zero bytes).
Selective Disclosure
- The subject issues a Verifiable Certificate containing:
- Original field ciphertext.
- Re-encrypted field keys for fields to reveal.
- The certifier’s signature.
The verifier can decrypt each revealed field’s ciphertext with the provided key, verifying the signature across the entire certificate to ensure authenticity.
Each message exchanged between peers contains:
- Version: The protocol version string (e.g. “0.1”).
- MessageType: One of:
initialRequest,initialResponse,certificateRequest,certificateResponse,general. - IdentityKey: Sender’s public key.
- Nonce Fields: For challenge–response patterns (e.g.
yourNonce,initialNonce). - Signature: A digital signature by the sender’s private key over the relevant content.
- Optional Data:
- Certificates: A list of verifiable certificates.
- RequestedCertificates: A set specifying certifiers and certificate types with fields.
- Payload: Arbitrary data included in
generalmessages.
The protocol does not mandate a specific transport. Any medium that can:
- Deliver messages in a reliable or semi-reliable manner, and
- Allow receiving peer messages,
can be used. HTTP requests, WebSockets, Bluetooth, NFC, or local function calls are all valid.
A peer typically maintains a session record containing:
- isAuthenticated: Whether the peer is recognized as fully authenticated.
- sessionNonce: A locally generated random 256-bit value.
- peerNonce: The peer’s random 256-bit value.
- peerIdentityKey: The peer’s public identity key.
A session is created or updated whenever a handshake starts or completes. Nonces and signatures ensure that replaying old messages fails.
The handshake typically has two messages in the simplest form: an initialRequest and an initialResponse.
-
initialRequest
- Sender (A) generates a random nonce (A_Nonce).
- A sends
initialRequestcontaining:messageType = "initialRequest"identityKey = A_publicKeyinitialNonce = A_Nonce- Optionally, a
requestedCertificatesset if A wants B’s certificates.
-
initialResponse
-
Receiver (B) verifies the request, creates its own random nonce (B_Nonce).
-
B sends
initialResponsecontaining:messageType = "initialResponse"identityKey = B_publicKeyinitialNonce = B_Nonce(its own newly created nonce)yourNonce = A_Nonce(echoing A’s nonce)- Optionally, any certificates B wants to share right away.
- A signature verifying B truly created this message.
-
When A receives this
initialResponse, it verifies B’s authenticity via the signature over(A_Nonce + B_Nonce), marking the session as authenticated.
-
- Each party uses a cryptographically secure random generator for the nonce (e.g., 32 bytes).
- The verifying side must ensure the nonce is matched or “echoed” in subsequent messages.
- Optionally, one may use an HMAC-based approach to bind nonces to their key, avoiding the need to keep track of all nonces that they created.
Signature ensures authenticity. The signing steps:
- Collect relevant data from the message. For instance, a
generalmessage might sign the rawpayloadarray plus ephemeral fields such as(requestNonce + peerNonce)to bind the message to the session. - Use the BKDS-based BRC-100 signature creation and verification mechanisms.
- Place the resulting signature in the message’s
signaturefield.
Verification:
- Recompute the same message preimage.
- Verify the signature with the alleged identityKey.
- If valid, accept the message. Otherwise, reject or treat as an error.
After or during handshake, a peer may request:
certificateRequest: “Please provide certificate(s) of type(s) X, issued by Y (or Z).”certificateResponse: Peer responds by attaching a list of verifiable certificates that match the requested type and certifier.
Request:
- Contains a
RequestedCertificatesstructure:certifiers: array of public keys representing permissible certifiers.types: a dictionary ofcertificateTypeID -> array of fields requested.
Response:
- Contains an array of VerifiableCertificates, each possibly containing:
- Encrypted fields.
- Re-encrypted keys for the requester.
- The certifier’s signature.
Once both sides have completed the handshake (i.e. set isAuthenticated=true in their session records), they can exchange arbitrary data:
messageType = "general"payloadcan be any binary or text data encoded consistently.- The message includes a fresh
nonceand references the peer’snoncefor ephemeral binding to the session. - The
signaturecovers the payload plus nonces.
- Replay Attacks:
- Nonces must be unique and used once. The receiver ensures that the same nonce is not accepted more than once.
- Man-in-the-Middle:
- The handshake uses mutual signature verification. If a middle party tries to modify data, the signature verification fails.
- Certificate Revocation:
- The
revocationOutpointcan be polled or monitored in the ledger to confirm it has not been spent. A spent outpoint implies the certificate is revoked Non-zero outpoints must be checked.
- The
- Selective Disclosure:
- Properly encrypt fields with randomly derived keys.
- Re-encrypt those keys only for intended verifiers.
- Privilege Escalation:
- Carefully manage session state to ensure a partially authenticated session does not gain privileges.
- Transport Security:
- Although each message is authenticated, transport-level encryption (e.g. TLS) can still be beneficial, especially to hide message lengths or frequencies.
- This protocol does not encrypt any data by itself.
- Data Types:
- Nonces are 32 bytes.
- Public keys are 33 bytes in compressed DER format.
- Certificate fields may vary in size, so a length-prefix technique (varint) is standard.
- Storage:
- A wallet may store certificates in a local database.
- A session manager maps
sessionNonceandpeerIdentityKeyto a single in-memory record.
This protocol is heavily inspired by existing cryptographic handshake approaches (SSH, TLS) and identity-certificate systems (X.509), adapted for a BSV-based environment. Contributors within the ecosystem have refined these ideas to align with BKDS, peer-to-peer exchange, selective disclosure, and other needs.