Skip to main content

Overview

A message signer is ECDSA_P256 or Ed25519 key pair based utility to sign and verify messages.

The main purpose of this object is that allows you to cryptographically sign and verify messages between your application and Duo services. This ensures the integrity and authenticity of the messages being exchanged between Silent Shard SDK and Duo services.

Also message signer can be used to identify the user mobile device, using the cryptographically public key.

What is Message Signer?

The message signer is a simple object holds following properties:

  • publicKey: The public key of the mobile device.
  • sign(message: string): string: A method that takes a message as input and returns a Promise that resolves to the signed message.
  • keyType: The type of key used for signing accepts Ed25519 or ECDSA_P256.

Before SDK send MPC message for DKG and DSG to Duo services, it signs the message using the private key associated with the message signer. Duo services can then verify the message using the mobile public key. Vise versa, Duo services sign the response messages using their private key, and the mobile SDK verifies the message using the CLOUD_VERIFY_KEY.

info

CLOUD_VERIFY_KEY should be logged in the Docker container logs when the Duo server starts.

tip

The message signer ideally created in the mobile device's TEE (Trusted Execution Environment) to ensure the private key's security.

  • iOS: Secure Enclave
  • Android: KeyStore with StrongBox support

From TEE the private key never leaves the secure environment, and all signing operations are performed within the TEE.

Secure Communication between parties

The establish trust between mobile SDK and duo server. And integrity of message communication between them. Each party needs to know each other's public keys.

Identify Mobile Device

The message signer public key can be used to uniquely identify the mobile device. When the mobile device registers with your application backend or auth-svc.

The public key from the message signer can be sent to the backend and associated with the user account. This allows the backend to recognize the device in future interactions, enabling features like device-based authentication and access control. More details on device registration can be found in auth-svc overview.