How GOV.UK Verify uses encryption and signing
GOV.UK Verify uses a separate pair of private and public keys for encryption and signing. The keys are very long numbers. You can get the public key from the private key, but not the other way around.
Public keys may be shared publicly but private keys must only be known to the owner. Services connected to GOV.UK Verify share their public keys in the self-signed certificates they generate. They keep their private keys secret.
As a service connecting to GOV.UK Verify, you need to generate your own private keys and self-signed certificates for:
- signing messages
- encrypting messages
Handling encryption and signing
The Verify Service Provider (VSP) handles encryption and signing for services connected to GOV.UK Verify.
When you first connect to an environment, you must:
- share your self-signed encryption and signing certificates with GOV.UK Verify
- configure your VSP with your private keys
Sharing your self-signed encryption and signing certificates lets the GOV.UK Verify Hub:
- encrypt responses only your VSP can decrypt
- recognise your VSP’s signature on requests
- check that requests haven’t changed since your VSP signed them
Configuring your VSP with your private keys lets your VSP:
- sign requests sent to the GOV.UK Verify Hub
- decrypt responses from the GOV.UK Verify Hub
Your VSP automatically gets the GOV.UK Verify Hub’s signing certificate from the Hub’s metadata. This certificate lets your VSP check responses:
- are from the GOV.UK Verify hub
- haven’t been tampered with
Your self-signed certificates are valid for 1 year. You must keep them up to date.
For example, the GOV.UK Verify Hub encrypts responses for your service using your self-signed encryption certificate. Your VSP then uses your private encryption key to decrypt the response from the GOV.UK Verify Hub. Only your VSP can do this because it has your private encryption key.
Your VSP does not need to encrypt requests for the GOV.UK Verify Hub because the request body is empty. However, your VSP does sign the empty request so the GOV.UK Verify Hub can check where the request came from.
When receiving a signed message, the receiver can use the sender’s signing certificate to check:
- the sender’s identity
- the message has not been tampered with
For example, your VSP signs requests with your private signing key. This signature uniquely identifies your service. When receiving the signed request, the GOV.UK Verify Hub uses your self-signed signing certificate to check:
- the request came from you
- the request has not changed since your VSP signed it
Similarly, the GOV.UK Verify Hub signs responses with its private signing key. Your service uses the GOV.UK Verify Hub’s signing certificate to check:
- the response came from the GOV.UK Verify Hub
- the response has not changed since the GOV.UK Verify Hub signed it