Skip to main content
Table of contents

How GOV.UK Verify uses encryption and signing

GOV.UK Verify uses a separate pair of private and public keys for encryption and signing. The keys are very long numbers. You can get the public key from the private key, but not the other way around.

Public keys may be shared publicly but private keys must only be known to the owner. Services connected to GOV.UK Verify share their public keys in the self-signed certificates they generate. They keep their private keys secret.

As a service connecting to GOV.UK Verify, you need to generate your own private keys and self-signed certificates for:

  • signing messages
  • encrypting messages

Handling encryption and signing

The Verify Service Provider (VSP) handles encryption and signing for services connected to GOV.UK Verify.

When you first connect to an environment, you must:

  • share your self-signed encryption and signing certificates with GOV.UK Verify
  • configure your VSP with your private keys

Sharing your self-signed encryption and signing certificates lets the GOV.UK Verify Hub:

  • encrypt responses only your VSP can decrypt
  • recognise your VSP’s signature on requests
  • check that requests haven’t changed since your VSP signed them

Configuring your VSP with your private keys lets your VSP:

  • sign requests sent to the GOV.UK Verify Hub
  • decrypt responses from the GOV.UK Verify Hub

Your VSP automatically gets the GOV.UK Verify Hub’s signing certificate from the Hub’s metadata. This certificate lets your VSP check responses:

  • are from the GOV.UK Verify hub
  • haven’t been tampered with

Your self-signed certificates are valid for 1 year. You must keep them up to date.

Message encryption

For example, the GOV.UK Verify Hub encrypts responses for your service using your self-signed encryption certificate. Your VSP then uses your private encryption key to decrypt the response from the GOV.UK Verify Hub. Only your VSP can do this because it has your private encryption key.

Your VSP does not need to encrypt requests for the GOV.UK Verify Hub because the request body is empty. However, your VSP does sign the empty request so the GOV.UK Verify Hub can check where the request came from.

Message signing

When receiving a signed message, the receiver can use the sender’s signing certificate to check:

  • the sender’s identity
  • the message has not been tampered with

For example, your VSP signs requests with your private signing key. This signature uniquely identifies your service. When receiving the signed request, the GOV.UK Verify Hub uses your self-signed signing certificate to check:

  • the request came from you
  • the request has not changed since your VSP signed it

Similarly, the GOV.UK Verify Hub signs responses with its private signing key. Your service uses the GOV.UK Verify Hub’s signing certificate to check:

  • the response came from the GOV.UK Verify Hub
  • the response has not changed since the GOV.UK Verify Hub signed it
This page was last reviewed on 27 January 2020. It needs to be reviewed again on 27 January 2021 by the page owner #verify-developers .
This page was set to be reviewed before 27 January 2021 by the page owner #verify-developers. This might mean the content is out of date.