Passport
  • 👩‍💻Welcome
  • How Passport Works
    • Overview
    • Background
      • Threshold Cryptography
      • Secure Multi-Party Computation
      • Distributed Architecture
      • Secure Enclaves
    • In Depth
      • Under the Hood
      • User Flows and Account Controls
      • The Halides Model
      • End-to-End Encryption
      • Security
      • Node Operation
  • guides and examples
    • Getting Started
    • Quickstarts and Examples
      • Passkey Account
      • Clerk Auth
      • Lambda Quickstart
  • Authentication
    • Overview
    • Configuring your scope
    • Passkeys
      • Registration
        • Register using SDK
        • Register using API
          • Initiate Registration
          • Complete Registration
      • Authentication
        • Authenticating with SDK
        • Authenticating with API
          • Initiate Authentication
          • Complete Authentication
    • Developer Owned Auth
      • Registration
        • Register using SDK
        • Register using API
          • Delegate Registration
  • Wallet Operations
    • Overview
    • Passkeys Signer
      • Sign Message
        • Sign Message SDK
        • Sign Message API
      • Sign Transaction
        • Sign Transaction SDK
        • Sign Transaction API
    • DOA Signer
      • Sign Message
        • Sign Message SDK
        • Sign Message API
      • Sign Transaction
        • Sign Transaction SDK
        • Sign Transaction API
    • Viem Support
  • Programmability
    • Overview
    • Passport Lambda
    • Lambda Functions
      • Create Lambda
        • Create Lambda SDK
        • Create Lambda API
      • Execute Lambda
        • Execute Lambda SDK
        • Execute Lambda API
      • List Lambda
        • List Lambda SDK
        • List Lambda API
  • Appendix
    • Moving to Mainnet
    • State Of The Network
    • Generating DOA Keys
    • API Request Setup
      • Unauthenticated Requests
      • Authenticated Requests
Powered by GitBook
On this page
  1. How Passport Works
  2. In Depth

End-to-End Encryption

PreviousThe Halides ModelNextSecurity

Last updated 1 year ago

End-to-end encryption prevents third-parties from accessing data while it's transferred from one end system to another. In this scenario, even the operators of the network nodes that facilitate the communication cannot see the payload in plain text.

Here's how it works, enhanced by the use of secure enclaves and the AES key encryption scheme:

Encryption:

  • Your device generates a temporary AES key for symmetric encryption, ensuring that the message can be encrypted and decrypted quickly and securely.

  • The message is encrypted using this AES key, turning the plaintext into ciphertext.

  • The AES key is encrypted using a public RSA key that originates from a secure enclave. Consequently, only within the secure enclave, which possesses the matching private RSA key, can the AES key be decrypted.

Transmission:

  • The encrypted message (ciphertext) and the encrypted AES key are sent across the internet.

  • encrypted AES key is also sent through the x-encrypted-key header

  • Anyone who might intercept the message during transmission, including node operators, cannot decipher it because they don't have the necessary private RSA key to decrypt the AES key, and thus cannot decrypt the message itself.

Decryption:

  • Upon arrival, the receiver's device uses a secure enclave, a highly protected area in the processor, to safely use their private RSA key to decrypt the encrypted AES key.

  • The secure enclave then uses the decrypted AES key to decrypt the message, restoring it to its original, readable form.

The secure enclave ensures that the decryption process is isolated from the rest of the system, adding an extra layer of security. Even if the network is compromised, or the node operators are malicious, they cannot access the private RSA key or the unencrypted data. Only the intended recipient, with the private RSA key securely stored in their enclave, can decrypt and read the message.

End to end encryption flow