Securing Mechanisms
Securing mechanisms use cryptography—primarily digital signatures and mathematical proofs—to ensure authenticity and integrity of verifiable credentials. They protect credentials from tampering and enable verification without contacting the issuer.
These mechanisms confirm:
- The claimed issuer issued the credential (authenticity)
- The credential hasn’t been altered (integrity)
- The credential hasn’t been revoked (currency)
Core concepts
Section titled “Core concepts”Verifiable Credentials and Proofs
Section titled “Verifiable Credentials and Proofs”A verifiable credential consists of claims, metadata, and proofs. The proof cryptographically binds the issuer to the credential, establishes integrity, and enables verification without trusting intermediaries.
Trust Model
Section titled “Trust Model”Securing mechanisms enable non-repudiation (issuers can’t deny signed credentials), tamper-evidence (modifications invalidate proofs), decentralized verification (no issuer contact needed), issuer identification, and holder control.
How securing mechanisms work
Section titled “How securing mechanisms work”According to the W3C Data Integrity specification, the creation of cryptographic proofs for verifiable credentials involves three key steps:
1. Transformation
Section titled “1. Transformation”Transformation prepares credential data for hashing by converting it into a standardized, deterministic format through canonicalization, serialization, or selective transformation.
2. Hashing
Section titled “2. Hashing”Hashing applies a cryptographic hash function to create a fixed-length digital fingerprint. Any change to the input produces a completely different hash. Common algorithms include SHA-256, SHA-3, and BLAKE2.
3. Proof Generation
Section titled “3. Proof Generation”The final step creates a cryptographic proof based on the hash and the issuer’s private key. For digital signatures, this encrypts the hash with the issuer’s private key to create a signature verifiable only with the issuer’s public key.
Types of securing mechanisms
Section titled “Types of securing mechanisms”The W3C specifications define several approaches for securing verifiable credentials:
Embedded Proofs
Section titled “Embedded Proofs”Embedded proofs include the proof as a property of the credential itself, containing metadata about the proof method and verification details:
{ "@context": ["https://www.w3.org/ns/credentials/v2", "https://www.w3.org/ns/credentials/examples/v2"], "id": "http://university.example/credentials/3732", "type": ["VerifiableCredential", "UniversityDegreeCredential"], "issuer": "https://university.example/issuers/565049", "validFrom": "2010-01-01T19:23:24Z", "credentialSubject": { "id": "did:example:ebfeb1f712ebc6f1c276e12ec21", "degree": { "type": "BachelorDegree", "name": "Bachelor of Science in Mechanical Engineering" } }, "proof": { "type": "DataIntegrityProof", "cryptosuite": "eddsa-2022", "created": "2023-02-24T23:36:38Z", "verificationMethod": "https://university.example/issuers/565049#key-1", "proofPurpose": "assertionMethod", "proofValue": "z58DAdFfa9SkqZMVPxAQpic7ndSayn1PzZs6ZjWp1CktyGesjuTdwQZHZVkm2dLmHkrfYtWd6ZFdCDFG3kXhwrAXR" }}Enveloping Proofs
Section titled “Enveloping Proofs”Enveloping proofs wrap the entire credential in a cryptographic envelope. JSON Web Tokens (JWT) with JSON Web Signatures (JWS) are commonly used, consisting of header (metadata), payload (credential), and signature (proof):
// JWT Header{ "alg": "ES256", "typ": "JWT", "kid": "did:example:123#key-1"}
// JWT Payload (the credential){ "@context": ["https://www.w3.org/ns/credentials/v2"], "type": ["VerifiableCredential", "UniversityDegreeCredential"], "issuer": "https://university.example/issuers/565049", "validFrom": "2010-01-01T19:23:24Z", "credentialSubject": { "id": "did:example:ebfeb1f712ebc6f1c276e12ec21", "degree": { "type": "BachelorDegree", "name": "Bachelor of Science in Mechanical Engineering" } }}
// JWT Signature// Base64-encoded signature created using the issuer's private keyZero-Knowledge Proofs
Section titled “Zero-Knowledge Proofs”Zero-knowledge proofs (ZKPs) allow holders to prove possession of valid credentials without revealing the data. This enables selective disclosure and enhanced privacy. Implementations include BBS+ signatures, CL signatures, and SD-JWT.
Security and privacy considerations
Section titled “Security and privacy considerations”Cryptographic suite selection impacts security through algorithm strength, key length, and quantum resistance. Proper key management, protection against replay and forgery attacks, and robust revocation checking are critical.
Different mechanisms offer different privacy characteristics: standard signatures reveal all data, selective disclosure hides specific attributes, and zero-knowledge proofs enable proving properties without revealing data.
Integration in Vidos
Section titled “Integration in Vidos”The Vidos Verifier service validates credentials by resolving the issuer’s DID, checking proofs, verifying integrity, and confirming revocation status. It supports configurable cryptographic suites and security parameters.