The MIRACL Trust Android SDK (
https://github.com/miracl/incubator-milagro-mfa-sdk-android) contains methods which can be used to configure a 'Designated Verifier Signature' app whereby the MIRACL Trust authentication server can issue secret signing keys to users and allow them to verify their transactions with multi-factor signatures.
The DVS scheme enables a client to sign a transaction which can only be verified by a designated verifier. Three components are required:
The scheme has the following flow:
DvsCreateDocumentHashbackend SDK method to create a SHA256 hash. The hash together with a timestamp is then sent back to the mobile client app.
DvsVerifySignaturemethod of the backend SDK.
A typical user flow for a mobile DVS application would be:
In the Android SDK, there are methods which can be used to manage the basic setup and primary registration and authentication process such as
StartAuthentication. An illustration of these methods in use (in a simple demo app) can be found here
For the purposes of this guide, the following DVS-specific methods are available:
public Status startRegistrationDvs(User user, String token)
token is the access token issued for the user during the primary Open ID Connect authentication process. This
token has to be passed from the RP server backend to the mobile application.
It is this token which ensures that the user does not have to re-register and confirm their ID. They only need to create a new second PIN for DVS signing:
public Status finishRegistrationDvs(User user, String multiFactor)
finishRegistrationDvs finalizes the user registration process. Before it is called, the PIN must be obtained from the end user (it is possible to introduce other authentication factors besides a PIN, hence the
String multiFactor array above)
public boolean verifyDocumentHash(String document, byte hash)
Once the RP server backend has returned the hash of the document to the mobile client app, this method verifies that the hash value is correct for the given document. It returns true or false.
public Status sign(User user, byte documentHash, String secret, int epochTime, String authzToken, Signature signature)
This method signs the documentHash for the given user. The user's authentication factor (i.e. their secondary DVS PIN) has to be provided.
epochTime is the timestamp, in Epoch format, for the document/transaction signature. This will have been created by the RP server backend, using the backend SDK
authzToken is a token that the Android SDK needs in order to be able to generate the signature and verify against the platform the correctness of the provided authentication factors. This token should also be generated by the application back-end, using one of the MFA Backend SDK variants.
Generally, the token has the format
"MAAS-HMAC-SHA256 <token>" as
<token> is Base64-encoded
<hmac-sha256-signature> is an HMAC-SHA256 signature of the hex-encoded document hash, using the Client Secret as a key