Content Certification Cryptography

Content Certification uses public-key cryptography (RSA-2048) to create tamper-evident certificates that prove content was verified at a specific time.

Certificate Structure

{
  "certificate_id": "cert-abc123",
  "content_hash": "sha256:def456...",
  "trust_score": 92,
  "verified_at": "2024-01-15T10:30:45Z",
  "expires_at": "2024-04-15T10:30:45Z",
  "claims_verified": [
    {
      "claim": "Founded in 2023",
      "status": "verified",
      "confidence": 0.99
    }
  ],
  "signature": "rsa2048:signature_here",
  "public_key_id": "pk-789"
}

Signing Process

1. Hash Content

Compute the SHA-256 hash of the content:

Content: "TruthVouch was founded in 2023..."
SHA-256 Hash: def456789abcdef...

2. Sign Hash

Sign the hash with the private key (RSA-2048):

Hash: def456789abcdef...
Private Key: [kept secret on HSM]
Signature: rsa2048:abcdefg...

3. Issue Certificate

Package all components:

Certificate = {
    content_hash,
    trust_score,
    verified_claims,
    timestamp,
    signature,
    public_key_id
}

Verification Process

Anyone can verify a certificate's authenticity:

# Verify certificate
# `client` is an initialized API client (setup is not shown on this page)
result = client.certification.verify_certificate("cert-abc123")
if result.valid:
    print("Certificate authentic")
    print(f"Trust Score: {result.trust_score}")
    print(f"Content matches hash: {result.content_match}")
else:
    # Possible reasons: wrong signature, content modified, expired
    print(f"Certificate invalid: {result.reason}")

Tampering Detection

Scenario 1: Content Modified

Original content hash: def456...
Modified content hash: xyz789...
Verification: Hashes don't match → Certificate revoked

Scenario 2: Score Modified

Original signature computed from: hash + score 92
Modified signature attempt on: hash + score 95
Verification: Signature doesn't verify → Certificate invalid

Scenario 3: Fake Certificate

An attacker creates a certificate signed with a different private key
Verification: Public key ID doesn't match TruthVouch keys → Invalid
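
A local check covering the three scenarios above, added here as an illustration; it is not TruthVouch's SDK or implementation. It assumes the signature covers a canonical JSON encoding of every field except `signature` and uses RSASSA-PSS with SHA-256 from the Python `cryptography` package; the names `signed_bytes`, `issue` and `verify` are hypothetical, and a throwaway key stands in for the HSM-held key.

```python
import hashlib
import json
from datetime import datetime, timezone
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Assumed signature scheme: RSASSA-PSS with SHA-256 (not stated on the page).
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)

def sha256_tag(content: bytes) -> str:
    return "sha256:" + hashlib.sha256(content).hexdigest()

def signed_bytes(cert: dict) -> bytes:
    """Canonical JSON of every field except the signature (assumed layout)."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue(content, trust_score, key, key_id, verified_at, expires_at) -> dict:
    cert = {"content_hash": sha256_tag(content), "trust_score": trust_score,
            "verified_at": verified_at, "expires_at": expires_at,
            "public_key_id": key_id}
    cert["signature"] = key.sign(signed_bytes(cert), PSS, hashes.SHA256()).hex()
    return cert

def verify(cert, content, trusted_keys, now):
    """Return (valid, reason). The signature is checked before any field is used."""
    pub = trusted_keys.get(cert.get("public_key_id"))
    if pub is None:
        return False, "unknown_key"       # Scenario 3: key id not in trust store
    try:
        sig = bytes.fromhex(cert["signature"])
        pub.verify(sig, signed_bytes(cert), PSS, hashes.SHA256())
    except (InvalidSignature, KeyError, TypeError, ValueError):
        return False, "bad_signature"     # Scenario 2, or forged under a known id
    if cert["content_hash"] != sha256_tag(content):
        return False, "content_modified"  # Scenario 1
    expires = datetime.fromisoformat(cert["expires_at"].replace("Z", "+00:00"))
    if now >= expires:
        return False, "expired"
    return True, "ok"

# Constructed demo data: a throwaway key stands in for the HSM-held key.
KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
TRUSTED = {"pk-789": KEY.public_key()}
CONTENT = b"TruthVouch was founded in 2023..."
CERT = issue(CONTENT, 92, KEY, "pk-789",
             "2024-01-15T10:30:45Z", "2024-04-15T10:30:45Z")
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)
```

Fields such as `trust_score` and `expires_at` are only trustworthy once the signature over them has verified, which is why `verify` reads them after the signature check.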

Key Management

TruthVouch private keys are stored in AWS CloudHSM:

  • Hardware Security Module: Keys never leave HSM
  • Automatic Rotation: Keys rotated monthly
  • Backup Keys: Geographically distributed
  • Access Control: MFA required for any key access
  • Audit Trail: All key operations logged

Certificate Expiry

Certificates automatically expire to encourage regular re-verification:

  • Default: 90 days
  • Customizable: 30, 60, 90 days, or 1 year
  • After Expiry: Badge shows “expired” status
  • Renewal: Re-certify content for new certificate

Revocation

Certificates can be revoked:

# Manual revocation
client.certification.revoke_certificate(
    certificate_id="cert-abc123",
    reason="facts_changed"
)
# Auto-revocation (if enabled)
# Triggered when underlying facts change

Revoked certificates are published in a revocation list.

Public Verification

Anyone can verify a certificate without logging in:

https://truthvouch.com/verify?cert=cert-abc123

Shows:

  • Certificate is valid/revoked/expired
  • Trust Score
  • Verified claims
  • Verification timestamp
  • Content authenticity

Performance

  • Certificate Generation: <500ms
  • Verification: <10ms (local verification)
  • Public Verification: <100ms (cached)

No performance penalty for security.

Standards Compliance

  • Cryptography: FIPS 140-2 Level 3 (HSM)
  • Signing: PKCS#1 v2.2 (RSA-OAEP)
  • Hashing: SHA-256 (NIST standard)
  • Key Size: RSA-2048 (2048-bit keys)

Next Steps

  • Embedding: How to embed verification in your site
  • Monitoring: Track certificate validity
  • Custom Keys: Use your own signing keys (Enterprise)