search

Identity Creation

This page describes how GetTrusted creates identities.

Create a hardware-backed master identity that anchors all trust relationships in GetTrusted.

hashtag
Overview

The identity-creation process establishes a unique, cryptographically verifiable identity on a user’s device. It uses hardware-backed key generation, mnemonic recovery, and one-time master key delegation and master based backup encryption key to ensure that no long-term secrets exist outside secure enclaves.

hashtag
Process Flow

flowchart TD
  A[1. User Input<br/>• Pass phrase user provided - 2 words 3 letters or more for 7 characters] --> B[2. BIP39 Mnemonic Generation<br/>• 24 words = 256-bit entropy<br/>• Hardware randomness]
  B --> C[3. Master Key Derivation PBKDF2-SHA512<br/>• 100,000 iterations<br/>• Input: mnemonic + password]
  C --> D[HKDF-SHA256 key expansion<br/>• Output: 32-byte key]
  D --> E[4. Master Identity Components<br/>• Master Private Key P-256 ECDSA<br/>• Master Public Key<br/>• Fingerprint SHA-256 of pubkey<br/>• Backend ID is fingerpint of certificate]
  E --> F[5. Device Key Generation in Hardware<br/>• Secure Enclave / StrongBox / TPM<br/>• Generate P-256 keypair<br/>• Private key: hardware-only<br/>• Public key: extractable]
  F --> G[6. Certificate Creation<br/>• X.509 Device Certificate<br/>• Signed by Master Private Key<br/>• Subject: Device ID<br/>• Contains: Device Public Key]
  G --> H[7. Master Key Destruction<br/>• CRITICAL: Master private key DESTROYED<br/>• Only device key remains<br/>• Certificate proves authority]
  H --> I[8. Hardware Storage<br/>• Platform Keychain / Keystore<br/>• Store: Device key + Certificate<br/>• Type: kSecClassIdentity]
  I --> R((Result:<br/>Complete hardware-backed identity<br/>with certificate delegation))
1

hashtag
User Input

  • Pass phrase provided by the user.

  • 2 words 3 letters or more.

  • 7 letters or more with space of additional entropy.

2

hashtag
BIP39 Mnemonic Generation

  • Generate a 24-word mnemonic (256-bit entropy).

  • Source entropy from hardware randomness.

3

hashtag
Master Key Derivation

  • Derive master key using PBKDF2-SHA512 with 100,000 iterations.

  • Inputs: mnemonic + password.

4

hashtag
Key Expansion

  • Apply HKDF-SHA256 to expand derived material.

  • Output: 32-byte key.

5

hashtag
Master Identity Components

  • Master Private Key: ECDSA P-256.

  • Master Public Key.

  • Fingerprint: SHA-256 of public key.

  • Backend ID: fingerprint of certificate.

6

hashtag
Device Key Generation in Hardware

  • Generate P-256 keypair inside secure hardware (Secure Enclave / StrongBox / TPM).

  • Private key is hardware-only (non-exportable).

  • Public key is extractable for certificate inclusion.

7

hashtag
Certificate Creation

  • Create an X.509 device certificate containing the device public key and device ID as the subject.

  • Sign the certificate with the master private key.

8

hashtag
Master Key Destruction & Hardware Storage

  • CRITICAL: Destroy the master private key after use (exists only once).

  • Store device key and certificate in platform key storage (e.g., Keychain/Keystore) as a kSecClassIdentity-like entry.

  • Result: complete hardware-backed identity with certificate delegation.

hashtag
Cryptographic Summary

Component
Algorithm
Key Size
Storage Location
Purpose

Mnemonic

BIP39 (Entropy 256-bit)

User memory / optional QR

Recovery seed

Master Key

ECDSA P-256

256 bit

Temporary memory

Signs device certificates once

Device Key

ECDSA P-256

256 bit

Secure Enclave / StrongBox

Ongoing identity operations

Encryption

AES-256-GCM

256 bit

Runtime

Protect private data at rest/in transit

hashtag
Security Guarantees

  • Master private key exists only once, then is destroyed.

  • Device private keys are hardware-bound and non-exportable.

  • Recovery is mnemonic-based, not key-based — the master key is reconstructed, never stored.

  • Certificates cryptographically prove device authority without exposing master secrets.

hashtag
Strategic Implications

GetTrusted identities are born secure-by-design: there are no static credentials to steal. Hardware-backed key generation eliminates centralized trust, enabling verifiable, user-owned identity for every interaction.

PreviousLocal Data EncryptionNextIdentity Recovery Flow

Last updated