I had this fun idea to create a certificate that you can earn by solving a puzzle game that I created a couple of months back. So the player solves a puzzle, enters their name, and a pdf rolls out with their name stating that they solved it. This pdf would be the certificate they earn.
Obviously it is just a joke certificate, which means that it doesn't need to be completely unforgeable. Nevertheless I would like to make it a little bit more difficult than solving my puzzle. However I don't want to go as far as setting up a server that stores all certificates in a secure database for verification purposes. That would be too much work and then I also have to change my privacy policy.
The way I imagined the certificate would be as follows:
- The certificate shows some personal information about the certificate holder like the name, so it can be verified easily that they are the one who earned the certificate.
- The certificate also contains some kind of signature generated by my app, which depends on all the information that is visible on the certificate. A forger should have a hard time creating this signature, but it should be "easy" to verify that it is the correct signature.
The first thing that came in my mind was to use some kind of encryption scheme. Since I am no expert on encryption, I came up with probably the most well known type of encryption scheme: RSA encryption. I know what you are thinking and yes I know that RSA encryption is not meant to be used for this. That is why I had one slight modification in mind to make it work for my purposes:
- Encryption key is private
- Decryption key is public
- Both the "message" and the encrypted "message" will be public
Now let me explain how it would work step by step:
- I generate the prime numbers, keys, and everything else I need for RSA encryption and hardcode everything into my app.
- Someone earns a certificate and fills in their name, birthdate, favorite color...
- The app adds the current datetime (and maybe some other values that will probably be unique) as readable information to the certificate.
- The app takes all readable information from steps 2 and 3 and creates a big number from it that is likely to be unique. The way this is done will be public information for verification purposes.
- The app encrypts this big number with the secret encryption key.
- The encrypted number will be added to the certificate as some kind of QR code in the corner.
For verification purposes someone could repeat steps 1 to 4 to recreate the big number and reverse steps 6 and 5 to create the another big number. If the two big numbers match then the certificate is considered to be valid. Since the encryption key is a secret, it should be hard to forge a certificate.
Here are my questions:
- Would this actually work as I intended to or is there some reason why this would fail?
- Is there a better/easier way of doing this sort of thing? Maybe not with RSA?
Use a digital signature algorithm like ECDSA instead.