Ed25519 Digital Signatures
Ed25519 is a modern elliptic curve digital signature algorithm that provides excellent security with exceptional performance.
Why Ed25519?
| Property | Benefit |
|---|---|
| Fast | Signature generation and verification in microseconds |
| Secure | 128-bit security level, resistant to all known attacks |
| Small Keys | 32-byte public keys, 64-byte signatures |
| Deterministic | Same input always produces the same signature |
| Side-channel Resistant | Designed to resist timing attacks |
How It Works
The diagram below shows the complete Ed25519 flow from key generation through signing and verification:
Fig. 1 – Ed25519 key generation, signing, and verification process
Key Generation
InTunnel generates an Ed25519 keypair on first startup. The private key is stored securely on the server and never transmitted. The public key is available via the API for verification.
Token Structure
InTunnel tokens contain:
```json
{
  "header": {
    "alg": "Ed25519",
    "typ": "IT"
  },
  "payload": {
    "sub": "user_id",
    "iat": 1699900000,
    "exp": 1699986400,
    "jti": "unique_token_id",
    "permissions": ["tunnel:read", "tunnel:write"]
  },
  "signature": "base64_encoded_ed25519_signature"
}
```
Verifying Tokens
Get the Public Key
```bash
curl https://intunnel.cloud/api/security/public-key
```
Response:
```json
{
  "public_key": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA...\n-----END PUBLIC KEY-----",
  "key_id": "0fe1d58d053ee6dc",
  "algorithm": "Ed25519"
}
```
Python Verification Example
```python
import base64
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey

# Load the public key returned by /api/security/public-key
public_key_pem = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----"""
public_key = serialization.load_pem_public_key(public_key_pem.encode())
# Refuse to continue if the PEM is not actually an Ed25519 key
if not isinstance(public_key, Ed25519PublicKey):
    raise TypeError("expected an Ed25519 public key")

# Verify a signature over the token payload
message = b"token_payload_here"
signature = base64.b64decode("signature_base64")
try:
    # verify() returns None on success and raises InvalidSignature on failure
    public_key.verify(signature, message)
    print("Valid signature!")
except InvalidSignature:
    print("Invalid signature!")
```
Node.js Verification Example
```javascript
const crypto = require('crypto');

const publicKeyPem = `-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----`;

// Parse the key once and confirm it really is Ed25519 before trusting it
const publicKey = crypto.createPublicKey(publicKeyPem);
if (publicKey.asymmetricKeyType !== 'ed25519') {
  throw new Error('expected an Ed25519 public key');
}

const message = Buffer.from('token_payload_here');
const signature = Buffer.from('signature_base64', 'base64');

// Ed25519 hashes internally, so the digest algorithm argument is null
const isValid = crypto.verify(null, message, publicKey, signature);
console.log(isValid ? 'Valid!' : 'Invalid!');
```
Key Rotation
InTunnel supports key rotation for enhanced security:
- New keypair is generated
- Old public key remains valid for verification during transition
- New tokens are signed with the new key
- Old key is retired after grace period
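The following is an added example, not InTunnel's own code, that ties the verification steps above to the rotation scheme: the verifier keeps a key ring of every public key still accepted, selected by the token's key id, so tokens signed with the old key keep verifying during the grace period and fail once it is retired. The canonical serialization of the signed message and the `kid` header field are assumptions for illustration; this page does not specify InTunnel's real encoding.

```python
import base64
import json
import time
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

def load_ed25519_public_key(pem: str) -> Ed25519PublicKey:
    """Parse the PEM served by the public-key endpoint, rejecting other key types."""
    key = serialization.load_pem_public_key(pem.encode())
    if not isinstance(key, Ed25519PublicKey):
        raise TypeError("expected an Ed25519 public key")
    return key

def signing_input(header: dict, payload: dict) -> bytes:
    # ASSUMED canonical form (compact JSON, sorted keys) so signer and verifier
    # agree byte-for-byte; InTunnel's real encoding is not described on this page.
    return json.dumps({"header": header, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()

def sign_token(private_key: Ed25519PrivateKey, key_id: str, payload: dict) -> dict:
    """Server side. 'kid' is an assumed header field carrying the key_id."""
    header = {"alg": "Ed25519", "typ": "IT", "kid": key_id}
    signature = private_key.sign(signing_input(header, payload))
    return {"header": header, "payload": payload,
            "signature": base64.b64encode(signature).decode()}

def verify_token(token: dict, key_ring: dict, now=None) -> bool:
    """Client side. key_ring maps key_id -> Ed25519PublicKey for every key still
    accepted (the current key plus old keys inside the grace period)."""
    header, payload = token["header"], token["payload"]
    if header.get("alg") != "Ed25519" or header.get("typ") != "IT":
        return False                      # the token must not choose the algorithm
    public_key = key_ring.get(header.get("kid"))
    if public_key is None:
        return False                      # unknown or retired key id
    try:
        public_key.verify(base64.b64decode(token["signature"]),
                          signing_input(header, payload))
    except (InvalidSignature, ValueError):
        return False                      # bad signature or malformed base64
    now = time.time() if now is None else now
    return payload.get("iat", 0) <= now < payload.get("exp", 0)
```

Retiring a key is then just removing it from the ring; nothing the token carries can re-enable it.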
Security Note
The private key never leaves the server. All signing operations happen server-side. Only the public key is distributed for verification purposes.
Comparison with Other Algorithms
| Algorithm | Key Size | Signature Size | Security | Performance |
|---|---|---|---|---|
| Ed25519 | 32 bytes | 64 bytes | 128-bit | Excellent |
| RSA-2048 | 256 bytes | 256 bytes | 112-bit | Slow |
| ECDSA P-256 | 32 bytes | 64 bytes | 128-bit | Good |
| HMAC-SHA256 | Symmetric | 32 bytes | 128-bit | Fast |
Ed25519 offers the best combination of security, key size, and performance for our use case.