Back

Security & Verification Overview

Understanding AcadCert's cryptographic architecture

Cryptographically Secure Verification

AcadCert uses industry-standard RSA-4096 cryptographic signatures to ensure credential authenticity, integrity, and non-repudiation. Every verification performs three independent security checks.

1. Cryptographic Signature Model

RSA-4096 Digital Signatures

All credentials are signed using RSA-4096, providing:

  • Authenticity: Confirms the credential originated from the claimed institution
  • Integrity: Detects any modification to the document after signing
  • Non-repudiation: Prevents the institution from denying issuance
Technical Note: RSA-4096 provides approximately 160 bits of security strength, making it resistant to current and near-future cryptanalysis attempts.

2. Institution Root Keys & Cryptographic Isolation

Each institution is assigned a unique cryptographic root identity:

  • All credentials must chain to the institution's root key
  • Private keys are securely protected and never exposed to issuers or students
  • Key versioning supports cryptographic rotation without invalidating historical credentials
  • Cryptographic isolation prevents cross-institution access or forgery
Protected

Institution private keys are encrypted at rest and never leave the secure server environment.

Prevented

Compromised issuer accounts alone cannot generate valid credentials without access to institution keys.

3. System-Controlled Signing Model

Credential signing is performed at the platform level:

  • Individual issuers do not have access to signing keys
  • Issuer identity and authorisation status are recorded at issuance
  • Compromised issuer accounts alone cannot generate valid credentials

Security Benefit:

This design reduces insider risk while preserving accountability. Even if an issuer account is compromised, the attacker cannot create cryptographically valid credentials.

4. Three-Layer Verification Model

Every verification, whether on AcadCert or VeriCert, performs three independent checks:

1

Cryptographic Integrity

Confirms the signature matches the document content using the correct institutional public key.

2

Issuing Authority

Confirms the institution authorised the issuer at the time of issuance.

3

Revocation Status

Confirms the credential has not been revoked or superseded.

Critical: All Checks Must Pass

A credential is considered INVALID if any verification step fails. This ensures comprehensive security.

5. Threat Model Considerations

The system is designed to remain secure under common threat scenarios:

Compromised Issuer Accounts

Cannot generate valid credentials without institution signing keys

Insider Misuse

Audit logs track all credential operations with issuer attribution

External Redistribution

Public verification via VeriCert works on any copy of the credential

Document Tampering

Any modification invalidates the cryptographic signature immediately

Independent Verification

Verification through VeriCert does not require access to a student account and can be performed independently by employers, institutions, or any third party.

Privacy PolicyBack