# Secure communication

Executive summary
**Ripple Custody protects all communications with multiple cryptographic layers: TLS, JWT authentication, mTLS, and application-layer signing.**

- **TLS 1.2+** encrypts all network traffic between components.
- **JWT tokens** authenticate every API request with cryptographic signatures.
- **mTLS** provides mutual authentication for critical components (notary, vault).
- **Application signing** ensures message integrity between notary and vault.


Why this matters
Communication security prevents man-in-the-middle attacks, credential theft, and message tampering. Even if an attacker gains network access, the layered security model ensures they cannot intercept sensitive data or forge authorized requests. This is essential for meeting SOC 2, ISO 27001, and other security compliance requirements.

**For architects and operators**: You are responsible for providing TLS certificates and configuring your PKI. Plan certificate rotation procedures before deployment. Ensure your network infrastructure supports mTLS for notary-vault communication.

Prerequisites
Before reading this page, you should understand:

- [Security architecture](/products/custody/v1.34/concepts/security) - The overall security model and zero-trust principles


## Overview

The platform implements defense-in-depth for all communications:

| Layer | Protection | Purpose |
|  --- | --- | --- |
| **Transport** | TLS 1.2+ | Encrypts all network traffic |
| **Identity** | JWT tokens | Authenticates API requests |
| **Mutual authentication** | mTLS certificates | Verifies both client and server for critical components |
| **Application** | Digital signatures | Ensures message integrity and non-repudiation |


Key Takeaway
These controls work together to prevent **man-in-the-middle attacks**. Even if an attacker intercepts network traffic, they cannot decrypt it (TLS), impersonate a user (JWT signatures), or impersonate a trusted component (mTLS certificates). Messages between the notary and vault are additionally signed at the application layer, providing defense-in-depth.

## Authentication

### JWT authentication

A **JSON Web Token (JWT)** is a compact, digitally signed token that proves a user's identity without requiring the server to look up session data. Think of it as a tamper-proof ID badge: it contains claims about who you are, is signed by a trusted authority, and can be verified by any component that trusts that authority.

All requests to the API backend must authenticate using a JWT passed as a bearer token.

| Aspect | Details |
|  --- | --- |
| **Identity provider** | The Authentication Server (a dedicated OIDC server) verifies user identity and issues JWTs |
| **Token expiration** | Default is four hours |
| **Obtaining a JWT** | Challenge-response: user signs a random challenge with their private key; server validates and returns JWT |
| **Challenge reuse** | Challenges can only be used once to prevent replay attacks |


### Digital signatures for authorization

Any request (Intent) to change the system state requires a digital signature. This proves the request came from the claimed user and has not been modified.

**How it works**: The user's application creates a unique "fingerprint" of the request and signs it with their private key. The platform verifies this signature using the user's registered public key. If even one character of the request was changed, the signature becomes invalid.

**Technical process:**

1. **Canonicalization**: Request body converted to canonical JSON (spaces removed, properties sorted, null values removed).
2. **Hashing**: Canonical JSON hashed using SHA-256.
3. **Signing**: Hash signed using the user's private key (stored externally—never communicated to the platform).
4. **Encoding**: Signature serialized in DER format with Base64 encoding.


The notary verifies this signature against the user's registered public key. This prevents both impersonation and tampering.

## Network security

### Mutual TLS (mTLS)

Standard TLS (Transport Layer Security) is one-way: the client verifies the server's certificate, but the server doesn't verify the client. **Mutual TLS (mTLS)** requires both parties to present and verify certificates — each side proves its identity to the other before any data is exchanged.

Ripple Custody uses mTLS for communication between critical components (notary, vault) to ensure that even if an attacker gains network access, they cannot impersonate a trusted component.

### Your internal PKI

You must provide TLS entities from your internal PKI:

- CA certificate
- Server certificate
- Server certificate key


These secure the four ingress endpoints:

Note
The endpoints below are examples. Replace `open-shift-cluster-domain` with your actual OpenShift cluster domain.

| Endpoint | Purpose |
|  --- | --- |
| `api.<cluster-domain>` | API Gateway |
| `frontend.<cluster-domain>` | Web UI |
| `auth.<cluster-domain>` | Authentication Server |
| `notary-bridge.<cluster-domain>` | notary Bridge |


### Internal platform communication

Communication between core components (on OpenShift) and secure components (notary/vault on HPVS) uses:

| Mechanism | Description |
|  --- | --- |
| **Application-layer mutual trust** | End-to-end encrypted connection between vault and notary |
| **Signed messages** | Information exchanged is signed and verified on both ends |
| **Key exchange at setup** | A key exchange during system setup builds the chain of trust |


### Dependency connections

Connections to infrastructure services you provide:

| Service | Purpose | Security |
|  --- | --- | --- |
| **KMS/HSM** | Cryptographic signing operations | mTLS or HSM-specific secure protocol |
| **PostgreSQL** | Data storage | TLS; data integrity verified cryptographically by notary |
| **AMQP (RabbitMQ)** | Async message queue | TLS |
| **Container registry** | Container image distribution | TLS; image signatures verified |


### Blockchain connections

| Connection | Description |
|  --- | --- |
| **Indexer to node** | Chain-specific indexers monitor your blockchain nodes (direct or via http_proxy; Bitcoin supports socks5) |
| **Transaction broadcast** | Ledger Accounting Service broadcasts signed transactions |


## The security lifecycle in practice

A typical governed transaction follows this flow:


```mermaid
sequenceDiagram
    participant User
    participant API as API Gateway
    participant Auth as Auth Server
    participant Notary
    participant Vault
    participant KMS

    User->>Auth: 1. Authenticate (challenge-response)
    Auth-->>User: JWT token

    User->>API: 2. Submit signed Intent (JWT + TLS)
    API->>Notary: 3. Forward Intent (mTLS)

    Notary->>Notary: 4. Verify user signature
    Notary->>Notary: 5. Check policies & Merkle tree
    Notary->>Notary: 6. Verify ARF version

    Notary->>Vault: 7. Request signing (mTLS + signed message)
    Vault->>KMS: 8. Sign transaction
    KMS-->>Vault: 9. Return signature only

    Vault-->>Notary: 10. Signed transaction
    Notary->>Notary: 11. Update Merkle tree & ARF
```

| Step | Security Controls |
|  --- | --- |
| 1-2 | TLS encryption, JWT authentication, digital signature |
| 3-6 | mTLS, signature verification, state validation |
| 7-9 | mTLS, application-layer signing, key isolation |
| 10-11 | Cryptographic state commitment |


## Glossary

| Term | Definition |
|  --- | --- |
| **ARF** | Anti-rewind file. A cryptographically protected file that tracks the current state version to prevent replay attacks. See [Data integrity](/products/custody/v1.34/concepts/data-integrity#anti-rewind-file-arf). |
| **Bearer token** | An authentication token included in HTTP request headers. Anyone "bearing" the token can use it, so it must be transmitted over TLS. |
| **Canonical JSON** | A standardized JSON format with sorted keys and no whitespace, ensuring the same data always produces the same byte sequence for signing. |
| **DER format** | Distinguished Encoding Rules. A binary encoding for cryptographic data structures like signatures and certificates. |
| **Intent** | A signed request to change system state (e.g., transfer funds, update a policy). |
| **JWT** | JSON Web Token. A compact, signed token containing identity claims, used for stateless authentication. |
| **mTLS** | Mutual TLS. A TLS connection where both client and server present certificates and verify each other's identity. |
| **OIDC** | OpenID Connect. An identity layer built on OAuth 2.0 that enables authentication and identity verification. |
| **PKI** | Public Key Infrastructure. A system of certificates, certificate authorities, and trust relationships used to verify identities. |
| **TLS** | Transport Layer Security. A cryptographic protocol that encrypts network traffic and verifies server identity. |