Registration consists of uploading the user's public keys for two algorithms: Curve25519, used for key agreement (and so for encrypting messages), and Ed25519, used for digital signatures. The keys are sent to the push messaging server, the service that delivers messages to the user's device. The server owns an elliptic-curve (ECC) key pair whose public key is hardcoded in the user's device; the device encrypts the user's public keys to that server public key before uploading them, so only the server, holding the matching private key, can read them. If the server already has a record of these public keys, the user has registered before, and the user is advised to generate a new pair of public and private keys for both algorithms. The user does this by changing some aspect of the login credentials, such as the username, email address or password, because the private keys are derived from the login credentials with a hash function: they are never stored on the server or anywhere else (assuming the system is trustworthy) and are only recreated when the user enters the credentials again. The private keys are used to decrypt messages from the server and to sign messages to the server. Two consequences follow from this derivation. First, the keys are exactly as strong as the credentials: a guessable password yields guessable private keys, and anyone who learns the credentials can recreate both keys, so the derivation should use a password-hashing function such as Argon2 or scrypt rather than a plain fast hash. Second, any credential change, including a routine password reset, silently rotates both key pairs, so every party holding the old public keys must fetch the new ones.
The push messaging server acts as a mediator between the user and other parties that want to communicate with the user. For example, a website that the user subscribes to may want to send notifications to the user's device. The website can use the push messaging server to deliver the notifications without knowing the user's device address or public keys. The website only needs to know the user's identifier, which is a unique string that the server assigns to each user.
When the website wants to send a notification to the user, it first requests the user's public keys from the push messaging server using the user's identifier. The stored keys were encrypted to the server's public key, so only the server's private key can recover them: the server decrypts them and returns the plaintext public keys to the website over a secure channel. (A public key cannot be used to decrypt; whatever the website receives must come from the server itself, so that response needs to be authenticated, for example by the server's transport certificate or a signature from the server.) The website then encrypts the notification with the user's public Curve25519 key and signs it with its own private Ed25519 key. It sends the encrypted and signed notification to the push messaging server along with the user's identifier, and the server forwards the notification to the user's device over a secure channel without being able to read it.
When the user's device receives the notification from the push messaging server, it first verifies the signature with the website's public Ed25519 key, which the device must already hold (the text does not say how it is distributed, but the authenticity of that key is what the whole check rests on). A valid signature means the notification was produced by the holder of that website's signing key and was not altered in transit. The device then decrypts the notification with its private Curve25519 key and displays it to the user. The user can reply by reversing the steps: the device encrypts the reply to the website's public Curve25519 key (the website needs one for this direction, just as the user does) and signs it with the user's own private Ed25519 key, then sends it to the push messaging server, which delivers it to the website.
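The complete exchange described above, from credential-derived keys through the website's encrypt-then-sign step, the device's verify-then-decrypt step, and the reply, as an added Go example that is not code from the original text. It assumes X25519 plus AES-256-GCM under an ephemeral key as the concrete form of "encrypt with the Curve25519 public key", labelled SHA-256 in place of a real password KDF, a website that derives its own keys the same way purely to stay self-contained, and constructed credentials; the type and function names (Identity, PublicKeys, Envelope, DeriveIdentity, Seal, Open) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PublicKeys is the half a party uploads to the push server; the server hands it to websites.
type PublicKeys struct {
	Enc  []byte // 32-byte X25519 (Curve25519) public key, used to derive per-message keys
	Sign ed25519.PublicKey
}

// Identity is a party's two private keys plus the matching PublicKeys.
type Identity struct {
	Enc  *ecdh.PrivateKey
	Sign ed25519.PrivateKey
	Pub  PublicKeys
}

// DeriveIdentity recreates both private keys from the login credentials, so nothing is stored and
// changing any credential rotates both keys. Labelled SHA-256 stands in for a password KDF (assumption;
// use Argon2 or scrypt in practice): either way the keys are exactly as strong as the credentials.
func DeriveIdentity(username, email, password string) *Identity {
	cred := username + "\x00" + email + "\x00" + password
	encSeed := sha256.Sum256([]byte("push-enc-v1\x00" + cred))
	sigSeed := sha256.Sum256([]byte("push-sig-v1\x00" + cred))
	enc, _ := ecdh.X25519().NewPrivateKey(encSeed[:]) // 32-byte input: cannot fail
	sig := ed25519.NewKeyFromSeed(sigSeed[:])
	pub := PublicKeys{Enc: enc.PublicKey().Bytes(), Sign: sig.Public().(ed25519.PublicKey)}
	return &Identity{Enc: enc, Sign: sig, Pub: pub}
}

// Envelope is what the push server forwards without being able to read it: an ephemeral X25519 key,
// an AES-GCM nonce and ciphertext, and an Ed25519 signature over those three (encrypt-then-sign).
type Envelope struct {
	Ephemeral, Nonce, Ciphertext, Signature []byte
}

// signed returns the bytes the signature covers; Ephemeral (32 B) and Nonce (12 B) are fixed-length, so
// plain concatenation cannot be reparsed ambiguously.
func (e *Envelope) signed() []byte {
	return bytes.Join([][]byte{e.Ephemeral, e.Nonce, e.Ciphertext}, nil)
}

// sessionKey runs X25519 against a raw peer public key and binds the shared secret to both public keys
// before using it as an AES-256-GCM key.
func sessionKey(priv *ecdh.PrivateKey, peer, ephPub, recipientPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub) // rejects low-order points (all-zero shared secret)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{shared, ephPub, recipientPub}, nil))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead, nil
}

// Seal is the website's side: encrypt to the recipient's X25519 key under a fresh ephemeral key, then
// sign the whole envelope with the sender's Ed25519 key.
func Seal(sender *Identity, recipient PublicKeys, plaintext []byte) (*Envelope, error) {
	seed := make([]byte, 32)
	rand.Read(seed) // crypto/rand.Read never returns an error (Go 1.24+)
	eph, _ := ecdh.X25519().NewPrivateKey(seed)
	aead, err := sessionKey(eph, recipient.Enc, eph.PublicKey().Bytes(), recipient.Enc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	env := &Envelope{Ephemeral: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}
	env.Signature = ed25519.Sign(sender.Sign, env.signed())
	return env, nil
}

// Open is the device's side: verify the expected sender's signature first, and only then decrypt with
// the recipient's X25519 private key.
func Open(recipient *Identity, sender PublicKeys, env *Envelope) ([]byte, error) {
	if !ed25519.Verify(sender.Sign, env.signed(), env.Signature) {
		return nil, errors.New("bad signature: wrong sender or altered in transit")
	}
	aead, err := sessionKey(recipient.Enc, env.Ephemeral, env.Ephemeral, recipient.Enc.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() { // constructed credentials; the site's keys are derived the same way only for self-containment
	user := DeriveIdentity("alice", "alice@example.com", "correct horse battery staple")
	site := DeriveIdentity("news.example", "", "site-signing-secret")
	env, _ := Seal(site, user.Pub, []byte("new article published"))
	msg, err := Open(user, site.Pub, env)
	fmt.Println(string(msg), err)
}
```

Two design points worth noting. The signature check in Open runs before any decryption, matching the order in the text, and a forged sender key, a tampered ciphertext, or a wrong recipient key each fail closed. Deriving the same credentials twice yields byte-identical public keys, which is what lets the server detect a repeat registration, and changing only the password yields entirely different ones.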