Developer Information: Public-Key Encryption in LoTW
LoTW uses public-key cryptography to authenticate QSOs submitted by each user. Public-key cryptography employs two separate but mathematically-related keys, one of which is private and one of which is public. Information encrypted with a private key can only be decrypted with its associated public key, proving that the holder of the private key was the source of the information.
When the user directs TQSL to request a Callsign Certificate, TQSL generates a private key and a public key. It stores the private key in the user's computer, and sends the public key to the ARRL. The ARRL creates a Callsign Certificate that links the user's callsign with the public key, and emails the Callsign Certificate to the user in a file with a .tq6 filename extension.
When the user specifies a file to be submitted to LoTW using a specified Station Location, TQSL
- obtains the Callsign Certificate specified by the Station Location
- uses the callsign specified in the Callsign Certificate to select the appropriate private key
- uses this private key to generate an encrypted signature for each QSO, and places the signatures and QSOs in a Digitally Signed Log file with a .tq8 filename extension.
- sends the Digitally Signed Log to the LoTW Server
The LoTW Server decrypts each received QSO signature using your public key, and verifies its consistency with the received QSO -- thereby proving that you are the source of that QSO and that the QSO's details have not been changed.