160 likes | 391 Views
DoT Face Value Document. Ver 1.0 17 August 2014. The Face Value Document. The Face Value Document is a secured paper document used by DoT for all its security documents. The current document is similar to a Bank Cheque.
E N D
DoT Face Value Document Ver 1.0 17 August 2014
The Face Value Document The Face Value Document is a secured paper document used by DoT for all its security documents. The current document is similar to a Bank Cheque. A proposed security upgrade may add RFID to the paper; the eFVD – electronic face value document. The iDocTrust solution provides superior integrity to the FVD and a seamless upgrade to the eFVD. A secure document must be field verifiable under all conditions: offline with standard equipment. The security layers of a verifiable document: • Secure Paper: water marks, invisible inks, fibres, … • Paper traceability: unique machine readable encoding of the blank paper. • Data verifiability: human and machine readable.
Security layers of the FVD • Secure Paper: water marks, invisible inks, fibers, … • Very good: human and machine verifiable. • Paper traceability number: unique machine readable encoding of the blank paper. • Very good: The code is added and recorded by eNaTIS when the blank is manufactured. • Not good enough: The code is used in the distribution of the paper by the state printer, but only on a bulk level. • Weak: It is not use by eNaTIS when the document is issued. • Data verifiability: human and machine readable • Not good enough: A PDF417 barcode contain the data as on the FVD.It is difficult to read with standard devices like smart phones. • Weak: It is not encrypted, it is badly encoded resulting a very big barcode. It can easily be changed. • Weak: Special devices must be used to read this barcode. • Weak: Still need to onlineverify the vehicle data. Therefore the public can not be held accountable not support the affords to legitimize the vehicle fleet.
Online Database Systems are vulnerable and can be changed without trace! • Works well with: • Clearly defined workflow • Reliable connectivity • Single entity control None of the above is fully satisfied for the FVD services and use cases. • But; • Collusion, misconduct, hacking and incompetence may change the database without trace! • The public has no ability to prove, protect or correct a incorrect database. • Denial of service when network or DB is down or not available. • Cost of protecting an online DB is very high especially when the public needs access to it. Control DB MIS Check point Check point Check point Check point The Public
SANS1368: AutoID DigSig SOUTH AFRICAN NATIONAL STANDARD SANS1368 Automatic Identification and Data Capture Techniques – Data Structures – Digital Signature Meta Structure
SANS1368: International Acclaim • SANS1368 was published by SABS in Jan 2014 after 4 years of local and international contributions. • Since its publication the following countries have shown interest in it: • Germany: Implemented in the IDeTRUST system for vehicle identification. • Netherlands for use in RFID tags on vehicles. • Panama: Freight control. • SADC: Trade corridor document protection. • Nigeria: Protection of education documents and share documents. • South Africa: Implemented at North West University to protect course certificates. • Turkey: For use in RFID tags on vehicles. • Pakistan: All vehicle identification documents, both paper and RFID. • Russia: Public Transport vehicles – RFID • Swaziland: All state issued permits and certificates. • Australia: Barcode and RFID on vehicle registration plates. • New Zealand: Barcode and RFID on vehicle registration plates. • In June ISO/IEC JTC1 SC31 requested South Africa to lodge SANS1368 to ISO it will now become an International Standard.
SANS1368 the Solution Enabler SANS1368 specifies a standard way to embed a Digital Signature in a QR code allowing for the reading and verification of the Digital Signature using a smart phone, without the requirement to connect to a data base (offline). Digital Signatures (advance electronic signatures) is defined by the South African Electronic Communications and Transaction Act to be prima facia Evidense. • SANS1368 Digital Signatures allows for the verification of documents independent from the source in either an electronic or an physical format; avoiding both cost, ease of use and security penalties. • The issuing of a SANS1368 Digital Signatures can easily be recorded independently of any other systems, creating an effective audit trail of all signatures issued. • Signature control can be obtained by adding credential management to the Digital Signature issuing process. • Full interoperability between barcodes and RFID provides for future proofing of all systems and services. • No lock in with proprietary systems.
Public Keys: Digital Signatures The Digital Certificate contains the Digital Signature Specimen (the Public Key)for offline verification. Each document is individually signed with a Digital Signature using the Private Key. If the Digital Signature verifies, then the document is authentic. Trust Services
Document Example This is an URI-Text example. http://www.nwu.ac.za/verify/?C=1002&D=[["IOVbnNHSe7FMWqtMQNAtuwo3bgY=",1365601202],["cem","EL BUTHELEZI","7204085458082","CEM-01.1",[15,"aug","2011"],"compl",""]] The DigSig QR can be read by a standard barcode reader. The decryption verification is typically done online. When read by the Smart Phone App, the verification is done offline.
RFID & Barcode Example This example uses both a QR and UHF RFID (6C). The DigSig stored on the 6C tag also contains the TID. Copying of the data can be detected and verified offline. The same data is represented in: • DigSig RAW envelope • DigSig URI-RAW envelope • DigSig URI-TEXT envelope DigSig RAW can only be read and verified with SANS1358 compliant software. ��X=0Y���k���e0��Q˒.�,�Y` P� http://sbox.idoctrust.com/verify/?C=2814&D=[["IEsAR6YLM7s9zXa4mqymFVtKOXI=",1349481600],[1234567890,"AA 99 AA"]] http://sbox.idoctrust.com/verify/?C=2814&B=IEsAR6YLM7s9zXa4mqymFVtKOXJF0mWAtIssAooAssA=
Current issues Some of the main issues with face value documents are: • Theft of blank FVDs – this is a bad situation since the security of the FVD is currently seated in the blank paper. • The stolen FVDs is used for the creation of fraudulent licenses and registrations. • Collusion allows for washing of stolen vehicles using fraudulent papers. • Field verification – this is the main limiting factor allow for illegal vehicles and drivers on or roads. • Human verifying of a license disk to be genuine is virtually impossible due to print fading and the fact that the license disk is cut and attached to the windscreen. • Online verification is limited to Police and again limited by connectivity and time constraints. The result is that the vehicle fleet is not inspected allowing the criminal activities.
Old school solutions do not work! Convergence and access to technologies have made old school solutions ineffective! A compliant environment requires: • Regular inspection, in the field, of all documents. The old school systems limits the volume and frequency of inspection that can take place. • Public participation and accountability is crucial. The public must be enabled to detect a false document. Centralized code databases are an example of old school solutions. • These systems are proprietary often protected by patents. • These system only allows for the inspection of the paper. • The inspections are very limited and in the end difficult to do. • Only online verifications can be done; the access and security for such verifications consumes continuously a serious amount of money. Hack this code database makes the whole system fails. • These systems claims to protect the information, but then it needs to copy parts of eNaTIS. You can only have one source of truth, By law eNaTIS is that source of truth. Proof of the failure of Centralized code databases are: • The current FVD security code, though eNatis is one of the best vehicle registration systems in the world. • Education documents, even though universities have online systems for verification.
iDocTrust Solution Encrypt the FVD content PDF417 barcode with SANS1368 at the time of issue. Recommend the change from PDF417 to QR. QR is the de facto barcode for phones. Recommend the inclusion of the FVD security code into the SANS1368 code. The system provides the following functions: • Record the person who performs the issuing of the FVD. The current eNaTIS credential management may be used. Fingerprint scanning, smart card authentication, etc. is available. • Allow public to verify the FVD using a smart phone and the SANS1368 code. • Record (in a store and forward manner) where, at what time and by whom vehicles/FVDs are verified Vehicle Spotting Database. Optionally provide a Vehicle Spotting System compliant with SANS24535.
Implementation Alternatives Add the iDocTrust engine to eNaTIS eNaTIS sends the FVD content barcode to the SANS1368 engine for digital signing. Implement the iDocTrust at the issuing point The iDocTrust system intercepts and digitally sign the FVD at the issuing point. eNaTIS eNaTIS SANS1368 Signer SANS1368 Signer Issue point Issue point Issue point Issue point Issue point Issue point SANS1368 Verifier SANS1368 Verifier SANS1368 Verifier SANS1368 Verifier Local system Local system Local system Local system
Benefits of the iDocTrust Solution • SANS1368 compliant. • Requires no additional field devices – smart phones do the work. • Provides full interoperability and future proofing. • Domains; vehicle registration, education eGov, freight and logistics, … • Data; number plates, vehicle registration and licenses, driver licenses, freight d • Technology; barcodes (PDF417, QR, …) and RFID (UHF, NFC, …) • Provides for both off and online verification of the integrity of the document. • Minimum impact on eNITS. • eNaTIS remains the source of vehicle registration truth. • Full protection of both the paper and the information on the paper. • Full audit trail and control on who issue and verify FVDs. • Supports all documents and number plates.
Thank You info@idoctrust.com www.idoctrust.com