
Johannes_Merkle_-_DigiSeal.pdf

Date post: 06-Jul-2018

Transcript
  • 8/17/2019 Johannes_Merkle_-_DigiSeal.pdf


    secunet Security Networks AG

    London

    27.02.2013

    Digital Seal – Strong Protection for Non-electronic Documents

    Motivation

     ▀  Electronically enabled documents allow strong protection

    - Cryptographic mechanisms, hardware-based security

    - Verification of document authenticity & integrity

    - Biometric verification of holder's identity

     ▀  Protection of non-electronic documents is challenging

    - Large variety of optically verifiable features

    - Detection of forgeries and manipulation requires careful examination

    - Non-individualized features don't protect against theft of blank documents

     ▀  Examples

    - Breeder documents (e.g. birth certificates)

    - Emergency passports / ID cards

    - Visas

    The Digital Seal

     ▀  Data stored in bar code, typically 2-dimensional

     ▀  Digital signature of issuer

    - Strong cryptographic protection of document authenticity and integrity

     ▀  Allows verification of visible document contents

    - Text, facial image, etc.

    - Verification based on optical scans (visible, IR, UV)

    - Error correction to compensate "noise" resulting from

    - Capturing

    - Wear & tear

     ▀  Storage of other verification data

    - Meta data, e.g. document type, issuer

    - Option: Biometric data

    The Digital Seal

     ▀  General mechanism developed by

    - Federal Office for Information Security (BSI)

    - Federal Criminal Police Office (BKA)

    - secunet Security Networks

     ▀  Specified in Technical Guideline of BSI

     ▀  Prototype implementation by secunet

    Example – Birth Certificate

     ▀  Typical reading device:

    - Flatbed scanner

    - Only visible light

    Example – Emergency Passport

     ▀  Typical reading device:

    - ePassport reader

    - Capturing under IR light can reduce distortions, e.g. by background

    Document Issuance

    Document Verification

    Challenges and Solutions

     ▀  Inaccuracy of optical reading

    - Noise introduced by printing and optical reading

    - Distortions introduced by wear & tear, e.g. scribbling, stamps, crumpling

    - OCR errors

     ▀  Error correction / tolerance

    - Bar code uses error-correcting encoding

    - Storage of auxiliary data for error correction of optical content

    - E.g. check bits / error-correction bits

    - Restriction to most robust/relevant features

    - E.g. biometric face features in facial image

    Challenges and Solutions

     ▀  Limited storage capacity

    - E.g. 277 Bytes for a 64x64 Data Matrix bar code

    - Available space and required robustness do not allow higher dimensions

     ▀  Compact storage

    - Compact encoding of data container

    - Short digital signatures, e.g. ECDSA

    - Compact representation of feature data

    - Restriction to auxiliary data for correction of scanned features

    - Feature data not stored in bar code but only recovered from scan

    - Recovered feature data verified by means of digital signature
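
An added example (not from the slides or from TR-03137) of the compact-storage idea above: the seal carries only auxiliary check symbols for the MRZ, the verifier rebuilds the MRZ from a noisy scan, and the rebuilt text is compared with the signed value. Assumptions: a two-check-symbol code over GF(37) that repairs one character per line (simpler than the prototype's correction of up to 4 characters), a SHA-256 digest standing in for the message the issuer's ECDSA signature would cover, and hypothetical function names and sample data.

```python
import hashlib

ALPHA = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ<"  # the 37 MRZ symbols, used as GF(37)
Q = len(ALPHA)                                   # 37 is prime, so inverses exist

# Constructed sample: a 2 x 36 character visa-style MRZ (not a real document).
GENUINE = ["V<UTOERIKSSON<<ANNA<MARIA".ljust(36, "<"),
           "L8988901C4XXX4009078F9612109".ljust(36, "<")]


def aux_symbols(line):
    """Two check symbols per line: sum(c_i) and sum(i * c_i) mod 37, i = 1..n."""
    v = [ALPHA.index(c) for c in line]
    if len(v) >= Q:
        raise ValueError("positions must stay distinct mod 37")
    return bytes([sum(v) % Q, sum(i * c for i, c in enumerate(v, 1)) % Q])


def correct_line(scan, aux):
    """Repair at most one misread character using the stored check symbols."""
    got = aux_symbols(scan)
    d0, d1 = (got[0] - aux[0]) % Q, (got[1] - aux[1]) % Q
    if d0 == 0 and d1 == 0:
        return scan                               # scan agrees with the aux data
    pos = d1 * pow(d0, -1, Q) % Q if d0 else 0    # error position = d1 / d0
    if not 1 <= pos <= len(scan):
        return scan                               # not a single error: leave as read
    fixed = ALPHA[(ALPHA.index(scan[pos - 1]) - d0) % Q]
    return scan[:pos - 1] + fixed + scan[pos:]


def issue(lines):
    """Seal payload: aux symbols plus the digest the issuer would sign. No MRZ text."""
    aux = b"".join(aux_symbols(line) for line in lines)
    return aux + hashlib.sha256("".join(lines).encode() + aux).digest()


def check(seal, scanned):
    """Recover the MRZ from the scan, then compare against the signed digest."""
    n = 2 * len(scanned)
    aux, signed = seal[:n], seal[n:]
    lines = [correct_line(s, aux[2 * i:2 * i + 2]) for i, s in enumerate(scanned)]
    ok = hashlib.sha256("".join(lines).encode() + aux).digest() == signed
    return ok, lines
```

Because correction runs before the comparison, a printed MRZ altered in one character per line still verifies, so the verifier should treat the returned, corrected lines as the authoritative data rather than the text read from the page.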

    Challenges and Solutions

     ▀  Privacy of biometric data

    - No access control possible to barcode

    - No secret keys should be needed for verification

     ▀  Biometric template protection

    - Stored reference data allows verification of live sample

    - But: does not reveal biometric features

    - Key-less

    Technical Guideline TR-03137

     ▀  General description (informative)

    - Processes for generation and verification

    - Methods for error correction / tolerance

    - Approaches for feature verification

     ▀  Requirements for processing

    - Printing, optical reading, bar code

    - Digital signature and certificates

    - Processing of features

    - Biometric template protection

     ▀  Requirements for document profiles

    - Contents of profiles

    - XML syntax for profile information

     ▀  Encoding of the data container

     ▀  Examples (informative)

    Prototype Application

     ▀  Based on secunet's biomiddle architecture

    - BSPs and BioMiddle-Provider

     ▀  Generates and verifies EU visa with digital seal

    - 64x64 Data Matrix bar code

    - ECDSA-256 signature

    - Encoding according to TR-03137

     ▀  Used Features

    - Facial image

    - MRZ with correction of up to 4 characters

    - Fingerprints (optional) using biometric template protection techniques

    - Face and fingerprint verification provided by GenKey

     ▀  Segmentation and OCR provided by Regula

     ▀  Verification integrated into secunet's Golden Reader Tool Platinum Edition

    Prototype Application: Document Generation

    Prototype Application: Successful Verification

    Prototype Application: Failed Verification

    Any Questions?

    Dr. Johannes Merkle

    secunet Security Networks AG

    Principal

    +49 201 5454-3091
