
secunet Security Networks AG

Digital Seal: Strong Protection for Non-electronic Documents
London
27.02.2013

Motivation
Electronically enabled documents allow strong protection
- Cryptographic mechanisms, hardware-based security
- Verification of document authenticity & integrity
- Biometric verification of holder's identity
Protection of non-electronic documents is challenging
- Large variety of optically verifiable features
- Detection of forgeries and manipulation requires careful examination
- Non-individualized features don't protect against theft of blank documents
Examples
- Breeder documents (e.g. birth certificates)
- Emergency passports / ID cards
- Visas

The Digital Seal

Data stored in bar code, typically 2-dimensional

Digital signature of issuer

Strong cryptographic protection of document authenticity and integrity

Allows verification of visible document contents

Text, facial image, etc.

Verification based on optical scans (visible, IR, UV)

Error correction to compensate noise resulting from

- Capturing
- Wear & tear

Storage of other verification data

Meta data, e.g. document type, issuer

Option: Biometric data

The Digital Seal


General mechanism developed by
- Federal Office for Information Security (BSI)
- Federal Criminal Police Office (BKA)
- secunet Security Networks
Specified in Technical Guideline of BSI
Prototype implementation by secunet

Example Birth Certificate

Typical reading device:


- Flatbed scanner
- Only visible light

Example Emergency Passport

Typical reading device:


- ePassport reader
- Capturing under IR light can reduce distortions,
e.g. by background

Document Issuance

Document Verification

Challenges and Solutions

Inaccuracy of optical reading


- Noise introduced by printing and optical reading
- Distortions introduced by wear & tear, e.g. scribbling, stamps, crumpling
- OCR errors

Error correction / tolerance


- Bar code uses error-correcting encoding
- Storage of auxiliary data for error correction of optical content
- E.g. check bits / error-correction bits
- Restriction to most robust/relevant features
- E.g. biometric face features in facial image

Challenges and Solutions

Limited storage capacity


- E.g. 277 Bytes for a 64x64 Data Matrix bar code
- Available space and required robustness do not allow higher dimensions

Compact storage
- Compact encoding of data container
- Short digital signatures, e.g. ECDSA
- Compact representation of feature data
- Restriction to auxiliary data for correction of scanned features
- Feature data not stored in bar code but only recovered from scan
- Recovered feature data verified by means of digital signature
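
An added example, not taken from the slides or from TR-03137: one way to realise "auxiliary data for correction of scanned features" for the MRZ, using the prototype's figure of 4 correctable characters. The Reed-Solomon-style code over GF(97), the function names and the sample MRZ are assumptions made for illustration.

```python
P = 97   # assumed prime field size; requires len(mrz) + 2*T <= P
T = 4    # number of OCR character errors to correct
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ<"   # MRZ character set
SAMPLE_MRZ = "V<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<"    # constructed sample line

def poly_eval(coeffs, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

def solve(rows):
    """Gauss-Jordan mod P on an augmented matrix; free variables are set to 0."""
    m, pivots = len(rows[0]) - 1, []
    for c in range(m):
        r = len(pivots)
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], -1, P)
        rows[r] = [v * inv % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r:
                rows[i] = [(a - rows[i][c] * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
    sol = dict(zip(pivots, (row[m] for row in rows)))
    return [sol.get(c, 0) for c in range(m)]

def make_aux(mrz):
    """Issuer: 2*T parity symbols, the only MRZ-derived payload stored in the seal."""
    k = len(mrz)
    coeffs = solve([[pow(x, j, P) for j in range(k)] + [ALPHABET.index(ch)]
                    for x, ch in enumerate(mrz)])
    return [poly_eval(coeffs, x) for x in range(k, k + 2 * T)]

def recover(ocr, aux):
    """Verifier: Berlekamp-Welch. Solve Q(x) = y*E(x) with E monic of degree T,
    then Q/E is the issued polynomial. Returns the issued MRZ or None."""
    k, n = len(ocr), len(ocr) + 2 * T
    ys = [ALPHABET.index(ch) for ch in ocr] + list(aux)
    sol = solve([[pow(x, j, P) for j in range(k + T)]
                 + [-y * pow(x, j, P) % P for j in range(T)]
                 + [y * pow(x, T, P) % P] for x, y in enumerate(ys)])
    q, e, quot = sol[:k + T], sol[k + T:] + [1], [0] * k
    for d in range(k - 1, -1, -1):              # long division Q / E
        quot[d] = q[d + T]
        for j in range(T + 1):
            q[d + j] = (q[d + j] - quot[d] * e[j]) % P
    vals = [poly_eval(quot, x) for x in range(n)]
    if sum(v != y for v, y in zip(vals, ys)) > T or max(vals[:k]) >= len(ALPHABET):
        return None                             # more than T errors: reject
    return "".join(ALPHABET[v] for v in vals[:k])
```

The eight parity symbols fit in 8 bytes of the seal. The issuer's signature is then checked over the string returned by `recover`, and the verifier should act on that string rather than on the raw OCR text.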


Challenges and Solutions

Privacy of biometric data


- No access control possible to barcode
- No secret keys should be needed for verification

Biometric template protection


- Stored reference data allows verification of live sample
- But: does not reveal biometric features
- Key-less


Technical Guideline TR-03137

General description (informative)


- Processes for generation and verification
- Methods for error correction / tolerance
- Approaches for feature verification

Requirements for processing


- Printing, optical reading, bar code
- Digital signature and certificates
- Processing of features
- Biometric template protection

Requirements for document profiles


- Contents of profiles
- XML syntax for profile information

Encoding of the data container

Examples (informative)

Prototype Application

Based on secunet's biomiddle architecture


- BSPs and BioMiddle-Provider

Generates and verifies EU visa with digital seal


- 64x64 Data Matrix bar code
- ECDSA-256 signature
- Encoding according to TR-03137

Used Features
- Facial image
- MRZ with correction of up to 4 characters
- Fingerprints (optional) using biometric template protection techniques
- Face and fingerprint verification provided by GenKey

Segmentation and OCR provided by Regula

Verification integrated into secunet's Golden Reader Tool Platinum Edition


Prototype Application: Document Generation


Prototype Application: Successful Verification


Prototype Application: Failed Verification


Any Questions?
Dr. Johannes Merkle
secunet Security Networks AG
Principal
+49 201 5454-3091
Johannes.merkle@secunet.com
