DoT Face Value Document
Ver 1.0
17 August 2014
Copyright
© iDocTrust all rights reserved
The Face Value Document
2 – Face Value Documents – August 2014 © 2014
The Face Value Document is a secured paper document
used by DoT for all its security documents.
The current document is similar to a Bank Cheque.
A proposed security upgrade may add RFID to the
paper; the eFVD – electronic face value document.
The iDocTrust solution provides superior integrity to the
FVD and a seamless upgrade to the eFVD.
A secure document must be field verifiable under all
conditions: offline with standard equipment.
The security layers of a verifiable document:
1.Secure Paper: water marks, invisible inks, fibres, …
2.Paper traceability: unique machine readable encoding
of the blank paper.
3.Data verifiability: human and machine readable.
Security layers of the FVD
3 – Face Value Documents – August 2014 © 2014
1.
Secure Paper: water marks, invisible inks, fibers, …
 Very good: human and machine verifiable.
2.
Paper traceability number: unique machine readable encoding of
the blank paper.
 Very good: The code is added and recorded by eNaTIS when the blank is
manufactured.

Not good enough: The code is used in the distribution of the paper by the
state printer, but only on a bulk level.
X Weak: It is not use by eNaTIS when the document is issued.
3.
Data verifiability: human and machine readable

Not good enough: A PDF417 barcode contain the data as on the FVD.
It is difficult to read with standard devices like smart phones.
X Weak: It is not encrypted, it is badly encoded resulting a very big barcode.
It can easily be changed.
X Weak: Special devices must be used to read this barcode.
X Weak: Still need to online verify the vehicle data. Therefore the public
can not be held accountable not support the affords to legitimize the
vehicle fleet.
Online Database Systems are vulnerable and
can be changed without trace!
4 – Face Value Documents – August 2014 © 2014
Works well with:
– Clearly defined workflow
– Reliable connectivity
– Single entity control
None of the above is fully satisfied for the FVD
services and use cases.
•
But;
– Collusion, misconduct, hacking and
incompetence may change the database
without trace!
– The public has no ability to prove, protect or
correct a incorrect database.
– Denial of service when network or DB is down
or not available.
– Cost of protecting an online DB is very high
especially when the public needs access to it.
Control
DB
MIS
Check
point
•
Check
point
The Public
Check
point
Check
point
SANS1368: AutoID DigSig
5 – Face Value Documents – August 2014 © 2014
SOUTH AFRICAN NATIONAL STANDARD SANS1368
Automatic Identification and Data Capture Techniques – Data Structures –
Digital Signature Meta Structure
SANS1368: International Acclaim
6 – Face Value Documents – August 2014 © 2014
•
SANS1368 was published by SABS in Jan 2014 after 4 years of local and
international contributions.
•
Since its publication the following countries have shown interest in it:
•
–
Germany: Implemented in the IDeTRUST system for vehicle identification.
–
Netherlands for use in RFID tags on vehicles.
–
Panama: Freight control.
–
SADC: Trade corridor document protection.
–
Nigeria: Protection of education documents and share documents.
–
South Africa: Implemented at North West University to protect course certificates.
–
Turkey: For use in RFID tags on vehicles.
–
Pakistan: All vehicle identification documents, both paper and RFID.
–
Russia: Public Transport vehicles – RFID
–
Swaziland: All state issued permits and certificates.
–
Australia: Barcode and RFID on vehicle registration plates.
–
New Zealand: Barcode and RFID on vehicle registration plates.
In June ISO/IEC JTC1 SC31 requested South Africa to lodge SANS1368 to ISO
 it will now become an International Standard.
SANS1368 the Solution Enabler
7 – Face Value Documents – August 2014 © 2014
SANS1368 specifies a standard way to embed a Digital Signature in a QR code allowing for the
reading and verification of the Digital Signature using a smart phone, without the requirement to
connect to a data base (offline).
Digital Signatures (advance electronic signatures) is defined by the South African Electronic
Communications and Transaction Act to be prima facia Evidense.
•
SANS1368 Digital Signatures allows for the verification of documents independent from the
source in either an electronic or an physical format; avoiding both cost, ease of use and security
penalties.
•
The issuing of a SANS1368 Digital Signatures can easily be recorded independently of any
other systems, creating an effective audit trail of all signatures issued.
•
Signature control can be obtained by adding credential management to the Digital Signature
issuing process.
•
Full interoperability between barcodes and RFID provides for future proofing of all systems and
services.
•
No lock in with proprietary systems.
Public Keys: Digital Signatures
8 – Face Value Documents – August 2014 © 2014
Trust Services
The Digital Certificate contains the
Digital Signature Specimen (the Public Key)
for offline verification.
Each document is
individually signed
with a Digital Signature
using the Private Key.
If the Digital Signature verifies,
then the document is authentic.
8
Document Example
9 – Face Value Documents – August 2014 © 2014
This is an URI-Text example.
http://www.nwu.ac.za/verify/?C=1002&
D=[["IOVbnNHSe7FMWqtMQNAtuwo3bgY=",13656012
02],["cem","EL BUTHELEZI",
"7204085458082","CEM-01.1",
[15,"aug","2011"],"compl",""]]
The DigSig QR can be read by a standard
barcode reader. The decryption verification is
typically done online.
When read by the Smart Phone App, the
verification is done offline.
RFID & Barcode Example
10 – Face Value Documents – August 2014 © 2014
This example uses both a QR and UHF RFID
(6C). The DigSig stored on the 6C tag also
contains the TID. Copying of the data can be
detected and verified offline.
��X=0Y���k���
e0��Q˒.�,�Y` P�
http://sbox.idoctrust.com/verify/?C=2814&B=IE
sAR6YLM7s9zXa4mqymFVtKOXJF0mWAtIss
AooAssA=
The same data is represented in:
• DigSig RAW envelope
• DigSig URI-RAW envelope
• DigSig URI-TEXT envelope
DigSig RAW can only be read and verified with
SANS1358 compliant software.
http://sbox.idoctrust.com/verify/?C=2814&
D=[["IEsAR6YLM7s9zXa4mqymFVtKOXI=",
1349481600],[1234567890,"AA 99 AA"]]
Current issues
11 – Face Value Documents – August 2014 © 2014
Some of the main issues with face value documents are:
•
•
Theft of blank FVDs – this is a bad situation since the security of the FVD is currently seated in
the blank paper.
–
The stolen FVDs is used for the creation of fraudulent licenses and registrations.
–
Collusion allows for washing of stolen vehicles using fraudulent papers.
Field verification – this is the main limiting factor allow for illegal vehicles and drivers on or
roads.
–
Human verifying of a license disk to be genuine is virtually impossible due to print fading and the fact
that the license disk is cut and attached to the windscreen.
–
Online verification is limited to Police and again limited by connectivity and time constraints.
The result is that the vehicle fleet is not inspected allowing the criminal activities.
Old school solutions do not work!
12 – Face Value Documents – August 2014 © 2014
Convergence and access to technologies have made old school solutions ineffective!
A compliant environment requires:
1.Regular inspection, in the field, of all documents. The old school systems limits the volume and frequency of
inspection that can take place.
2.Public participation and accountability is crucial. The public must be enabled to detect a false document.
Centralized code databases are an example of old school solutions.
•These systems are proprietary often protected by patents.
•These system only allows for the inspection of the paper.
•The inspections are very limited and in the end difficult to do.
•Only online verifications can be done; the access and security for such verifications consumes continuously a
serious amount of money. Hack this code database makes the whole system fails.
•These systems claims to protect the information, but then it needs to copy parts of eNaTIS. You can only have
one source of truth, By law eNaTIS is that source of truth.
Proof of the failure of Centralized code databases are:
•The current FVD security code, though eNatis is one of the best vehicle registration systems in the world.
•Education documents, even though universities have online systems for verification.
iDocTrust Solution
13 – Face Value Documents – August 2014 © 2014
Encrypt the FVD content PDF417 barcode with SANS1368 at the time of issue.
Recommend the change from PDF417 to QR. QR is the de facto barcode for phones.
Recommend the inclusion of the FVD security code into the SANS1368 code.
The system provides the following functions:
•
Record the person who performs the issuing of the FVD.
The current eNaTIS credential management may be used.
Fingerprint scanning, smart card authentication, etc. is available.
•
•
Allow public to verify the FVD using a smart phone and the SANS1368 code.
Record (in a store and forward manner) where, at what time and by whom vehicles/FVDs are verified 
Vehicle Spotting Database.
Optionally provide a Vehicle Spotting System
compliant with SANS24535.
Implementation Alternatives
14 – Face Value Documents – August 2014 © 2014
Add the iDocTrust engine to eNaTIS
eNaTIS sends the FVD content barcode to the
SANS1368 engine for digital signing.
SANS1368
Signer
Issue
point
The iDocTrust system intercepts and
digitally sign the FVD at the issuing point.
SANS1368
Signer
eNaTIS
Issue
point
Implement the iDocTrust at the issuing point
Issue
point
eNaTIS
Issue
point
Issue
point
Issue
point
SANS1368
Verifier
SANS1368
Verifier
SANS1368
Verifier
SANS1368
Verifier
Local
system
Local
system
Local
system
Local
system
Benefits of the iDocTrust Solution
15 – Face Value Documents – August 2014 © 2014
•
SANS1368 compliant.
•
Requires no additional field devices – smart phones do the work.
•
Provides full interoperability and future proofing.
–
–
–
Domains; vehicle registration, education eGov, freight and logistics, …
Data; number plates, vehicle registration and licenses, driver licenses, freight d
Technology; barcodes (PDF417, QR, …) and RFID (UHF, NFC, …)
•
Provides for both off and online verification of the integrity of the document.
•
Minimum impact on eNITS.
•
eNaTIS remains the source of vehicle registration truth.
•
Full protection of both the paper and the information on the paper.
•
Full audit trail and control on who issue and verify FVDs.
•
Supports all documents and number plates.
Thank You
[email protected]
www.idoctrust.com
Copyright
© iDocTrust all rights reserved