
I'm looking for any way to digitally verify a user, ideally with a photo and link PII to that user.

My use case is that a user will extract and send an encrypted data blob (say from a passport) to my server, and my server will verify its authenticity and approve access.

From what I can tell, the NFC/passport approach doesn't really encrypt the data in a way that works the way I need it.

I am curious if there are other standards or ID cards that support this. I assume Germany or the Netherlands have something like this, since they have other similar projects.

makerofthings7
  • I know the US military uses smart cards for their IDs, apparently with X.509 certificates. Is that the kind of thing you mean? – cpast Mar 13 '15 at 20:15
  • Eep! Be careful with this approach. You'll have to protect that PII very, very carefully on your end. So carefully, that you might run into trouble. Any disclosure/breach/stolen laptop of your authentication database, and you have to report to gov't reporting agencies. – schroeder Mar 13 '15 at 20:31
  • I'll be granting approval and tossing the data – makerofthings7 Mar 13 '15 at 20:32
  • Then how are you verifying the blob? – schroeder Mar 13 '15 at 21:23
  • I'm thinking my exposure is limited if I verify the blob, create an application token based on roles. Token can be reused securely. Then toss the blob. Accept the anonymous token thereon. If role change is needed, start over. @schroeder – makerofthings7 Mar 13 '15 at 21:37
  • @cpast yes that would be interesting and a good use case – makerofthings7 Mar 13 '15 at 21:38

1 Answer


Passports do not encrypt data; instead they use Basic Access Control as an authentication layer, to prevent access to passport data without authorization. The authentication data required to access the passport is written in the MRZ, so ideally you would need to optically read the passport to get the "password" to open the RFID chip.

However, passport data is X.509 signed, so you can still use it for verification if you want to authenticate a user via their passport, to ensure the personal information and passport photo are not fraudulent. Note that you must encrypt the data in transit. Note also that someone can copy the details from the passport and send them to your server to impersonate a user if you only do static authentication.

However, passports also support a form of dynamic authentication to do challenge-response authentication of the passport, to ensure it has not been copied, but that requires active cooperation of your server, e.g. your server must actively talk to the passport through a link, for example a mobile phone with NFC that is held against the passport for several seconds during the "signup" process. Basically, it's the passport that signs your challenge using a certificate that is embedded in the passport, and thus you can verify that the response is correctly signed, and that the certificate used for signing is signed by the static certificate that you can verify against the ICAO root.

A mobile phone can be an excellent resource to allow anyone to sign up for your service with a passport. They just photograph the MRZ with the camera, then they hold the phone against the passport while your server talks to the passport to verify its authenticity, and then the signup is complete. I guess you then only save the photo and name of the user.

Depending on your security requirements, it might be enough with static authentication.

Note that the password cannot itself be used for any signing or encrypting activities, so if you for example would want the user to be able to use his passport to sign or encrypt anything, you will have to create a key for the user and link it to the user.

sebastian nielsen
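An added example (not part of the answer above) of how the MRZ fields become the BAC "password" the answer refers to: the check digits a phone app should validate after OCR, and the derivation of the 3DES keys per ICAO Doc 9303 Part 11. It uses the spec's published test vector (document number L898902C<, birth date 690806, expiry 940623); the function names are my own.

```python
import hashlib


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; digits as-is,
    letters A-Z = 10..35, filler '<' = 0; result is the sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch.isalpha():
            value = ord(ch.upper()) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def mrz_field_ok(field_with_check: str) -> bool:
    """True if the trailing check digit matches (catches OCR misreads)."""
    body, check = field_with_check[:-1], field_with_check[-1]
    return check.isdigit() and mrz_check_digit(body) == int(check)


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Document number (9 chars, '<'-padded), DOB and expiry (YYMMDD),
    each followed by its check digit. This is the only secret BAC has."""
    return "".join(f"{f}{mrz_check_digit(f)}" for f in (doc_number, birth_date, expiry_date))


def bac_key_seed(doc_number: str, birth_date: str, expiry_date: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1(MRZ_information)."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]


def adjust_parity(key: bytes) -> bytes:
    """DES keys carry odd parity in each byte's low bit; fix bytes with even popcount."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)


def bac_keys(doc_number: str, birth_date: str, expiry_date: str):
    """Return (K_enc, K_mac): SHA-1(K_seed || counter)[:16], parity-adjusted,
    with counter 1 for the encryption key and 2 for the MAC key."""
    k_seed = bac_key_seed(doc_number, birth_date, expiry_date)
    keys = []
    for counter in (1, 2):
        key_data = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]
        keys.append(adjust_parity(key_data))
    return tuple(keys)
```

Because the whole key material comes from fields printed on the data page, BAC only proves the reader saw the document; it is not what makes the data trustworthy, which is why the answer points to the signature chain and challenge-response for that.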