Authentication of Identity Documents Using DNSSEC, Digital Signatures and QR Codes
Resumo
This paper describes a system for authenticating identity documents by digitally signing the data and embedding it in a 2D code to be printed with the document. In the proposed scheme, a message is digitally signed using a digital signature block which is stored in a QR Code. The code is later scanned by the user and, after validation, the corresponding digital information can be compared with the printed information. The authenticity of the message is guaranteed using RSA digital signatures and a secure DNS implementation based on DANE and DNSSEC for the certificate distribution. A proof of concept was implemented using the ISC BIND DNS Server and OpenSSL to create and distribute the certificates and a Telegram Bot for signature verification.
Referências
Arends, R., Austein, R., Larson, M., Massey, D., and Rose, S. W. (2005). Dns security introduction and requirements, rfc 4033. Internet Engineering Task Force (IETF).
Bray, T. (2014). The javascript object notation (json) data interchange format.
Chandramouli, R. and Rose, S. (2013). Secure domain name system (dns) deployment guide. NIST Special Publication, 800:81–2.
DMV, N. Y. S. (2013). Sample New York State DMV Photo Documents. https://dmv.ny.gov/id-card/sample-photo-documents. (Accessed on 2017-07-10).
FIPS, P. (2013). 186-4. Digital Signature Standard (DSS).
Garain, U. and Halder, B. (2008). On automatic authenticity verification of printed security documents. In Computer Vision, Graphics & Image Processing, 2008. ICVGIP’08. Sixth Indian Conference on, pages 706–713. IEEE.
IANA (2017). Domain Name System Security (DNSSEC) Algorithm Numbers. https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml. (Accessed on 2017-07-10).
Josefsson, S. (2006a). The base16, base32, and base64 data encodings.
Josefsson, S. (2006b). Storing certificates in the domain name system (dns).
NIST, S. (2015). 800-57 part 3 rev 1, recommendation for key management: Part 3: Application-specific key management guidance.
Osterweil, E., Massey, D., and Zhang, L. (2009). Deploying and monitoring dns security (dnssec). In Computer Security Applications Conference, 2009. ACSAC’09. Annual, pages 429–438. IEEE.
Python Cryptographic Authority (2013). Welcome to pyca/cryptography—Cryptography 2.0.dev1 documentation. https://cryptography.io/en/latest/. (Accessed on 2017-07-10). Soon, T. J. (2008). Qr code. Synthesis Journal, 2008:59–78.
Telegram (2017). Bots: An introduction for developers. https://core.telegram.org/bots. (Accessed on 2017-07-10).
The Tornado Authors (2017). Tornado web server - tornado 4.5.2 documentation. http://www.tornadoweb.org/en/stable/. (Accessed on 2017-07-10).
Thiranant, N., Lee, Y. S., and Lee, H. (2015). Performance comparison between rsa and elliptic curve cryptography-based qr code authentication. In Advanced Information Networking and Applications Workshops (WAINA), 2015 IEEE 29th International Conference on, pages 278–282. IEEE.
Verisign Inc. (2011). DNSSEC Analyzer. https://dnssec-debugger.verisignlabs.com/. (Accessed on 2017-07-10).
Warasart, M. and Kuacharoen, P. (2012). Paper-based document authentication using digital signature and qr code.