Post on 28-Mar-2018

Technical Framework & NIST Pilot Project Overview

Digital Driver’s License

Introduction

NIST Grant DDL Pilot

The Program: NSTIC State Pilots Cooperative Agreement Program

The Purpose: To pilot online identity solutions that embrace and advance the TIG vision of an Identity Ecosystem. To promote government and commercial adoption of privacy-enhancing, secure, interoperable, and easy-to-use digital identity solutions.

The Driver: NIST’s Trusted Identities Group. Convened more than 170 organizations to work together in advancing trusted digital identity solutions.

The DDL Project: Manage, Issue and Consume digital version of DL on user smart mobile devices for 4 jurisdictions.

Pilot Participants

Gemalto is partnering with four jurisdictions to implement an interoperable pilot program, adhering to the NIST guiding principles regarding privacy and security in trusted identities.

Project Phases

Timeline: 2016, 2017, 2018

Phase 1 – Establishing the Foundation: Enrollment & Issuance of DDL; DDL Management; Identity & Proof of Age Verifications

Phase 2 – E-Services: Authentication; Attribute Sharing

Role of NIST

Project Guidance

Solution Guidance

Architecture & Design Guidance

Standards & Compliances

What is DDL?

Exploring Digital Driver’s License

Your identity

Your driving privileges

Your trusted attributes

And more!!!

Digital Driver’s License

Not just an image on the phone!

Establish Trust

Convey Driving Privileges

Confirm Identity

Visual Representation

Functional Requirements

Digital Driver’s License

Technology Provider

Credential Provider

DDL Usage

DDL Usage – Phase 1

Law Enforcement, TSA

Identity Verification

Proof of Age

Offline Operation

Traditional DL Usage

No backend tracking

Functional Requirements

Verification Flow

Establish Communication

Transfer Credentials

Digital Authentication

Display Results

DDL App

Verifier Apps

User should trigger the verification process

Direct data transfer over encrypted channel

Selective Attribute Sharing

Traditional vs New Usages

Functional Requirements

eServices

DDL for eTransactions (Phase 2)

DDL Platform (Identity & Attribute Provider)

Car Rentals

MNOs

KYC

DMV Services

Banks

Gov Services

Attribute Sharing

Authentication

Establishing Trust

DDL Credential

DDL Account: Created during enrollment process

Card Image Templates: Images on the phone that represent the DL displayed on the phone

Logical Data Structure (LDS): Structured representation of DL attributes and security objects

Data Groups (DG): Containing ID & DL Attributes

SOD: Hash of each DG + Digital Signature

LDS (Logical Data Structure)

Data Group: Contents

DG1 (Name and DL Entitlements): Issuing State; Name (Family, Given); DL Number; Date of Birth; Date of Issuance; Date of Expiry; Vehicle Classifications; Endorsements; Restrictions

DG2 (Address and Biometric Data): Address (Street, City, State, PC); Sex; Height; Weight; Hair Color

DG5: Signature

DG6: Photo

DG11 (Custom): Barcode Data

DG12 (Custom): Flags (Organ, Veteran, Under21…)

DG13 (Active Authentication Info): AA Public Key

SOD: DG1 Hash; DG2 Hash; DG11 Hash; DG5 Hash; DG6 Hash; DG11 Hash; DG12 Hash; DG13 Hash; DS Certificate + Public Key; Signature

Establishing Trust

State 1 DS/CA, State 2 DS/CA, State 3 DS/CA

The private keys for the CAs are stored in a highly secure environment responsible for issuance of the credentials

Public keys are distributed to verification systems

Signature Generation

SOD: DG1 Hash; DG2 Hash; DG11 Hash; DG5 Hash; DG6 Hash; DG11 Hash; DG12 Hash; DG13 Hash; DS Certificate + Public Key; Signature

State 3 DS/CA: Sign (KprDS)

Passive Authentication

Purpose: Check data authenticity & integrity of the DDL

Process:

1. Read SOD
2. Validate the DS certificate using the DDL CA certificate
3. Verify the SOD signature
4. Read relevant Data Group(s)
5. Compute Hash
6. Compare with the corresponding DG hash in SOD

Data Group: Contents

DG1: Document Type; Issuing State; Name; DL Identifier; Date of Birth; Date of Issuance; Date of Expiry

DG1 Hash

[Diagram: 1. Read SOD; 2. Validate DS Cert; 3. Verify Signature; 4. Read DG; 5. Compute Hash; 6. Compare (=)]
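The six passive-authentication steps above, as an added example that is not part of the original slides. It assumes a hypothetical JSON-style SOD layout and uses textbook RSA over a constructed, deliberately weak demo key as a stand-in for the real DS certificate and SOD signature formats. It also shows that a verifier can check a subset of Data Groups, because the SOD carries one hash per DG.

```python
import hashlib, json

E = 65537  # public exponent

def make_key(p_exp, q_exp):
    # Constructed demo key from two Mersenne primes: trivially factorable,
    # textbook RSA without padding. Stand-in for X.509/CMS signatures only.
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private d)

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    return pow(_h(data), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == _h(data)

def issue(dgs, ca, ds):
    """Issuer: hash each DG, sign the hash list with the DS private key."""
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in dgs.items()}
    cert = {"n": ds[0], "ca_sig": sign(str(ds[0]).encode(), *ca)}
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "ds_cert": cert, "sig": sign(body, *ds)}

def passive_auth(sod, presented, ca_n):
    """Verifier: steps 1-6 of the slide. Returns (ok, reason)."""
    cert = sod["ds_cert"]                                    # 1. read SOD
    if not verify(str(cert["n"]).encode(), cert["ca_sig"], ca_n):
        return False, "DS certificate not issued by trusted CA"   # 2.
    body = json.dumps(sod["hashes"], sort_keys=True).encode()
    if not verify(body, sod["sig"], cert["n"]):
        return False, "SOD signature invalid"                # 3.
    for name, data in presented.items():                     # 4. read DG(s)
        expected = sod["hashes"].get(name)
        if expected is None:
            return False, f"{name} not covered by SOD"
        if hashlib.sha256(data).hexdigest() != expected:     # 5. + 6.
            return False, f"{name} hash mismatch"
    return True, "ok"

# Constructed sample credential (not real licence data).
CA, DS = make_key(521, 607), make_key(1279, 2203)
DGS = {"DG1": b"state=XX;name=DOE,JANE;dob=1990-01-01",
       "DG2": b"address=1 Example St;sex=F",
       "DG12": b"flags=under21:false"}
SOD = issue(DGS, CA, DS)
```

The verifier only needs the CA modulus `CA[0]`, matching the slide's point that public keys are distributed to verification systems while private keys stay with the issuer.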

Standardization

The PKI Infrastructure

State 1 DS/CA, State 2 DS/CA, State 3 DS/CA

The PKI Infrastructure – Standards & Policies

Credential Storage – LDS/Data Minimization

Data Group: Contents

DG1 (Name and DL Entitlements): Issuing State; Name (Family, Given); DL Number; Date of Birth; Vehicle Classifications; Endorsements; Restrictions

DG2 (Address and Biometric Data): Address (Street, City, State, PC); Sex; Height; Weight

DG5: Signature

DG6: Photo

DG11 (Custom): Barcode Data; Flags (Organ, Veteran, Under21…)

DG12 (Custom): POA data (photo and age indicator)

DG13 (Active Authentication Info): AA Public Key

Data Group: Contents

DG1: Document Type; Issuing State; Name; Date of Birth; Date of Issuance; Date of Expiry

DG2: Photo

DG11: Address (Street, City, State, PC); Sex; Height; Weight; Hair Color; Signature

DG12: Vehicle Classifications; Endorsements; Restrictions; Document Discriminator; Flags (Organ, Veteran, Under21…); State Specific Data

DG13: POA Data

DG15: AA Public Key

Communication

Law Enforcement

Proof of Age

Attribute Sharing

Authentication

[Diagram labels: +21, RP]

Summary

DDL is not a replacement for the regular DL

DDL is not just an image or an app on the phone – Digital Authentication is the key

Standardization a must for interoperability

Thank You
