digital driver’s license - american association of motor ... 3 nist grant ddl pilot the program...
TRANSCRIPT
Introduction
NIST Grant DDL Pilot
The Program: NSTIC State Pilots Cooperative Agreement Program
The Purpose:
To pilot online identity solutions that embrace and advance the TIG vision of an Identity Ecosystem
To promote government and commercial adoption of privacy-enhancing, secure, interoperable, and easy-to-use digital identity solutions
The Driver: NIST’s Trusted Identities Group
Convened more than 170 organizations to work together in advancing trusted digital identity solutions
The DDL Project: Manage, Issue and Consume digital version of DL on user smart mobile devices for 4 jurisdictions
Pilot Participants
Gemalto is partnering with four jurisdictions to implement an interoperable pilot program, adhering to the NIST guiding principles regarding privacy and security in trusted identities.
Project Phases
Timeline: 2016, 2017, 2018
Phase 1 – Establishing the Foundation
Enrollment & Issuance of DDL
DDL Management
Identity & Proof of Age Verifications
Phase 2 – E-Services
Authentication
Attribute Sharing
Role of NIST
Project Guidance
Solution Guidance
Architecture & Design Guidance
Standards & Compliances
Exploring Digital Driver’s License
Your identity
Your driving privileges
Your trusted attributes
And more!!!
Digital Driver’s License
Not just an image on the phone!
Establish Trust
Convey Driving Privileges
Confirm Identity
Visual Representation
Functional Requirements
Offline Operation
Traditional DL Usage
No backend tracking
Functional Requirements
Verification Flow
Establish Communication
Transfer Credentials
Digital Authentication
Display Results
DDL App
Verifier Apps
User should trigger the verification process
Direct Data transfer over encrypted channel
Selective Attribute Sharing
DDL for eTransactions (Phase 2)
DDL Platform
Identity & Attribute Provider
Car Rentals
MNOs
KYC
DMV Services
Banks
Gov Services
Attribute Sharing
Authentication
DDL Credential
DDL Account: Created during enrollment process
Card Image Templates: Images on the phone that represent the DL displayed on the phone
Logical Data Structure (LDS): Structured representation of DL attributes and security objects
Data Groups (DG): Containing ID & DL Attributes
SOD: Hash of each DG + Digital Signature
LDS (Logical Data Structure)
Data Group: Contents
DG1 (Name and DL Entitlements): Issuing State; Name (Family, Given); DL Number; Date of Birth; Date of Issuance; Date of Expiry; Vehicle Classifications; Endorsements; Restrictions
DG2 (Address and Biometric Data): Address (Street, City, State, PC); Sex; Height; Weight; Hair Color
DG5: Signature
DG6: Photo
DG11 (Custom): Barcode Data
DG12 (Custom): Flags (Organ, Veteran, Under21…)
DG13 (Active Authentication Info): AA Public Key
SOD: DG1 Hash; DG2 Hash; DG11 Hash; DG5 Hash; DG6 Hash; DG11 Hash; DG12 Hash; DG13 Hash; DS Certificate + Public Key; Signature
Establishing Trust
State 1 DS/CA State 2 DS/CA State 3 DS/CA
The private keys for the CAs are stored in a highly secure environment responsible for issuance of the credentials
Public keys are distributed to verification systems
Signature Generation
SOD: DG1 Hash; DG2 Hash; DG11 Hash; DG5 Hash; DG6 Hash; DG11 Hash; DG12 Hash; DG13 Hash; DS Certificate + Public Key; Signature
State 3 DS/CA: Sign (KprDS)
Passive Authentication
Purpose: Check data authenticity & integrity of the DDL
Process:
1. Read SOD
2. Validate the DS certificate using the DDL CA certificate
3. Verify the SOD signature
4. Read relevant Data Group(s)
5. Compute Hash
6. Compare with the corresponding DG hash in SOD
Data Group: Contents
DG1: Document Type; Issuing State; Name; DL Identifier; Date of Birth; Date of Issuance; Date of Expiry
Diagram labels: 1. Read SOD; 2. Validate DS Cert; 3. Verify Signature; 4. Read DG; 5. Compute Hash; 6. Compare (=) with DG1 Hash
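Added example (not from the original slides): the six passive authentication steps above in Python, including the case where the holder shares only one data group. Assumptions: textbook RSA over Mersenne primes stands in for the real DS/CA signature algorithm, and the dictionary layout, function names and sample values are constructed for illustration.

```python
import hashlib, json

E = 65537

def keypair(p, q):
    """Textbook RSA from two primes: returns (public, private) as [n, exp]."""
    n = p * q
    return [n, E], [n, pow(E, -1, (p - 1) * (q - 1))]

# Toy keys (assumption): Mersenne primes are trivially factorable; demo only.
CA_PUB, CA_PRIV = keypair(2**521 - 1, 2**607 - 1)    # stands in for the DDL CA
DS_PUB, DS_PRIV = keypair(2**127 - 1, 2**1279 - 1)   # stands in for the DS

def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    n, d = priv
    return pow(digest(data), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data)

def issue(dgs, ds_priv, ds_cert):
    """Issuer side: hash every DG, then sign the hash list to form the SOD."""
    hashes = {k: hashlib.sha256(v).hexdigest() for k, v in dgs.items()}
    return {"hashes": hashes, "sig": sign(ds_priv, canon(hashes)), "ds_cert": ds_cert}

def passive_auth(sod, ca_pub, presented):
    """Verifier side; `presented` holds only the DGs the holder chose to share."""
    cert = sod["ds_cert"]                                     # 1. read SOD
    if not verify(ca_pub, canon(cert["body"]), cert["sig"]):  # 2. validate DS cert
        return "bad DS certificate"
    if not verify(cert["body"]["pub"], canon(sod["hashes"]), sod["sig"]):  # 3.
        return "bad SOD signature"
    for name, data in presented.items():                      # 4. read DG(s)
        if hashlib.sha256(data).hexdigest() != sod["hashes"].get(name):  # 5-6.
            return name + " hash mismatch"
    return "ok"

# Constructed sample credential (not real data).
DGS = {"DG1": b"ST3|DOE,JANE|D1234567|1990-01-01", "DG12": b"Organ=Y;Under21=N"}
cert_body = {"issuer": "State 3 DS", "pub": DS_PUB}
DS_CERT = {"body": cert_body, "sig": sign(CA_PRIV, canon(cert_body))}
SOD = issue(DGS, DS_PRIV, DS_CERT)

if __name__ == "__main__":
    print(passive_auth(SOD, CA_PUB, {"DG12": DGS["DG12"]}))          # DG12 only
    print(passive_auth(SOD, CA_PUB, {"DG12": b"Organ=Y;Under21=Y"}))  # altered
```

Because the SOD carries one hash per data group, the verifier can authenticate DG12 alone without ever receiving DG1.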
The PKI Infrastructure
State 1 DS/CA State 2 DS/CA State 3 DS/CA
The PKI Infrastructure – Standards & Policies
Credential Storage – LDS/Data Minimization
Data Group: Contents
DG1 (Name and DL Entitlements): Issuing State; Name (Family, Given); DL Number; Date of Birth; Vehicle Classifications; Endorsements; Restrictions
DG2 (Address and Biometric Data): Address (Street, City, State, PC); Sex; Height; Weight
DG5: Signature
DG6: Photo
DG11 (Custom): Barcode Data; Flags (Organ, Veteran, Under21…)
DG12 (Custom): POA data (photo and age indicator)
DG13 (Active Authentication Info): AA Public Key
Data Group: Contents
DG1: Document Type; Issuing State; Name; Date of Birth; Date of Issuance; Date of Expiry
DG2: Photo
DG11: Address (Street, City, State, PC); Sex; Height; Weight; Hair Color; Signature
DG12: Vehicle Classifications; Endorsements; Restrictions; Document Discriminator; Flags (Organ, Veteran, Under21…); State Specific Data
DG13: POA Data
DG15: AA Public Key
Communication
Law Enforcement
Proof of Age
Attribute Sharing
Authentication
Diagram labels: +21, RP
Summary
DDL is not a replacement for the regular DL
DDL is not just an image or an app on the phone – Digital Authentication is the key
Standardization a must for interoperability