Encrypted 2D Barcode

ubi:2dbarcode Secure Mobile Services for the Examination of the Authenticity, Validity and Integrity of the Printouts of Digitally Signed Publicly Issued Certificates and Private Electronic PDF Documents

Once a signed (digitally or not) public certificate or private electronic document (hereinafter called “e-doc”) is issued and delivered to the requestor (who can be a citizen, a public servant or a company executive), the requestor is able to store, print and even edit the received e-doc. It is therefore of major importance for a third party (like a judge in a court) to be able to validate, in real time, the originality, the authenticity and the integrity of the printout handed over by the requestor.

To resolve this issue, ubi:2dbarcode proposes the adoption of two-dimensional barcode (2D barcode) techniques (e.g. Encrypted QR codes with 56-bit encryption) that are able to store, in encrypted form, all crucial information of the e-doc, including but not limited to the issuer name and affiliation, the issuing date and place, and a subset of the data appearing on the PDF document (e.g. the personal data of the citizen in the case of public certificates from civil status offices or tax authorities). This encrypted 2D barcode can only be decrypted by cross-platform mobile applications – developed in the context of the ubi:2dbarcode deployment and distributed (through a secure bootstrapping protocol) only to authorized third parties (like the public servants of a pre-defined public organization). In this way, only authorized personnel can validate the printouts and have access to any sensitive information encrypted in the 2D barcode of the e-doc.

ubi:2dbarcode consists of a back-end software infrastructure along with a set of cross-platform mobile applications and electronic validation services that support the process described above. In particular, each time an e-doc is issued and digitally signed, the ubi:2dbarcode software infrastructure generates a unique identification code (either alphanumeric or numeric) based on the digital certificate used to sign that e-doc. This unique identification code, along with the aforementioned subset of the data appearing on the e-doc, is encrypted, transformed into a QR code and imprinted on the PDF file of the digitally signed e-doc. In addition, an electronic service is deployed to allow the validation of the unique identification code from mobile devices.

As a final step, the ubi:2dbarcode cross-platform mobile application is securely distributed to allow authorized users to take a photo of the 2D barcode imprinted on the handouts and decrypt it, revealing the e-doc’s unique identification code and the stored personal data. The user is thus able to check whether the data appearing on the document have been modified by the citizen (data integrity control) and to examine the validity of the signature by invoking the aforementioned validation service from his/her mobile device (originality and authenticity check). Because only authorized users should have this mobile application installed on their mobile devices, ubi:2dbarcode incorporates and deploys a secure bootstrapping mechanism that allows the system administrator to create a closed community of authorized users.

Therefore, ubi:2dbarcode ensures both the validity of the signature and the integrity of the data of the e-doc, introducing three (3) levels of data security and protection:

  • the data will be encrypted in the 2D barcode and only authorized software will be able to decrypt them;
  • the unique identification code is hashed and can be decrypted only by the validation services accessed by the authorized software; and
  • the authorized software will only be distributed to authorized users following a totally secure deployment process.

In case the aforementioned deployment and operations model introduces more complexity than is required in a given business case/scenario, a lightweight version of the ubi:2dbarcode solution can be adopted – based on simple 2D barcodes rather than encrypted ones. In this version, third-party end-users do not need to be authorized to access the information on the 2D barcode or to invoke the validation and integrity check services.