● Phone provides addition security against malicious acts
● Organizes license information clearly, points on licenses, endorsements, restrictions, organ donor, under 21 before, expiration and etc…
● Faster information updates
● Adaptable and extensible standard
What it does
● The state’s DMV creates a master key and master root certificate.
● The user’s device generates a key, which is then signed by the state’s certificate
● Authority after proving the user’s identity and possession of the physical drivers license.
● The relying party (bar, cop, etc) generates a random string (“none”), which is read by the user’s camera or via NFC, signed by the user’s key/certificate, and uploaded to a server or transmitted via NFC.
● User can scan a QR code with their phone instead of presenting a physical license
- The Driver supplies their drivers license ID and other identifying information to the DMV’s server.
- The DMV responds with challenge questions, and the Driver replies with the answers.
- After successful identity verification, the Driver supplies the DMV with a RSA-4096 bit public key. The private key is always stored on the Driver’s device. It must never be uploaded anywhere; loss of the device should result in the loss of the key.
- The DMV creates and signs a JSON Proof with the Driver’s public key and data from the license, and provides this to the client. The DMV must not sign a JSON Proof with a serial number containing more than 18 hexadecimal characters.
How I built it
● DMV -4096 bit RSA key -Stored in Azure Key Vault -Only generated once; needs to be cycled every ~20 years as it doesn’t expire -Explicitly trusted by Relying Parties -Signs JSON Proofs after validating identity
● Driver -4096 bit RSA key -Supplies the DMV with its public key and identity validation information
● JSON Proof -Signed by the DMV -Contains the Driver’s public key, expiration and license information.
● Relying Party -Has list of all state DMV public keys to be used to verify JSON Proofs.
●Signatures The DMV signs the JSON Proof below with SHA256, which the client presents along with the JSON. The Relying Party must verify this signature.
Challenges I ran into
●Running into problems with Android Studio and Azure
What I learned
●Tons about Cryptography and secure solutions to problems we face today
What's next for Copia
●Improving our proof of concept implementation