AWS Database Blog
Building a secure digital ID using Amazon Managed Blockchain
As more people use mobile devices to access services such as bank accounts and shared vehicles, there has been a surge in digital identity theft and forgery. Most mobile identification systems are prone to fraud due to the absence of a certification authority to verify the identity of the mobile ID card. Even if a person registers with someone else’s ID card, with or without proper self-certification procedures, it is difficult to verify the authenticity of the ID card.
Credit cards and transportation cards have been successfully integrated into mobile devices and are widely used instead of physical plastic cards when purchasing goods or using public transportation systems. However, unlike the other cards, ID cards have been left outside the digital domain.
To address this problem, the three major Korean telecommunication companies (SKT, KT, and LGU+) established a general mobile identification platform and jointly developed an e-Driver’s License Service that allows identity verification without carrying a wallet. The service launched to the Korean public in June 2020 after a year of development and official government approval.
This mobile service is linked to the Driver’s License Verification System of the National Police Agency and the Korea Highway Traffic Authority, who act as certification authorities. South Korean residents can prove their driving qualifications, adult status, and identity through a legitimate verification system by simply showing their QR code at locations such as convenience stores or banks.
This post discusses how these telecommunication companies used Amazon Managed Blockchain to build a universal mobile identity card platform and how this service works.
Personal authentication
The e-Driver’s License Service is provided through an application called PASS, a joint social identification service of the three telecommunication companies that is used by more than half of South Korea’s population, with around 30 million users as of October 2020.
Registering a driver’s license on PASS is very simple. First, a user installs the PASS application and logs in, followed by an extra authentication step, such as a password or fingerprint. Then, the user chooses Driver’s License, agrees to the terms and conditions, and registers the license with a simple scan. The information on the physical card is uploaded to the platform using optical character recognition (OCR). To protect users’ sensitive information, the platform prohibits screen captures. The following screenshots show the user interface for the registration process.
To prevent forgery at the time of registration, users go through a personal authentication process, and only their own driver’s license can be registered. If any part of the driver’s license has been manipulated, or the license is invalid, registration fails. This prevents, for example, a minor from using a guardian’s identification or an individual from fabricating their date of birth.
Why blockchain?
Blockchain allows for better protection of personal information. To eliminate the threat of personal information leakage, information such as the driver’s license, device information, and phone number are stored in a secure area inside the smartphone, and only the license hash value is stored both in the smartphone and on the blockchain.
The license hash is made up of the phone’s unique ID number, the user’s phone number, and the user’s driver’s license information. If any one of them changes, the license hash value changes. During verification, the user’s driving qualifications and identity are verified by comparing the license hash value stored in the phone with the hash value stored in the blockchain, without fear of leaking personal information. The following diagram illustrates the data storage system.
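The comparison described above can be sketched as follows. This is an added example, not code from the service: the hash algorithm (SHA-256), the field encoding, and the names `license_hash` and `matches_ledger` are assumptions, and all sample values are constructed.

```python
import hashlib
import hmac


def _field(value: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def license_hash(device_id: str, phone_number: str, license_info: dict) -> str:
    """Hash the three inputs the post names (SHA-256 is an assumption)."""
    parts = [_field(device_id), _field(phone_number)]
    # Sort the license fields so the same card always serialises identically.
    for key in sorted(license_info):
        parts += [_field(key), _field(str(license_info[key]))]
    return hashlib.sha256(b"".join(parts)).hexdigest()


def matches_ledger(local_hash: str, ledger_hash: str) -> bool:
    # Constant-time comparison of the on-device value with the on-chain value.
    return hmac.compare_digest(local_hash, ledger_hash)


# Constructed sample values, not real identifiers.
DEVICE = "device-0001"
PHONE = "010-0000-0000"
LICENSE = {"number": "00-00-000000-00", "name": "SAMPLE USER", "birth": "1990-01-01"}


def demo() -> dict:
    on_chain = license_hash(DEVICE, PHONE, LICENSE)  # value written at registration
    altered = dict(LICENSE, birth="1985-01-01")
    candidates = {
        "same_inputs": license_hash(DEVICE, PHONE, LICENSE),
        "new_device": license_hash("device-0002", PHONE, LICENSE),
        "new_phone": license_hash(DEVICE, "010-1111-1111", LICENSE),
        "altered_license": license_hash(DEVICE, PHONE, altered),
    }
    return {case: matches_ledger(h, on_chain) for case, h in candidates.items()}


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'mismatch'}")
```

Only the unchanged combination of device, phone number, and license matches the stored value; the ledger side never sees the underlying fields.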
Additionally, data stored in the blockchain isn’t dependent on a specific mobile carrier, but is stored on a decentralized distributed network, ensuring high capabilities and data transparency.
In the e-Driver’s License Service, the peer nodes of the three telecommunication companies act as each other’s demand resource role. Because the nodes share the data, each application can provide services to customers without interruption and, when a failure occurs, can quickly synchronize using another company’s node.
Finally, blockchain allows for business expansion and scalability. Because the three telecommunication companies share the same distributed ledger, server interconnection with the certification authority can easily be established through a single interface and can evolve into a variety of business models, including cross-company identification and payments.
Why Managed Blockchain?
Managed Blockchain provides a fully-managed service that makes it easy to create and manage blockchain networks. To configure an open-source Hyperledger Fabric network, the telecommunications companies would have to spend significant time setting up the ordering service, setting up certificate authorities, creating membership service providers, and configuring organizations and channels. It would take weeks of trial and error just to get the environment set up correctly. With Managed Blockchain, you don’t need to worry about the underlying Hyperledger infrastructure. You can start working on your chaincode and blockchain applications in minutes. In addition to these benefits, Managed Blockchain provides APIs to add and remove members and provides out-of-the-box integrations with AWS services such as Amazon CloudWatch and AWS CloudFormation.
Building the e-Driver’s License Service using Blockchain
The following participants and service components make up the e-Driver’s License Service:
- Service provider – Three Korean telecommunication companies (SKT, KT, and LGU+) provide services through the PASS application.
- Certification authority – The National Police Agency, which holds information on the status of the license, and the Korea Highway Traffic Authority, which holds information on the validity of the license, check the authenticity of the ID card.
- Verifier – Police, shared car companies, convenience stores, banks, card companies, and more can verify a user’s driving qualifications, adult status, and identity using the service. As of July 2020, the service is used in all driving license test centers and convenience stores, and will further expand to use cases such as traffic police inspections, car rentals, and shared mobility transactions.
- AWS – The web server of the telecommunication company registers and queries the license hash on Managed Blockchain through the Fabric client and communicates with the certification authority server through the interface server. Service monitoring and statistical verification can be done through the admin server, managed by both the Fabric Explorer server and the service providers.
The following diagram illustrates these components.
Registration flow
Because the mobile driver’s license contains sensitive personal information, the relevant data is encrypted and stored in the user’s mobile device instead of on the telecommunication company’s server. To prevent ID card forgery and theft, the platform enforces a “one person, one telecommunication company, one mobile” (1:1:1) policy. Therefore, it’s impossible for one person to concurrently obtain more than one mobile driver’s license from more than one mobile carrier.
The following diagram illustrates this registration flow.
The workflow contains the following steps:
- The driver’s license holder logs in to the app and runs the driver’s license verification service.
- License registration is requested.
- The application queries the registration status with the PASS user ID and checks if a driver’s license is already registered in the system.
- If not already registered, the application prompts the holder to take a picture of their license and uploads the information into the system using OCR.
- The application checks the authenticity of the license with the certification authority. If OCR information is altered during the registration process, authentication fails.
- The license hash required for verification of the authenticated license is stored on the blockchain to be validated in the future when further verification is needed. If the device or phone number changes, the license hash changes and is created in a new blockchain, and the previous information is no longer referenced.
- Sensitive data is encrypted and stored in a secure area of the user’s mobile device.
Verification flow
The following diagram illustrates the verification flow for the license.
The workflow contains the following steps:
- The driver’s license holder logs in to the app and runs the driver’s license verification service.
- The application queries the license information to check the status of the services.
- The application checks if it is following the “one person, one mobile, one telecommunication company” (1:1:1) policy, and checks if the license is valid.
- If there are any modifications in the verification values, such as the license, the mobile phone, or the telecommunication company, a new verification process through the certification authority takes place.
- When the preparation process for verification is finished, the license holder can present the QR code or barcode to the verifier.
- The verifier scans the generated code.
- The license is verified using the hash value and public key value of the license shared in the blockchain.
- The verifier can verify the driving qualifications of the end-user.
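The registration and verification flows above can be modelled as a small state machine. This is an added example, not the service’s chaincode: `LicenseLedger` is a hypothetical in-memory stand-in for the shared ledger, `person_id` is an assumed per-person key, and the hash strings are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    carrier: str
    license_hash: str


@dataclass
class LicenseLedger:
    """In-memory stand-in for the shared ledger (hypothetical, not a Fabric API)."""
    current: dict = field(default_factory=dict)  # person_id -> Record
    retired: set = field(default_factory=set)    # hashes no longer referenced

    def register(self, person_id, carrier, license_hash, authority_ok):
        # Registration: the certification authority must confirm the license.
        if not authority_ok:
            return "rejected: authority check failed"
        existing = self.current.get(person_id)
        # 1:1:1 policy: one person cannot be registered with two carriers at once.
        if existing and existing.carrier != carrier:
            return "rejected: already registered with another carrier"
        if existing and existing.license_hash == license_hash:
            return "unchanged"
        # Device or phone number changed: the previous hash stops being referenced.
        if existing:
            self.retired.add(existing.license_hash)
        self.current[person_id] = Record(carrier, license_hash)
        return "registered"

    def verify(self, person_id, presented_hash):
        # Verification: only the hash currently on the ledger is accepted.
        record = self.current.get(person_id)
        if record and record.license_hash == presented_hash:
            return "valid"
        return "superseded" if presented_hash in self.retired else "unknown"


def demo():
    ledger = LicenseLedger()
    return [
        ledger.register("person-1", "SKT", "hash-A", True),   # first registration
        ledger.register("person-1", "KT", "hash-B", True),    # second carrier
        ledger.register("person-1", "SKT", "hash-C", True),   # new phone, same carrier
        ledger.verify("person-1", "hash-C"),                  # current device
        ledger.verify("person-1", "hash-A"),                  # old device
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Returning "superseded" separately from "unknown" lets an operator tell a stale device apart from a hash that was never registered.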
Service architecture
The following diagram illustrates the architecture of the service.
All communication between the three telecommunication companies, the certification authority, and AWS runs over AWS Direct Connect, and the data is encrypted and transmitted using HTTPS and TLS protocols.
There are two communication flows through the PASS application server:
- The first flow connects to the Korea Highway Traffic Authority (KoROAD) server, using the interface server, to determine the validity of the ID card.
- The other flow connects to Managed Blockchain, using a Fabric client, to store the hash value of the license and query the distributed ledger between the three telecommunication companies.
Conclusion
In this post, we explained how to build an e-Driver’s License Service, discussed why blockchain was needed in this process, and highlighted the benefits of using Managed Blockchain.
With this service, users can experience a convenient, truly wallet-less lifestyle with only a smartphone. Additionally, service providers can better protect personal information and provide a simple real-time mobile authentication service backed by the security of blockchain technology.
This was an unprecedented collaboration between several major telecommunication companies in Korea, and there will be many future projects and new opportunities derived from this service.
Get started building with Amazon Managed Blockchain. Contact the Amazon Managed Blockchain team.
About the authors
Seunghan Lee is a Blockchain Developer and Strategist at LGU+ who is building new businesses based on blockchain.
Hye Young Park is a Solutions Architect at AWS. She has experience in search engine, messaging, and big data at Yahoo, Samsung, and SKT.
Cheongu Park is a Solutions Architect at AWS. He has experience in finance, education, and digital media at NHN Entertainment, and was a founder of an IoT startup.