The Electronic ID and the Voting Admission using a Cell Phone

Transcription

1 The Electronic ID and the Voting Admission using a Cell Phone Tetsuji KOBAYASHI *, Jaewook KIM * and Norifumi MACHIDA * * Nippon Institute of Technology Department of Computer and Information Engineering Joho-Building, 4-1-1, Gakuendai, Miyashiro-machi, Saitama-ken, Japan ABSTRACT This paper proposes a personal identification method using a cell phone to improve the function of ID cards and also proposes the application to the electronic voting admission. The method is called as the electronic ID using a cell phone. The personal identification data are stored in the server. Each user receives the data from the server on each cell phone. The cell phone displays the text data (name, affiliation, etc.), face images and a two-dimensional The examiner checks the displayed information by using the examiner s terminal computer. The mechanism uses message authentication and encryption to establish the security among the server, the cell phone and the examiner s terminal. The mechanism of the proposed electronic ID can be applied to the electronic voting admission for improving the current voting admission system in the election of the national or local government. The proposed voting admission can improve the services for voters and decrease the cost for voting admission remarkably. Keywords: cell phone, personal identification, security, two-dimensional symbol, voting admission 1 INTRODUCTION Personal identification is important in various information systems. Plastic cards and smart cards are used as ID (identification) cards. In some countries including Japan, many people have color display cell phones. If a cell phone is used for personal identification, it is possible to show all of the identification information on the color display of the cell phone. Two-dimensional symbols are constructed by means of extending the functions of barcodes [1]. A twodimensional symbol has large recording capacity and error correction capability. There are various kinds of twodimensional symbols. Two-dimensional symbol can be classified as a stack type and a matrix type. The stack type symbol such as PDF417 is constructed by stacking multiple low-height barcodes. The matrix type symbol such as QR code is constructed to store a black or white pattern into a cell that corresponds to a pixel of an image. Although twodimensional symbols are used for a ticket such as an airline company, it has nothing to do with personal identification. By using the two-dimensional symbol for the personal identification system using a cell phone, the identification data can be quickly read from the two-dimensional symbol scanner attached to the examiner s terminal computer. The encryption and authentication techniques can be used for the security of the two-dimensional symbol [2]. The authors proposed a personal identification method using a cell phone for improving the function of ID cards, and the prototype was constructed and the evaluation was reported [3], [4]. There are local governments that use the electronic voting system in Japan [5]. However, the voting admission is out of scope. The mechanism of the proposed personal identification method can be applied to the voting admission for improving the current voting admission in the election of the central or local government. The electronic voting admission proposed in this paper can improve the services for the voters and can remarkably decrease the cost of the voting admission. 2 PERSONAL IDENTIFICATION 2.1 The Concept of the Electronic ID for Personal Identification The fundamental concept of the proposed personal identification method using a cell phone is summarized. (1) The personal identification data are stored in the database of a server (or a computer center). (2) Each user receives the personal identification data from the server on each cell phone. The time when the user receives the personal identification data depends on the application. It is possible for the user to request the personal identification data of the server. It is also possible that the server automatically sends the personal identification data to the cell phone at the appropriate time decided by the application. (3) The cell phone displays the personal identification data that consist of text data (name, address, etc.) and image data (face image, etc.). The examiner checks these data. (4) The cell phone additionally displays the two-dimensional symbol including the personal identification data. The purpose of the two-dimensional symbol is to read the data by the two-dimensional symbol scanner and automatically process the data at the terminal computer of the examiner. (5) The encryption and authentication techniques are used for the security of the two-dimensional symbol in the cell

2 phone. Additionally, the two-dimensional symbol can include the timestamp to limit the time interval for the personal identification data. (6) The personal identification is performed not only when the examiner s terminal can communicate with the server (i.e., on-line identification), but also when the examiner s terminal cannot communicate with the server on account of its failure (i.e., off-line identification). 2.2 Main Problems and Solutions Main problems and solutions to implement the proposed concept are described as follows. Problem-1: The transmission data from the server to the cell phone such as the ordinary compressed face image and the personal text data cannot be encrypted in many cases because most of cell phones do not have encryption and decryption functions for data. The solution for problem-1: The authentication code is generated for the ordinary compressed face image and the personal text data, and it is stored in the two-dimensional The data stored in the two-dimensional symbol are encrypted. The examiner s terminal can read the twodimensional symbol from the scanner and decrypt the data. The personal text data transmitted from the server to the cell phone without encryption are limited to the public basic personal data. The secret detailed personal data with encryption are stored in the two-dimensional Problem-2: When the examiner s terminal is unable to communicate with the server because of failures, it should perform personal authentication by only using the displayed information of the user s cell phone. The solution for problem-2: All of the data for personal identification are stored in the two-dimensional Problem-3: Since the size of the two- dimensional symbol displayed on a cell phone is small because of its display size, the ordinary compressed face image is too large to store in the two-dimension The solution for problem-3: The highly compressed face image with high compression rate is stored in the twodimensional Problem-4: The personal text data can be divided into the public basic text data (name, user ID, affiliation), and the secret detailed text data (name, user ID, affiliation, birth date, telephone number, address, etc.). (Note: The secret detailed text data include the public basic text data.) The solution for problem-4: The text data transmitted to the user's cell phone from the server by without enciphering are the public basic text data. Since the secret detailed text data include privacy information, they are enciphered and stored in the two-dimensional Problem-5: The data from the server to the examiner s terminal consist of the downloaded data from the server and the data obtained from the two-dimensional symbol displayed on the cell phone. These data can be categorized as the duplicated data and the non-duplicated data. It is necessary to certify the correctness and minimize the processing amount and the transmitted data amount. The solution for problem-5: The scheme to use multiple message authentication codes (or digital signatures) is devised. 2.3 Proposed Method for the Electronic ID The proposed electronic ID for personal identification using a cell phone is described in detail in this chapter. Main elements for the proposed method are shown in Fig. 1. (MAC: Message Authentication Code). Public basic personal text data. [Download] [Server] Ordinary compressed face image. MAC-B MAC-A (copy) Examiner s terminal. Two-dimensional symbol scanner. [ or download] Fig. 1: Main elements for the proposed method. 2.4 The Server Two-dimensional Secret detailed personal text data. Highly compressed face image. MAC-A User s cell phone. (1) The examiner produces an ordinary compressed face image and a highly compressed face image by using the face image of the user. Each of compressed face images has each compression rate. The user ID is embedded in the ordinary compressed face image by using digital watermarking to protect it from the intruder of the server. (2) The server obtains the public basic personal text data (name, user ID, and affiliation), the ordinary compressed face image, and the data for the two-dimensional The data for the two-dimensional symbol consist of the following data: the highly compressed face image and the secret detailed personal text data (name, user ID, affiliation,

3 birth date, phone number, address, creation date, expiration date, and other additional data). (3) The server creates MAC-A as the message authentication code (or digital signature) for the data of the twodimensional symbol such as the highly compressed face image and the secret detailed personal text data. (4) The server creates MAC-B as the message authentication code (or digital signature) for the transmission data to the cell phone and the examiner s terminal such as the public basic personal text data (name, user ID, and affiliation), the ordinary compressed face image, and the data for the twodimensional (5) The server encrypts the secret detailed personal text data, the highly compressed face image and MAC-A. The server stores the encrypted data in the two-dimensional (6) The server transmits the ordinary compressed face image, the public basic personal text data and the two-dimensional symbol, to the cell phone. These data are transmitted by from the server (or downloaded by the user from the Web browser of the cell phone). (7) Both of the encryption key and the authentication key are shared between the server and the examiner s terminal. The method to verify the communication among the server, the cell phone and the examiner s terminal is shown in Table 1. Table 1: The method to verify the communication. Items for verification. The method for verification by using multiple message authentication codes. The correctness of the The concordance between the two-dimensional MAC-A in the two-dimensional symbol transmitted to symbol and the MAC generated the cell phone from from the data in the twodimensional the server. The correctness of the downloaded data to the terminal from the server. The correctness between the downloaded data and the displayed data on the cell phone 2.5 The Cell Phone of the User The concordance between the MAC-B in the downloaded data and the MAC generated from the downloaded data. The concordance between the MAC-A in the two-dimensional symbol of the cell phone and the copy of MAC-A that is stored in the downloaded data. (1) The cell phone of the user receives the ordinary compressed face image, the public basic personal text data and the two-dimensional symbol from the server. (2) The user displays and shows the public basic personal text data, the ordinary compressed face image, and the twodimensional symbol on the cell phone according to the guidance of the examiner. 2.6 On-line Identification by the Examiner The on-line identification is the personal identification when the examiner s terminal computer can communicate with the server. The procedure is described as follows. (1) The examiner s terminal downloads the public basic personal text data, the secret detailed personal text data, the ordinary compressed face image, the highly compressed face image, the MAC-B and the copy of MAC-A. These data are protected by the SSL (secure sockets layer) protocol. (2) The examiner s terminal reads the two-dimensional symbol on the cell phone from the two-dimensional symbol scanner. The data in the two-dimensional symbol are decoded and stored in the examiner s terminal. (3) The examiner s terminal verifies the MAC-B by creating the new MAC-B. It also verifies the copy of MAC-A obtained from the server and the MAC-A obtained from the two-dimensional symbol obtained from the cell phone. When they are correct, this procedure continues to the next. (4) The examiner s terminal verifies the MAC-A by creating the new MAC-A from the data in the two-dimensinal (5) The examiner s terminal displays the secret detailed personal text data and the ordinary compressed face image. The examiner checks the correctness of the displayed data and the live face image of the user of the cell phone. 2.7 Off-line Identification by the Examiner The off-line identification is necessary when the examiner s terminal cannot communicate with the server on account of the failure of the server or the communication line. The procedure for the off-line identification is described as follows. The data in the two-dimensional symbol are obtained and decrypted. The MAC-A is verified by using only the data stored in the two-dimensional The secret detailed personal text data and the highly compressed face image are displayed on the examiner s terminal. The examiner checks the data, and checks the face image by looking at the live face. The result is recorded and shall be dually verified when the examiner s terminal is able to access the server. Although the on-line identification uses the ordinary compressed face image, the off-line identification uses the highly compressed face image because the two-dimensional symbol has a capacity limit such as the maximum value is about 2,000 bytes for the current cell phone and the two-dimensional symbol scanner. 2.8 Merits of the Electronic ID The proposed personal identification method using a cell phone has the following merits. As the face image displayed on the cell phone is large enough in comparison with the photograph size of the ordinary plastic ID card, the precision increases when the examiner compares the displayed face image to the live face. As the personal identification data can

4 be directly read from the two-dimensional symbol scanner, the data can be automatically processed by the examiner s terminal. The cost to produce ID cards is decreased because no ID card is used. By using the two-dimensional symbol for the ID system using a cell phone, the forgery becomes difficult and the time for checking the contents of the ID data is reduced. The attacks and counter measures with regard to the proposed electronic ID are shown in Table 2. Table 2: The attacks and counter measures with regard to the proposed electronic ID. Attacks Counter measures against the attacks The attacker may access This attack can be defended the fraudulent Web site when the correct Web site created by the attacker, and attaches the authentication the attacker may display code for the data in the the fake data on the display two-dimensional of the cell phone. The attacker displays the two-dimensional symbol that is illegally obtained from the correct person s cell phone, or copied from the display. The intruder for the server modifies the personal identification data in the database of the server. Since the face image is displayed on the cell phone, the checking person can compare the face image to the live face. It is very difficult to intrude the secure server, to modify the personal identification data, and to generate the twodimensional 3 THE ELECTRONIC VOTING ADMISSION 3.1 Problems of the Voting Admission The proposed identification method can be applied to various applications. This paper proposes a voting admission method for the elections of national or local governments. A set of voting admission tickets for each voter is mailed to each household that consists of one or more voters in the elections of Japan. Each voter goes to each specified voting place with the voting admission ticket, and the voter receives a ballot sheet to cast a vote in exchange for the voting admission ticket at the specified voting place. However, there are following problems in the current voting admission system. [Problem-A]: Since the admission ticket is mailed earlier than the day of election, there are voters who may lose the voting admission ticket. [Problem-B]: Since two or more voting places are printed on the voting admission ticket and one of them is specified for each voter (the purpose is to decrease the printing cost), there is a voter who mistakes the specified voting place. [Problem-C]: Since each staff at the voting place compares manually the name of the admission ticket to the thick list of voters, a voter may sometimes have a long waiting time. [Problem-D]: Since the number of voters is very large, the cost for printing and mailing the voting admission tickets is huge in each election. 3.2 The Electronic Voting Admission We propose the electronic voting admission by using a cell phone that coexists with the current voting admission ticket by postal mail. (1) Overview If a voter wishes to receive an electronic voting admission ticket with the cell phone, the voter registers the address to the election administration committee of the national or local government depending on the kind of election in advance. The server transmits the basic text data for voting (voting kind, voting date, voting place, voter s name), the simple map of the voting place, and the twodimensional symbol that includes the detailed text data for voting (voter s name, address, voting place, and the message authentication code (or digital signature)), to the cell phone of the voter. The voter shows the two-dimensional symbol displayed on the cell phone to the staff at the voting place. The terminal computer reads the two-dimensional symbol displayed on the cell phone from the two-dimensional symbol scanner, and checks the correctness of the voter based on the data obtained from the two-dimensional symbol and the pre-downloaded data from the server. Since the check of the facial photograph of each voter is not performed at the present election, the check of each face image is the optional function. The displayed text data of the voter on the cell phone are minimized such as the voter s name and the voting place, and the detailed voter s text data are encrypted and stored in the two-dimensional The display of the electronic voting admission ticket of the voter s cell phone is shown in Fig. 2. The feature of the electronic voting admission ticket is shown in Table 3. This table compares the basic personal identification method described in section 2 to the electronic voting admission. The basic text data of the voter. The map of the voting place. Two-dimensional symbol including the voter s data. Fig. 2: The electronic voting admission ticket.

5 Table 3: The feature of the electronic admission ticket. Methods The basic personal The electronic identification voting admission. Items method. Off-line Possible. Possible. identification. On-line Possible. identification. Identification by face image. The data included in the to the cell phone. The data stored in the twodimensional The downloading scheme from the server to the terminal. The download data from the server to the terminal of the voting place. Possible. The basic text data for personal identification, and the twodimensional The basic text data for identification, the detailed text data for identification, and the highly compressed face image. Real-time download or pre-download. The basic text data for identification, the detailed text data for identification, and the ordinary compressed face image. Option. The basic text data for the voting admission, the simple map of the voting place, and the two-dimensional The basic text data for the voting admission, the detailed text data for the voting admission, and the data of the voting place. Pre-download. The list of voters for each voting place. Accordingly, the problem-a is resolved by storing the for the electronic admission in the cell phone. The problem-b is resolved by describing only one place in the map of the voting place. The problem-c is resolved by storing the list of voters in the terminal computer, and by checking the correspondence between the data of the voting admission ticket and the list of voters in the terminal computer. The concept of the electronic voting admission is shown in Fig. 3. Server of the election administration committee. The list of voters. The data of the electronic voting admission. [Pre-download] List of voters. [Voting place] Terminal computer. Scanner. [ ] Fig. 3: The concept of the electronic voting admission. (2) The Security The attacks and countermeasures against the voting admission schemes are shown in Table 4. Table 4: Attacks and countermeasures against the voting admission. Methods The electronic voting admission by using a cell phone. Attacks or errors The erratic delivery. The attacker steals the voting admission ticket. The attacker votes more than one time. The attacker gives a true or fake voting admission ticket to the other person. The address should be managed precisely. This case does not occur. This case can be detected at the voting place. The other person can vote when the personal identification at the voting place is incomplete. (The face check is desirable.) The basic data for voting. Simple map. Two-dimensional Voter s cell phone. The present voting admission by postal mail. The erratic delivery may occur because of the mailman s mistake. The attacker may steal the voting admission ticket from the mailbox. This case can be detected at the voting place. The other person can vote when the personal identification at the voting place is incomplete. (The face check is desirable.)

6 (3) Cost In order to investigate the Problem-D, let us discuss about the cost for the voting admission. The comparison of the voting admission tickets is shown in Table 5. Table 5: The comparison of voting admission tickets. Methods Items The electronic voting admission by using the cell phone. The voting admission by postal mail. The server for the voting management. To print the voting admission tickets. To distribute the voting admission tickets. The terminal computer for checking each voter in each voting place. The number of staff to check the voting admission ticket. The voter s payment for the voting admission. The time and transportation expenses for the voter. . Relatively small. A little payment occurs when the voter receives the . Postal mail. Relatively large. According to the election administration committee in the certain large city in Japan,, the expense of the voting admission tickets for the national election of the House of Councilors in July 2004 is as follows. The total printing cost for voting admission tickets is about JPY 4,700,000 (about US$ 47,000, when US$ 1.00 is assumed to be JPY 100 (Japanese yen)). The total mailing cost for voting admission tickets is about JPY 21,500,000 (about US$ 215,000). The number of voters in the day of election is 840,947. (The number of households is 435,795 in the data of November 2004.) Therefore, we obtain the following result. The printing and mailing cost of the current voting admission ticket per voter = (4,700,000+21,500,000) / 840,947 (JPY / voter) (JPY / voter) (US$ / voter). Although the cost depends on each election region, it is appropriate to refer the result because the city is a typical big city in Japan. Let us consider the effect for all over Japan. According to the data of the Ministry of Internal Affairs and Communications, the population of Japan in the year of 2000 is about 126,140,000 and the total number of voters (20 or more years old) is about 100,910,000. Therefore, when all voters use the electronic voting admission tickets, the decreasing cost for one election = 100,910,000 (voters) (JPY / voter) = JPY 3,143,851,050 US$ 31,438,510. As for the electronic voting admission, the printing cost and the postal mail cost are zero. Therefore, the total cost for voting admission becomes remarkably decreases when the number of voters that use the electronic voting admission increases. The increasing cost is discussed as follows. The data consists of the small text data, the small linedrawing map and the two-dimensional When the optional face image is used for authentication, it can be downloaded from the server. Therefore, the amount of data of the electronic voting admission ticket that are transmitted from the server to the cell phone is small. For example, the amount of data of the electronic voting admission transmitted from the server to the cell phone is calculated as follows based on the prototype. The detailed text data of the voting admission such as the voter name, the voter address, the voter s birth date, and the voting place are 61 bytes, the size of the map is 526 bytes and the size of the twodimensional symbol is 550 bytes, the total data amount is 1,137 bytes, and these data needs 8.8 packets. The payment for 8.8 packets is very small although it depends on each cellular phone company, (e.g., about JPY 1.0 (about US$ 0.01) for a cellular company). 4 CONCLUSION An electronic ID system for personal identification using a cell phone has been proposed. The two-dimensional symbol scanner can quickly read the electronic ID data, and the security of the electronic ID data is improved. The mechanism of the proposed personal identification method can be applied to the electronic voting admission for improving the services and decreasing the cost of the present voting admission in the election of national or local governments. REFERENCES [1] [2] B. Schneier, Applied cryptography, Second Edition, John Willey & Sons, Inc., (1996). [3] J. Kim and T. Kobayashi: Personal identification using a cell phone and the security, Proceedings of the 2004 Symposium on Cryptography and Information Security (SCIS2005), pp , IEICE, Japan, (Jan. 2004),. [4] N. Machida, J. Kim, and T. Kobayashi: An Electronic ID System using a Cell Phone and Its Evaluation, Proceedings of the Second IASTED International Conference on Communication, and Computer Networks (CCN2004), USA, IASTED, ACTA press, pp , (Nov. 2004). [5]