Public Key Infrastructure from scratch in 2 months
How we enabled IuteCredit customers to sign agreements using their mobile phone’s biometric data
In today’s globalized world, businesses often operate across borders and need solutions that work in different legal and regulatory environments. One such challenge is signing contracts that hold up in court. Our customer was using SMS-based signing, which in some cases led to disputes with customers who made claims like “I have never received that SMS”. In most countries there is no standardized digital signature system like Estonia’s ID-card or Mobile-ID, and creating a unique solution for each country is not economically viable. At the same time, client confidentiality and the validity of the signatures must be ensured.
In this context, we developed a stand-alone service that allows anyone to sign a PDF document using their mobile phone’s biometric data.
PDF and smartphones - available anywhere in the world
To achieve this, we used a PDF container (analogous to Estonia’s DigiDoc container), which stores both the text of the contract and the signature. The PDF standard allows a file to hold both the content and the signature metadata. The container is then signed with a key that the user unlocks with biometric data, such as a fingerprint or Face ID, and that is protected by the phone’s cryptographic hardware.
One of the advantages of this solution is that it is straightforward and can be implemented in any country where PDF is used and people have access to smartphones. Waiting for each country to develop its own PKI system is impractical and would be very resource-intensive. Additionally, using a readily available cloud-based solution has drawbacks: the data would be locked in and controlled by third parties, and users may have to install additional software on their phones.
We developed this solution as a micro-service, which means it is a standalone application that can sign any PDF document. We knew very well how Estonian cryptography and signatures work, but we initially lacked the knowledge of how to combine PDF and biometric signatures. We knew it to be possible based on the PDF specifications, and we just had to figure out how.
On Android, the process went quite smoothly, but on iOS we had to investigate very deeply, down to the byte level, as it turned out that not many had implemented anything similar back then. At best, we could find some samples that provided clues to the eventual solution but were not readily usable.
The result is a custom-made solution for our customer, where the customer acts as their own Certificate Authority. The system identifies users through a one-time password (OTP), creates a key pair with the private key generated inside the phone’s hardware keystore, and transfers the public key to the Iute system. The user can then sign any PDF document using their private key.
Similar to the Estonian digital signature system
The Iute system is similar to Estonia’s digital signature system, with a private key stored on the ID card or mobile ID chip. However, in our solution, the key is stored in the phone’s built-in chip. As a result, the process of signing a contract is similar to the Estonian system, but the technology is different. Once the PKI setup is complete, the user can sign any PDF document using their private key.
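The enrollment and signing flow described above (OTP, key pair created on the phone, public key registered with the lender acting as its own CA, PDF signed with the private key), as an added Go example that is not IuteCredit's code: the server side self-signs its own root, issues a customer certificate for the public key the phone exported, and later verifies the SHA256withECDSA signature over the PDF bytes against that root. The phone's hardware-keystore key is stood in for by a software key, and the names, the P-256/SHA-256 choice, validity periods and sample bytes are assumptions.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey makes a P-256 key pair; on the phone this step happens inside the hardware keystore.
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// certTemplate builds a certificate template; the random 128-bit serial keeps every issued cert unique.
func certTemplate(cn string, years int, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	return &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, KeyUsage: ku, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(years, 0, 0)}
}
// issue signs tmpl with signer (the key behind parent) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// newCA self-signs the lender's root certificate for caKey; no external CA is involved (hypothetical name).
func newCA(caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := certTemplate("Lender Root CA (hypothetical)", 10, true, x509.KeyUsageCertSign)
	return issue(tmpl, tmpl, &caKey.PublicKey, caKey)
}
// enroll binds the public key the phone exported after OTP to the customer ID; the private half stays on the phone.
func enroll(ca *x509.Certificate, caKey *ecdsa.PrivateKey, customerID string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	return issue(certTemplate(customerID, 2, false, x509.KeyUsageDigitalSignature), ca, pub, caKey)
}
// signAgreement stands in for the phone after the biometric prompt: SHA256withECDSA (DER-encoded) over the PDF bytes.
func signAgreement(devKey *ecdsa.PrivateKey, pdf []byte) ([]byte, error) {
	digest := sha256.Sum256(pdf)
	return ecdsa.SignASN1(rand.Reader, devKey, digest[:])
}
// verifyAgreement is the server-side check: the cert must chain to our own root and the signature must cover exactly these bytes.
func verifyAgreement(ca, cert *x509.Certificate, pdf, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only the lender's own root is trusted, not a public CA bundle
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, pdf, sig)
}
```

Any edit to the signed PDF bytes, or a certificate issued by a CA other than the lender's own root, makes verifyAgreement return an error.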
The new IuteCredit service provides a solution that is easy to use and can be implemented globally. The use of biometric data ensures the security of the signature, and the PDF container provides a standardized way to store the contract. As a bonus, IuteCredit got a new biometric login feature for its customers that enhanced the user experience.
Last but not least, the solution was delivered with a reasonable investment compared to off-the-shelf alternatives like Amazon ACM. The service is managed by IuteCredit’s own employees in their own infrastructure.