RU2701088C1 - Method and system for trusted paperless presentation of documents - Google Patents

Abstract

FIELD: computer engineering.

SUBSTANCE: invention relates to computer engineering. Disclosed is a system for providing access to a digital copy of a user document, comprising at least one processor, coupled by a bus with a registration and authentication module, which is configured to register new users of the system and subsequent authentication thereof; biometric authentication and identification module, which is configured to obtain biometric user data and subsequent analysis thereof for authentication purposes for performing operations with documents; module for adding documents, which is intended for addition of user documents to digital copies of images; a document storage module which is designed to store and manage added digital copies of user documents; a document presentation module which is designed to provide added said digital copies of document images to a recipient and to set access policies for providing said digital copies of documents to a recipient which establishes a list of available digital copies of documents for transmitting to a document request module, wherein the digital copies of documents are provided by forming a data packet containing at least a hyperlink to at least one digital copy of the user document contained in the document storage module; electronic signature of documents module, which is intended for signing of digital copies of images of documents with a personal enhanced qualified electronic signature (EQES) and verification of electronic signature validity for each digital copy of document at request of document request module; a document request module which is designed to receive at least one signed digital copy of a user document image stored in a document storage module from a presentation module.

EFFECT: providing access to digital copies of user documents with ensuring confirmation of their invariance and authenticity.

17 cl, 9 dwg

Description

FIELD OF TECHNOLOGY

[0001] The present solution relates, in general, to the field of digital information processing, and in particular, to a method and system for trusted paperless presentation of documents.

BACKGROUND

[0002] As an analogue of the claimed solution, we can consider the electronic document management system of India - DigiLocker (https://digilocker.gov.in). This software product allows you to use digital copies of state documents of citizens, for example, a passport, driver’s license, upon presentation to authorized persons, organizations, and other applications in which the original document is replaced with its digital copy, accessible via the Internet computer network.

[0003] The DigiLocker solution is based on a digital platform that allows you to store digital copies of documents in a user profile that is associated with a unique identifier, in particular, with an Indian citizen's state number (Aadhaaar ID). At the same time, the main drawback of this solution is the lack of additional means of certifying the authenticity and immutability of documents, digital copies of which can be associated with the user profile, in particular, the use of biometric authentication of the document bearer and the use of electronic signatures of copies of documents. Also, the known solution is limited in functionality upon request and providing a copy of the document, because it only allows you to create a link to the cloud storage containing a copy of the document, which can be transferred to the corresponding device via a hyperlink.

SUMMARY OF THE INVENTION

[0004] The technical problem or technical problem to be solved is to provide a platform for trusted presentation of digital copies of user documents with confirmation of their immutability and authenticity.

[0005] The technical result achieved in solving the above problem is to provide access to digital copies of user documents, with confirmation of their immutability and authenticity.

[0006] Also, an additional effect of the application of the claimed solution is to increase the security of the process of presenting documents by the user through the use of biometric identification of the document bearer and the use of cryptographic protection for copies of documents stored in a cloud platform.

[0007] The claimed solution is implemented using a system for trusted paperless presentation of documents containing at least one processor associated with

- module registration and authentication, which is configured to register new users of the system and their subsequent authentication;

- a module for biometric authentication and identification, which is configured to receive biometric user data and their subsequent analysis for authentication purposes to perform operations with documents;

- a module for adding documents, which is designed to add digital copies of user documents to the system;

- a document storage module, which is designed to store and manage added digital copies of user documents;

- a document presentation module, which is designed to provide added digital copies of documents to the recipient and configure access policies for providing the said documents to the recipient;

- a module for electronic signature of a document, which is designed to sign added digital copies of documents with personal enhanced qualified electronic signature (UKEP);

- a document request module, which is designed to receive at least one signed copy of a user's digital document stored in the document storage module, from the document presentation module.

[0008] In one of the private options for implementing the system, user registration is carried out using at least one identifier selected from the group: SNILS, phone number, email address, passport number / series, TIN, medical policy number, unique identifier (UID) .

[0009] In another particular embodiment of the system, after the user is first registered, they are first authenticated by sending a message for subsequent confirmation to the user's device using cellular and / or Internet connection.

[0010] In another particular embodiment of the system, the message contains a confirmation code or a hyperlink to an authentication resource.

[0011] In another particular embodiment of the system, the authentication module further assigns a preferred authentication method for each registered user.

[0012] In another particular embodiment of the system, the document storage module is a cloud storage.

[0013] In another particular embodiment of the biometric authentication and identification system, at least one biometric user sample is selected from the group: fingerprint, face image, voice recording, retinal image, iris image, palm vein pattern, hand geometry .

[0014] In another particular embodiment of the system, the document adding module generates digital copies of documents based on documents loaded by users into the system and / or by requesting copies of documents from the relevant document issuing authorities.

[0015] In another particular embodiment of the system, the document presentation module generates a QR code containing a link to at least one user document contained in the storage module.

[0016] In another particular embodiment of the system, the electronic document signing module further verifies the validity of the electronic signature (ES) for each copy of the document.

[0017] In another particular embodiment of the system, a copy of the document may comprise a group signature.

[0018] In another private embodiment of the system, the signing of copies of UKEP documents is carried out using a cloud platform.

[0019] The claimed solution is also implemented using the method of providing a certified digital copy of a user’s document, during the implementation of which:

- create a user profile in the cloud-based system of trusted document management (OSDD) that contains at least the UID of the user and his biometric sample containing at least an image of the user's face;

- add at least one digital copy of a user document to said system;

- carry out the signing of the mentioned copy of the document in the OSDD using UKEP user;

- establish access policies for each copy of the added document in the SSC;

- Link the added digital copies of documents with the corresponding user profile;

- using the user's device, an information package is formed containing an electronic link to at least one copy of the document and the user ID associated with his profile in the OSDD;

- transmit said package to the recipient device;

- on the recipient’s device, a copy of the document is extracted from the received link, and the user’s ES is checked;

- receive using the recipient device a biometric sample of the user containing the image of the face of the user;

- transmit the received biometric sample of the user and the received UID of the user in the OSDD using the recipient’s device and compare them with the data associated with the user profile;

- if the data is successfully compared with the user profile, the recipient’s device processes documents in accordance with the established access policy.

[0020] In one of the private embodiments of the method for a copy of the document contains an additional electronic signature.

[0021] In another particular embodiment of the method, the OSDD provides access to a copy of the document in the event of verification of an additional electronic signature.

[0022] In another particular embodiment of the method, the information packet is a QR code.

[0023] In another particular embodiment of the method, the user's biometric sample further includes at least one of: a fingerprint, an image of the retina, an image of the iris, an image of the veins of the palm, an image of the geometry of the brush, or a voice sample.

[0024] The claimed solution is also implemented using the method of providing a certified digital copy of a user’s document, the implementation of which:

- create a user profile in the cloud-based system of trusted document management (OSDD) that contains at least the UID of the user, the first biometric sample, which is an image of the user's face, and the second additional biometric sample;

- add at least one digital copy of a user document to said system;

- carry out the signing of the mentioned copy of the document in the OSDD using UKEP user;

- establish access policies for each copy of the added document in the OSDD;

- Link the added digital copies of documents with the corresponding user profile;

- form, using the recipient’s device, a first request for a copy of the user’s document, the request comprising obtaining an image of the user's face and an additional biometric sample corresponding to the second biometric sample stored in the user profile in the OSDD;

- send the said request to the OSDD;

- using the OSDD, they verify the received request with the user profile and transmit the user UID to the recipient device;

- form using the recipient device a second request containing the UID of the user to obtain a digital copy of the document;

- using the recipient’s device, they obtain access to at least one copy of the user document with the corresponding access policy.

[0025] In a particular embodiment of the method, an additional biometric user sample includes at least one of: a fingerprint, an image of the retina, an image of the iris, an image of the veins of the palm, an image of the geometry of the brush, or a voice sample.

BRIEF DESCRIPTION OF THE DRAWINGS

[0026] The features and advantages of this technical solution will become apparent from the following detailed description and the accompanying drawings, in which:

[0027] FIG. 1 illustrates the architecture of a trusted workflow system.

[0028] FIG. 2 illustrates an example of user interaction with a workflow system.

[0029] FIG. 3 illustrates an example of an interaction scheme for providing a digital copy of a document using a user device.

[0030] FIG. 4 - FIG. 5 illustrates the process of providing a digital copy of a document using a user device.

[0031] FIG. 6 illustrates an example interaction diagram when requesting a digital copy of a document using a recipient device.

[0032] FIG. 7 - FIG. 8 illustrates the process of requesting a digital copy of a document using a recipient device.

[0033] FIG. 9 illustrates an example computing device. DETAILED DESCRIPTION OF THE INVENTION

[0034] The claimed solution allows you to store and use digital copies of user documents using the cloud-based system of trusted electronic document management (OSDD) for further submission to the necessary authorities and / or officials. Such documents, in particular, may include: passport, driver’s license, insurance policy, medical policy, SNILS, vehicle certificate, technical equipment passport, etc.

[0035] In FIG. 1 shows the general structure of the OSDD (100). The user (20), using the authentication and registration module (101), creates his profile in the system (100). User (20) provides data for registration in the system, for example, a unique citizen identifier, which can be a single citizen identifier (EIG), full name, date of birth, identification document, mobile phone number, biometric samples, SNILS number, email address, passport number / series, TIN, medical policy number, etc.

[0036] Module (101) is designed to register a new system user and then authenticate the user. Basic authentication is necessary in order to be able to use the functions of the biometric authentication and identification module (102), the document presentation module (104), and the document storage module (105). Module (101) sends the documents provided for registration by user (20) for verification in external systems, for example, module (101) can interact with the “single register of unique identifiers of citizens of the Russian Federation” to verify the correctness of the entered identifier, with the registry of correspondence of mobile phone numbers and a unique user identifier, with a system for sending SMS messages, with an internal database of the system, etc.

[0037] The user (20) also provides biometric samples for subsequent authentication upon presentation of digital copies of documents. A mandatory requirement is to provide an image of the user's face (20), which will be the main criterion for its authentication. In addition, biometric samples such as: fingerprint, voice recording, retinal image, iris image, palm vein pattern, hand geometry, etc., can be associated with a user profile (20).

[0038] The registration of a new user is as follows. System (100) asks user (20) for a unique identifier, an example of which was indicated above. In the case of using SNILS as a unique user identifier (20), the system (100) additionally requests the user's mobile phone number (20). In the case of using a unique user ID, the system (100) can additionally request the user's mobile phone number (20) or automatically download the user's mobile phone number, if this number (SIM card) is associated with a unique user ID in an accessible adjacent system;

[0039] If several mobile numbers are detected, the system (100) suggests selecting one specific one that will be linked in the system (100) to the user profile. Having received a unique identifier and / or a user's mobile phone number (an email address can be additionally used), the system (100), using the module (101), sends an SMS message with a confirmation code to the specified mobile phone number, which must be entered by the user (20) in system (100). Having received the correct confirmation code, the system (100) registers a new user (20), adding an entry of the form “unique user identifier and / or user’s mobile phone number” to its own database, which stores information about user profiles (20). Also, the user profile may contain other additional information, for example, one or more email addresses, identifying information, biometric data, etc.

[0040] The system (100) allows the user (20) to select options for subsequent authentication, for example, using biometric input (fingerprint scanner, retina scanner / iris, etc.) using a mobile device (smartphone, tablet) PIN authentication, two-factor authentication using a login / password combination and code confirmation from an SMS message or application for generating one-time access codes, etc.

[0041] In the case of using the two-factor authentication method, the system (100) uses the unique user identifier obtained earlier and the secret phrase, which is proposed to invent and remember the user at this stage, as a login. Additionally, a biometric sample of the user's voice with the pronunciation of the secret phrase can be used. After that, the system (100) adds salt to the hash of the passphrase and generates a new hash from the received string, which it adds to the user record (20) in its own database.

[0042] Authentication of the registered user (20) in the system (100) is as follows. When a registered user (20) logs into the system (100), he is invited to use one of the authentication methods: by fingerprint, PIN, login + password and confirmation code from SMS messages or another type of authentication selected by the user during registration . In the case of using authentication using a combination of login + password and confirmation code from an SMS message, the user enters a secret phrase, coined earlier and his UID. System (100) with the help of module (101) compares the entered data with those stored in its own database, and in case of complete coincidence sends to the mobile phone number of the user (20), which receives SMS from the user record in its own database message with confirmation code. Next, the user (20) enters a confirmation code from the SMS message, and if the data matches, authentication is considered successful.

[0043] After successful authentication, the system (100) gives the user (20) the rights to use the functions of the following modules: biometric authentication and identification (102), presentation of the document (104), storage of the document (105).

[0044] The biometric authentication and registration module (102) is designed to further authenticate the user (20) and provide the user (20) based on this authentication with specialized rights. Also, the module (102) is designed to identify the user (20) in the process of presenting a digital copy of the document using the system (100).

[0045] The input to module (102) are: user input and contextual information obtained from adjacent systems. Module (102) interacts with a biometric authentication center (108) to implement biometric verification algorithms, with an internal database of the system, with a document request module (107) for collecting a biometric sample, an electronic document signing module (106), and a document adding module (103) .

[0046] For successful authentication, the user (20) must register once in the biometric authentication center (108). The center of biometric authentication (108) can be a separate special body that allows all users (20) to provide biometric samples in person and produces an identity card of the applicant (20). In this case, a correspondence is created between the biometric samples of the user and the information identifying him, in particular, the passport number or a unique user identifier, mobile phone number, name, date of birth, and any other information that allows simplifying user identification (20).

[0047] The center of biometric authentication (108) can also be any adjacent system that provides an open interface for biometric authentication and identification, having a user profile (20) containing identifying information and complying with the legislation of the Russian Federation.

[0048] The biometric authentication module (102) checks the rights of the user (20) in the system (100). Such rights may be, for example, an ordinary user, the recipient of a copy of a document (the application can receive and verify documents), the publisher (can add a document to the user's repository that issues it, for example, an insurance policy can be automatically added by the insurance company as a publisher in the user's repository), trusted user (the biometric registration functionality of new users is available). At the same time, recipients generally gain access to the document request module (107) and additionally they are assigned a role according to which they can request documents (for example, the role is DPS, can only request a driver’s license, STS, PTS and OSAGO policy; Federal Tax Service - copies of TIN, passports, etc.).

[0049] Authentication of the registered user (20) using the module (102) is as follows. The system (100) asks the user (20) to provide a biometric sample - the image of the face that the user (20) receives using the camera of a mobile device, or records a video transmitted to the system (100). System (100) receives an image from a user device or selects a frame from a received video.

[0050] The system (100) receives, from the registration and authentication module (101), contextual information about the user (20) who is currently authenticated in the application, in particular, a unique identifier and mobile phone number. The received information is sent to the adjacent biometric authentication center (108), where the obtained biometric sample of the user (20) is verified with the sample stored in the center (108). To facilitate the search, an additional search can be performed by the user ID and mobile number. If the biometric samples, the user ID of the user (20) and the mobile phone number are correct, the system (100) sends an SMS message with a confirmation code to the mobile phone number, which must be entered by the user (20) in the system (100). If the confirmation code is successfully entered, user (20) is considered authenticated.

[0051] During the first biometric authentication, the system (100) receives user context data from the adjacent biometric authentication center (108): full name, date of birth, and other information that makes it possible to simplify user identification (20) in the future. This information is stored in the system (100) and cannot be changed by the user (20).

[0052] Upon successful authentication, the system (100) receives the user role from the center (108) and, on its basis, provides the user (20) with access to the functionality of the system (100). Biometric identification is available to users (20) with the rights of the “recipient” and is necessary for identification of the person presenting the document.

[0053] The identification is as follows. The recipient of a digital copy of the document takes a photo of the user (20) using his own mobile device. The system (100) sends the photo to the biometric authentication center (108), where the photo is analyzed for similarity with the user's image (20). Upon completion of the search, the system (100) provides a report on the degree of similarity of the user's image (20) with the data stored in the center (108) for registered users (20).

[0054] In some cases, in addition to photography, the system (100) can send some contextual data to the biometric authentication center (108) to speed up the search for correspondence, for example, various types of metadata. Such data can be previously transmitted by the user to the recipient using the technology of encoding information into a QR code or NFC. If the required threshold of “similarity” is exceeded, user (20) is considered identified, and the recipient can compare the documents presented by the user with registered trusted users.

[0055] The system (100), together with the result, receives from the biometric authentication center (108) the following information about the bearer: UID, certificate of electronic signature. In the future, this information is used to download and verify a user document (20). The system (100) also receives data on the role of the recipient. In the future, this information is used to verify the rights of the recipient to the requested one or more user documents (20).

[0056] The document adding module (103) is designed to add digital copies of user documents (20) to the system (100) that are stored in the system (100). There are several options for adding a document: self-adding a document by the user (20), a request to create a document, or a request to issue a document. Self-adding a document to the repository can be either trusted or not. The trusted addition of a digital copy of the document implies the ability to present the document to the recipient by analogy with a regular paper document. Documents added independently undergo a classification procedure for automatically adding to the correct cell in the storage of the document storage module (105).

[0057] Any trusted addition of a document is possible only after biometric authentication of the user (20). Each trusted digital copy of the document is signed by the user UKEP (20).

[0058] Self-adding a copy of the document by the user is as follows. User (20) performs biometric authentication through module (102). Next, user (20) uploads to the system (100) a photo or a scan copy of the document that he wants to add, while user (20) independently indicates the type of document, for example, passport, insurance policy, etc. System (100) checks the file for the presence of a user's personal digital signature. If the document contains a user's personal digital signature, then its characteristics are verified with a user certificate, which is preloaded from the biometric authentication center (108). If the certificates match, then a check is made for the presence of additional signatures in the file. If the certificates do not match, then the system (100) refuses the user to add the document.

[0059] If additional EDS are detected, system (100) divides them into the following categories: someone else's personal EDS, system EDS, trusted Publisher EDS. In case of detection of someone else's personal digital signature, the system (100) checks the type of the added document using an automatic document classifier. If the document type does not coincide with the previously specified, then the system (100) refuses to add the document. If the type of document is the same as previously specified, then the system (100) checks the necessity and possibility of having several personal digital signatures for this document using the internal directory. If the document implies a group EDS, then a check is made for the presence of additional signatures in the file. If the document does not imply a group EDS, then the system (100) refuses to add the document.

[0060] In the event that a trusted Publisher EDS is detected, system (100) verifies the authenticity of the EDS. If the result is negative, system (100) refuses to add the document. If the test result is positive, system (100) checks for the presence of a system EDS. If a system EDS is present, the document is added to the storage module (105) associated with the user profile (20). If there is no system EDS, then the system (100) clarifies with the user (20) about the need to add someone else's personal EDS to a copy of the document. If the answer is yes, then system (100) automatically classifies the document and compares the possibility and necessity of several personal digital signatures on the document using the internal directory.

[0061] If the document implies a group signature, then the system (100) provides the user (20) the opportunity to provide access to the document to other users. After the document is signed by all interested users, the system (100) automatically puts down a system EDS, which changes the technical characteristics of the document to “not editable” and adds the document to the repository associated with the user profile.

[0062] If a trusted EDS of the Publisher is found without a personal EDS, the system (100) refuses to add the document. If a system EDS is detected without a personal EDS, the system (100) also refuses to add a document. If there is no EDS on the document, system (100) prompts the user to add a personal EDS. In the case of a positive response from the user (20), the system (100) transmits the document to the external system of the cloud EDS (module 106), where the personal EDS of the user (20) is put down. Next, the system (100) clarifies with the user (20) about the need to add other people's personal digital signatures to a copy of the document.

[0063] If the answer is yes, then the system (100) automatically classifies the document and compares the possibility and necessity of several personal digital signatures on the document using the internal directory. If the document implies a group signature, then the system (100) provides the user (20) with the possibility of providing access by another user, otherwise the system (100) does not allow this.

[0064] After the document is signed by all interested users, the system (100) automatically puts down a system digital signature that changes the technical characteristics of the document to “not editable” and adds the document to the user's repository associated with its profile. If the answer about personal EDS is negative, then system (100) adds the document to the user's repository, but this document is not recognized as trusted.

[0065] The document storage module (105) is designed to store and manage the added digital copies of user documents (20). Module (105) provides functionality for manipulating these documents, in particular, deleting, renaming, creating cells for storing classified documents, etc. Module (105) may be cloud storage.

[0066] Adding a copy of a document using a document creation request is as follows. The user (20) performs biometric authentication by providing his biometric sample.

[0067] The user (20) selects the document whose digital copy is to be created. System (100) generates the necessary package of documents from previously added by the user and a request to create a digital copy of the document. System (100) transmits a request to create a document, a package of necessary documents, a user ID and other user data depending on the requested document to the publisher. After successful transmission of the request, the system (100) “reserves” in the storage module (105) a cell for a specific type of copy of the document, the production of which the user requests (20).

[0068] In the absence of the necessary documents in the user's repository, the system suggests adding the necessary documents. On the publisher's side, the received request can be processed in a way that is most convenient for the publisher: manual processing of the request, automatic processing of the request. Automatic processing is carried out using the publisher’s own software, which interacts with the system (100) using the software interface provided by the system (100). Manual processing is carried out in accordance with the internal regulations of the operator.

[0069] Adding a document to the user repository is done by specifying the user ID. Upon receipt of the created document and a unique identifier, the system checks for the presence of a “reserved” cell in the storage module (105) for the specified identifier. If this cell exists, the document is added to the user's repository for its profile. In the absence of access to the repository, the user refuses.

[0070] Adding a document using a request to issue a document is as follows. User (20) performs biometric authentication. Depending on the partners connected to the system (100) (departments, commercial organizations, etc., each partner has a unique connection), the user requests the release of a digital version of a document that the user already has on paper.

[0071] The system (100) generates a request that contains the UID and user data, and sends this request to its own module ("agent"), which is integrated into the partner environment. After generating the request, the system (100) “reserves” a cell in the storage module (105) for a specific type of document for the selected user (20).

[0072] The agent converts the received request into a format for automatically requesting information on the availability of the issued document for the user (20) and sends it to the partner’s own database. If a user document (20) is found in the partner’s database, for example, a passport office or the Federal Tax Service, the agent generates a pdf file (or another type of file), into which it adds information about the document from the partner’s database.

[0073] After generating the pdf file, the agent accesses the partner’s EDS system and signs the pdf file of the partner’s EDS, which adds the trust property to the file. The agent returns the signed pdf-file to the system (100) using the user's UID and the presence of a “reserved” cell in the module (105) for its profile. System (100) prompts the user (20) to sign a personal digital signature document. If the answer is no, the document is canceled. If the answer is yes, the system (100) sends the document to the electronic signature module of the document (106), where the user's personal digital signature is added to the document (20), thus the non-repudiation property is assigned to the document.

[0074] After receiving a user's personal digital signature, the system (100) adds its own digital signature to the pdf file and prohibits making changes to the specified file with a copy of the document. After receiving all the EDS, the system (100) adds the document to the reserved cell of the storage module (105) for the user profile (20).

[0075] The electronic document signing module (106) is designed to sign digital copies of documents added to the system (100) with a personal enhanced qualified electronic digital signature (UKEP). This module (106) can be performed in the form of an adjacent service that performs the signing of documents of a cloud digital signature. Integration is carried out after biometric user registration (20). There are two types of possible integration: integration with an existing cloud-based digital signature account, creating a new account in the cloud-based digital signature service. As part of the integration, the module transfers to the cloud EDS system copies of documents (files) for signing a user's personal digital signature.

[0076] The document presentation module (104) is designed to provide added digital copies of documents to the recipient and configure access policies for providing the said documents to the recipient. Module (104) provides remote and personal presentation of pre-added copies of documents to the recipient.

[0077] The document request module (107) is designed to receive a copy of a user’s digital document (20) stored in the document storage module (105), upon request of the document presentation module (104).

[0078] System (100) is a software and hardware solution, for example, a cloud platform based on one or more servers. The main process of software data processing for the implementation of the system (100) is performed by one or more processors (computing module). These modules of system (100) are associated with one or more processors for the implementation of the necessary information processing operations to implement their functionality. The specialist should also be obvious that various solutions can be applied in the field of parallel processing of information flows while performing the necessary algorithmic calculations when operating a computer device (or several devices).

[0079] In FIG. Figure 2 shows an example of user interaction (20) with OSDD (100). As indicated above, the user (20) transmits data (201) for registration in the OSDD (100). The user (20) provides the image of his face as the main biometric sample (202) to the biometric authentication center (108). After the user (20) is registered in the OSDD (100), a profile (250) is created for him, which will be used for the trusted exchange of digital copies of documents. In profile (250), user (20) sets the access policy for each copy of a digital document. An access policy also means ensuring the access of the relevant person / body to digital copies of documents, which is due to the list of documents that such a person or body can use in terms of identification and / or permission of the user (20).

[0080] As shown in FIG. 3, the provision of digital copies of user documents (20) can be carried out remotely to the device of the recipient of documents (22) using the user's electronic device (21). The term "remotely" refers to the transfer of digital copies of documents through information packets using data channels, for example, TCP / IP, GSM / 3G / 4G, Wi-Fi, radio (Bluetooth, BLE, NFC), etc.

[0081] Referring to FIG. 4, a method for remotely providing documents (300) is as follows.

[0082] The user (20) generates a personal profile (250) in the OSDD (100) using the registration process described above (step 301). Next, one or several copies of documents are loaded into the profile (250) (step 302), at least one of which will be presented to the recipient's device (22). The added copies of documents in the user profile (250) are signed by the user’s signature (UCEP) (step 303) to fulfill the requirements for their authenticity and non-repudiation.

[0083] For each signed copy of the document in the profile (250), an appropriate access policy is established to ensure that the authorized (trusted) recipient device (22) is provided for processing this copy (step 304). Next, the user (20) using his device (21), for example, a smartphone or tablet, selects one or more copies of documents from his profile (250) for transfer to the recipient's device (22). An information package is formed from the selected documents for transmission to the device (22) to the data channel (step 305).

[0084] FIG. 5 shows a process for processing (400) an information packet received from a user device (21) using a recipient device (22).

[0085] An information package may be represented as a hyperlink to a digital copy of a document with additional information, for example, user ID (20) in the OSDD (100), additional metadata associated with the user profile (250). The package can be encrypted in a QR code or another form suitable for transmission via a radio channel (Bluetooth, NFC, etc.). The hyperlink in the data packet leads to the corresponding copy of the document associated with the user profile (250). After receiving the information packet by the recipient device (22), its subsequent processing is performed (step 401).

[0086] At step (402), the user clicks on the link received in the information packet from the user's device (21). The recipient device (22) fulfills the request for a copy of the document according to the received hyperlink in the OSDD (100). Next, the recipient device (22) checks for the presence of an electronic copy of the requested document (step 403). Checking the electronic signature is performed using a request to the electronic document module (106) in the OSDD (100). If all ESs are valid, then the user’s identity is identified (20) using the recipient’s device (22).

[0087] The identification of a user (20) presenting copies of documents by means of an information package is performed by obtaining a biometric sample of the user, in particular, the image of his face at the time of verification (step 404). Obtaining a face image can be carried out using a camera built into the recipient’s device (22), or obtained using a photo and video recording tool connected to the device (22) (for example, surveillance cameras, WEB cameras, PTZ cameras, etc.).

[0088] After receiving the face image of the user (20), the recipient device (22) generates an information packet containing a photo image of the user (20) and the UID received from the transmitted information packet from the device (21) (step 405). The packet generated by the device (22) is transmitted to the OSDD (100) to verify the biometric sample of the user (202) and the associated MIA.

[0089] The received data at step (406) by the OSDD (100) is checked by sending a corresponding request to the biometric authentication center (108), which analyzes the similarity of the received user's image with the information stored in his profile (250). The analysis can be performed using various photogrammetric and / or analytical algorithms. Additionally, the biometric authentication center (108) can send the user's ES certificate (20), which is compared with the certificate received with the document earlier when it was uploaded to the user profile (250).

[0090] In the case of successful verification of the identity of the user (20) at step (407), the recipient device receives a hyperlinked copy of the document from the user device (21), associates the presented copy with the appropriate user (20), and further uses the copy of the document according to internal regulations.

[0091] As an example, the user (20) added the STS, PTS, MTPL and a driver’s license to the system. And he allowed the recipient (22) to download automatically only the driver’s license. A traffic police officer with the role of an inspector can only upload documents of the type: driver’s license, STS, CTP when performing user biometric authentication (20), for example, using an office smartphone or tablet (22).

[0092] In the event of a bearer identification error of a copy of a document (step 408), the OSDD (100) transmits a corresponding message to the recipient's device (22), which refuses to use the received copy of the document.

[0093] As indicated in the description above, a copy of a user’s document (20) may contain an additional electronic signature, for example, of a publisher’s authority. In this case, confirmation of the authenticity and non-repudiation of the copy of the bearer’s document is subject to verification of all electronic copies of the document.

[0094] FIG. 6 shows an embodiment of the claimed solution, in which the request for a copy of the document by the recipient device (22) is performed without using the user's electronic device (21). In this case, in addition to the main biometric sample - images of the user's face (20), one or more additional samples are used that allow identification of the bearer of digital copies of documents.

[0095] In FIG. 7 shows the sequence of steps of the method for performing the specified procedure for using copies of documents (500). At the first stage (501), the user (20) performs the registration process in the OSDD (100) by providing a biometric sample - an image of a person identifying his information and an additional biometric sample for further formation of the user profile (250) in the OSDD (100). As an additional biometric sample, it can be used, but not limited to: fingerprint, image of the retina, image of the iris, image of the veins of the palm, image of the geometry of the brush, voice sample, etc.

[0096] After the registration process, the user (20) uploads one or more copies of documents to the profile (250) (step 502) and signs them with personal UKEP (step 503). For each digital document signed by the UECC, an appropriate access policy is established (step 504).

[0097] In FIG. 8 shows a process (600) for requesting and receiving copies of user documents (20) using a recipient device (22) without generating an information packet by a user device (21).

[0098] If it is necessary to use a digital copy of the document, according to method (600), the recipient device (22) captures the image of the user's face (20), for example, using the built-in camera or photo and video recording means associated with the device (22) (step 601). The user also provides a second, additional biometric sample that is associated with his profile (250) in the SDDD (100) (step 602). An additional biometric sample is obtained using the means installed or associated with the recipient's device (22).

[0099] After receiving two biometric samples, the device (22) generates an initial request (step 603) and sends it to the DRC (100) (step 604) to identify the user (20) (step 605). In case of successful comparison of biometric samples (step 606) with one of the registered profiles (250) in the OSDD (100), the latter returns to the recipient device (22) the UID of the corresponding user (20), the user's EP certificate (step 607). Additionally, information about the degree of similarity of the user's main biometric sample may also be provided (202).

[0100] Next, the recipient device (22) generates a second request for access to one or more copies of user profile documents (250) (step 608). The second request contains the previously received UID of the user, which provides access to documents based on the recipient's access policy (22) to one or more copies of documents.

[0101] If at least one copy of the document is available for the recipient (22), then the OSDD (100) provides access to them in the user profile (250). A copy of the document (step 609) can be downloaded to the recipient's device (22). Next, the presence of appropriate electronic copies of the document and their validity are checked. The comparison of the user EP certificate received from the OSDD (100) is carried out, with which the document is signed when it is loaded into the OSDD (100), and the certificate of the downloaded document from the second request. If the certificate verification is successful, the recipient (22) accepts a copy of the document as a trusted authentic document of a proper bearer (20).

[0102] If at step (606) the user (20) is not identified in the OSDD (100) (step 610), then the OSDD (100) notifies the recipient device (22), and the user (20) is refused to provide digital copies of documents .

[0103] As indicated above, a copy of a document may also contain several electronic signature, for example, the electronic signature of a publisher or other trusted authority. In this case, a successful verification of the authenticity of a copy of a document will only be possible if all electronic signature of such a document is successfully verified.

[0104] In FIG. 9 shows an example of a computing device (700) that is used to implement the claimed solution. The device (700) can be selected from a wide range of known devices providing the necessary functionality, for example, a computer, laptop, server, tablet, smartphone, portable game console, mainframe, supercomputer, etc. As mentioned above, the user device (21) , the recipient device (22), the OSDD (100), can be partially organized on the basis of or represent one example of the device (700).

[0105] In general, a computing device (700) comprises one or more processors (701) connected by a common bus, memory means such as RAM (702) and ROM (703), input / output interfaces (704), input devices / output (705), and a device for network interaction (706).

[0106] A processor (701) (or multiple processors, a multi-core processor) can be selected from a variety of currently widely used devices, for example, Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™ and etc.

[0107] RAM (702) is a random access memory and is intended to store machine-readable instructions executed by the processor (701) for performing the necessary operations on logical data processing. RAM (702), as a rule, contains executable instructions of the operating system and corresponding software components (applications, program modules, etc.).

[0108] the ROM (703) is one or more permanent storage devices, for example, a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media ( CD-R / RW, DVD-R / RW, BlueRay Disc, MD), etc.

[0109] Various types of I / O interfaces (704) are used to organize the operation of the components of the device (700) and organize the operation of external connected devices. The choice of appropriate interfaces depends on the particular computing device, which can be, but not limited to: PCI, AGP, PS / 2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

[0110] Various means (705) of I / O information, for example, a keyboard, a display (monitor), a touch screen, a touch pad, a joystick, a mouse, a light pen, a stylus, are used to provide user interaction with a computing device (700), touch panel, trackball, speakers, microphone, augmented reality, optical sensors, tablet, light indicators, projector, camera, biometric identification tools (retina scanner, fingerprint scanner, voice recognition module), etc.

[0111] The network interaction tool (706) provides data transmission by the device (700) via an internal or external computer network, for example, an Intranet, the Internet, a LAN, etc. As one or more means (706) may be used, but not limited to : Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communications module, NFC module, Bluetooth and / or BLE module, Wi-Fi module, etc. Additionally, satellite navigation tools can be used, for example, GPS, GLONASS , BeiDou, Galileo.

[0112] The application materials presented disclose preferred examples of the implementation of the technical solution and should not be construed as limiting other, particular examples of its implementation, not going beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field of technology.

Claims (45)

1. A system for providing access to a digital copy of a user document, comprising at least one processor coupled via a bus to

registration and authentication module, which is configured to register new users of the system and their subsequent authentication;

a biometric authentication and identification module, which is configured to receive biometric user data and their subsequent analysis for authentication purposes for performing operations with documents;

a document adding module, which is intended for adding digital copies of images of user documents to the system;

document storage module, which is designed to store and manage added digital copies of user documents;

a document presentation module, which is intended to provide the aforementioned digital copies of the images of documents to the recipient and configure access policies for the provision of the said digital copies of the documents to the recipient, which establishes a list of available digital copies of the documents for transmission to the document request module, and the digital copies of the documents are provided by generating a data packet containing at least a hyperlink to at least one digital copy of the document by zovatelya contained in the document storage unit;

electronic document signing module, which is designed to sign added digital copies of document images with a personal enhanced qualified electronic signature (UKEP) and verify the validity of the electronic signature for each digital copy of a document at the request of the document request module;

a document request module, which is designed to receive at least one signed digital copy of a user document image stored in the document storage module from the document presentation module. 2. The system according to claim 1, characterized in that users are registered using at least one identifier selected from the group: SNILS, phone number, email address, passport number / series, TIN, medical policy number, unique identifier ( UID). 3. The system according to claim 2, characterized in that after the initial registration of the user, his primary authentication is performed by sending a message for subsequent confirmation to the user's device using cellular and / or Internet connection. 4. The system according to claim 3, characterized in that the message contains a confirmation code or a hyperlink to the authentication resource. 5. The system according to claim 1, characterized in that the authentication module additionally assigns a preferred authentication method for each registered user. 6. The system according to claim 1, characterized in that the document storage module is a cloud storage. 7. The system according to claim 1, characterized in that the biometric authentication module is configured to receive at least one biometric sample of a user selected from the group: fingerprint, face image, voice recording, image of the retina, image of the iris, vein pattern palms, geometry of the hand. 8. The system according to claim 1, characterized in that the document adding module generates digital copies of documents based on documents uploaded by users to the system and / or by requesting copies of documents from relevant authorities - document publishers. 9. The system under item 1, characterized in that the copy of the document may contain a group of electronic signature. 10. The system according to claim 1, characterized in that the signing of copies of UKEP documents is carried out using a cloud platform. 11. A method for providing access to a digital copy of user documents, comprising the steps of:

create a user profile in the cloud-based system of trusted document management (OSDD) that contains at least the UID of the user and his biometric sample containing at least an image of the user's face;

add at least one digital copy of the image of the user document to said system;

signing the aforementioned digital copy of the image of the document in the OSDD using UKEP user;

establish access policies for each digital copy of the added document in the OSDD, and the access policy establishes a list of available digital copies of documents for transmission to the recipient device;

Link the added digital copies of documents with the corresponding user profile;

using the user's device, an information package is generated containing an electronic link to at least one digital copy of the image of the document and the user ID associated with his profile in the OSDD;

transmitting said information packet to the recipient device;

on the recipient’s device, a digital copy of the image of the document is extracted from the received electronic link, and the user UKEP is checked;

receive using the recipient device a biometric sample of the user containing the image of the face of the user;

transmit using the recipient device the obtained biometric sample of the user and the received UID of the user in the OSDD and compare them with the data associated with the user profile;

in case of successful comparison of data with the user profile, the recipient device processes in accordance with the established access policy the received at least one copy of the digital image of the document by the mentioned electronic link. 12. The method according to p. 11, characterized in that the copy of the document contains an additional electronic signature. 13. The method according to p. 12, characterized in that the OSDD provides access to a copy of the document in case of checking an additional electronic signature. 14. The method according to p. 11, characterized in that the information package is a QR code. 15. The method according to p. 11, characterized in that the biometric sample of the user further includes at least one of: a fingerprint, an image of the retina, an image of the iris, an image of the veins of the palm, an image of the geometry of the brush, or a voice sample. 16. A method of providing access to a digital copy of user documents, comprising the steps of:

create a user profile in the cloud-based system of trusted document management (OSDD) that contains at least the UID of the user, the first biometric sample, which is an image of the user's face, and the second additional biometric sample;

add at least one digital copy of the image of the user document to said system;

signing the aforementioned digital copy of the image of the document in the OSDD using UKEP user;

establish access policies for each said digital copy of the image of the added document in the OSDD, the access policy establishing a list of available digital copies of documents for transmission to the recipient device;

associate the added digital copies of document images with the corresponding user profile;

form, using the recipient’s device, a first request for a digital copy of the image of the user’s document, the request comprising receiving an image of the user's face and an additional biometric sample corresponding to the second biometric sample stored in the user profile in the OSDD;

forward said request to the OSDD;

using the OSDD, they verify the received request with the user profile and transmit the user UID to the recipient device;

form using the recipient device a second request containing the user ID, to obtain a digital copy of the image of the user document;

they are checked using the device of the recipient UKEP of the user and, if successful, they get access to at least one digital copy of the image of the user’s document in accordance with the specified access policy. 17. The method according to p. 16, characterized in that the additional biometric sample of the user includes at least one of: a fingerprint, image of the retina, the image of the iris, image of the veins of the palm, image of the geometry of the brush or voice sample.

Images