INSIKA: Cryptographic Tamper-proofing of Electronic Cash Registers

The tax laws of most countries stipulate that digital records of sales transactions have to be complete and unchangeable. The taxpayers themselves are required to supply a proof for this. Application of the INSIKA concept guarantees the legal and auditable recording of the data. From 2008 to 2012, the Physikalisch-Technische Bundesanstalt (German National Metrology Institute) together with industrial partners developed and tested INSIKA („INtegrierte SIcherheitslösung für messwertverarbeitende KAssensysteme“ meaning “integrated security solution for cash registers processing metered values”) based on a concept of the German fiscal authorities.

The INSIKA method can be used without patents, license costs and similar expenses or restrictions. INSIKA can be integrated easily into cash registers, taximeters and similar systems. It does not impede product improvements, which makes it innovation-friendly. It is particularly important that there are no design requirements for systems using INSIKA and thus no tedious and expensive certification procedures. However, INSIKA can only be applied reasonably where there is a legal basis allowing and guaranteeing its acceptance by the fiscal authorities.


History

The annual report 2003 of the BRH (Bundesrechnungshof, the German Federal Court of Auditors) referred to imminent tax shortfalls due to data manipulation in modern cash registers. In numerous cash registers, the stored data can be changed in any way without leaving the slightest trace. This urgently calls for a remedy. Therefore, two working groups of the BMF (Bundesministerium der Finanzen, Federal Ministry of Finance) developed a concept to protect the data generated by cash registers and taximeters. The PTB and several industrial partners developed the corresponding technical solution within the frame of the INSIKA project. The INSIKA project was significantly promoted by the Federal Ministry of Economics and Technology within the scope of the “MNPQ-Transfer” support program (promotion of SMEs in the implementation of innovations in the fields of metrology, standardization, testing and quality assurance).

The changes in legislation required to introduce the INSIKA system were part of a draft law presented in July 2008. The sections relevant for INSIKA, however, were withdrawn from the draft before the start of the legislative procedure.

The BMF issued a decree “Archiving of digital files for cash transactions” on November 26th, 2010. It withdraws facilitations for the filing of cash register data and requires the recording of individual transactions. It also demands unchangeable filing but without making precise requirements and without defining any technical and legal framework. The demands of the BRH have not been fulfilled by this decree.

Nonetheless, the INSIKA project was continued as planned. As early as 2008, working prototypes of the smart cards were available and were successfully tested in laboratory and field tests. The technology is currently used in two projects for the protection of taximeter data, after the INSIKA concept was adapted to the taxi environment in 2010. The INSIKA project was completed successfully in February 2012. Since then, the ADM e.V. (Anwendervereinigung Dezentrale Mess-Systeme, Distributed Measurement Systems Users Association) has supported and developed the INSIKA concept, especially the technical procedures that emerged from it.

Due to an initiative by several Bundesländer (federal states of Germany), the legal introduction of INSIKA has been back in the political debate since April 2014.

INSIKA in Detail

The system protects registered and saved data in a manner that makes manipulations reliably detectable. Even in the case of data loss, the most important totals can be restored. The overall concept and the interface specifications are fully published.

Digital signatures are one essential element of the solution. By means of digital signatures, data can be verified as to source (here: one particular cash register associated with one particular person) and integrity. The technology of digital signatures is well-established, very secure, and is utilized in numerous applications (e.g. in banking and finance or electronic tax declarations). In most application scenarios – and in this particular solution as well – smart cards are used to generate tamper-proof signatures.

INSIKA uses standard smart cards equipped with special software to make cash registers tamper-proof. The smart card can be connected to the cash register via an external reader or a reader integrated into the device (as is the case with mobile phones). The cash register’s software has to control the smart card and ensure the printing and storage of data. There is no need for additional modifications to the cash register. In most cases, existing cash registers can be upgraded.

Printed receipts and the corresponding electronic transactions are supplemented with a digital signature. This signature is generated by the smart card. The smart card uses an internal counter, providing a sequence number (a unique and consecutive number) for every transaction. Additionally, the smart card contains totalisers for backing up the total turnover. Thus, essential figures (monthly turnover, negative transactions, etc.) can be restored in case of data loss.

In the smart card the generation of a signature for a printout is coupled with the allocation of a new sequence number and the update of the totalisers. Therefore, the recording of data is guaranteed by the obligation to issue printed receipts with valid signatures.

Basically, only data that is already subject to storage obligations is recorded. The only new aspect is the provision of a cryptographic signature for each completed transaction.

Each data verification is based on the stored and signed transaction data. Any imaginable manipulation of cash register reports or master data is ineffective because the entire data set cannot be modified without being discovered. Even intentionally installed manipulation functions within the cash register cannot compromise the system, making any device certification procedure unnecessary.

Stored data can be verified automatically to a large extent, which is much more efficient than audits based on standard methods. The verification of printed receipts is based on the printout information only. There is no need to use saved transaction data. Hence, every printed receipt can be easily checked to see if it was generated by a cash register with a valid smart card. Any printed receipt without a signature or with a faulty signature clearly proves tampering. Conversely, taxpayers are able to prove the validity of their cash register’s data. The effort required of companies in tax audits is expected to be considerably reduced.

Technical Background of Digital Signatures

Suitable digital signatures for the outlined solution can be generated by asymmetric cryptography. In this case, the Elliptic Curve Digital Signature Algorithm (ECDSA) is used, allowing for a high security level with relatively short key and signature lengths.

A valid digital signature depends on a so-called private key. This key is kept inaccessible, i.e. it is usually stored on the smart card only. By the use of a so-called public key, the authenticity of a signature can be easily verified. Open access to the public key poses no security risk, as the private key cannot be derived from the public one. Therefore, the unauthorised generation of valid signatures is not possible.
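The following Go program is an added example, not code from the INSIKA project or the PTB, that models the mechanism described in the "INSIKA in Detail" section with the ECDSA signatures described here: a card object holding a private key that never leaves it, a transaction counter and a turnover totaliser that change only as a side effect of signing; receipt verification from the printed fields alone; and an audit routine that finds deleted or altered receipts in a stored log by checking signatures, sequence numbers and the totaliser. The receipt field layout, the length-prefixed hashing of fields, the P-256 curve, the card id and the sample transactions are all constructed assumptions; the real INSIKA interface specification is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Receipt is what gets printed: the signed fields plus the signature (field set is a constructed assumption).
type Receipt struct {
	CardID   string // identifies the card and thus the taxpayer it was issued to
	Seq      uint64 // sequence number allocated by the card
	AmountCt int64  // amount in cents; negative for cancellations and returns
	Text     string // line items as printed
	Sig      []byte // ECDSA signature, ASN.1 DER encoded
}

// Totals is the card's counter and turnover totaliser, as read out by an auditor.
type Totals struct {
	LastSeq  uint64
	Turnover int64 // net sum of all signed amounts in cents
}

// SmartCard models the INSIKA card: the private key never leaves it, and the
// counter and totaliser change only as a side effect of signing.
type SmartCard struct {
	id   string
	priv *ecdsa.PrivateKey
	Rep  Totals
}

func NewSmartCard(id string) (*SmartCard, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // curve choice is an assumption
	if err != nil {
		return nil, err
	}
	return &SmartCard{id: id, priv: priv}, nil
}

// PublicKey may be handed to anyone; the private key cannot be derived from it.
func (c *SmartCard) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// digest binds all printed fields; length prefixes keep field boundaries unambiguous.
func digest(cardID string, seq uint64, amountCt int64, text string) []byte {
	h := sha256.New()
	for _, f := range []string{cardID, fmt.Sprint(seq), fmt.Sprint(amountCt), text} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return h.Sum(nil)
}

// Sign couples the steps the card performs together: next sequence number,
// totaliser update, signature. A signed receipt cannot be obtained without all three.
func (c *SmartCard) Sign(amountCt int64, text string) (Receipt, error) {
	c.Rep.LastSeq++
	c.Rep.Turnover += amountCt
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, digest(c.id, c.Rep.LastSeq, amountCt, text))
	if err != nil {
		return Receipt{}, err
	}
	return Receipt{CardID: c.id, Seq: c.Rep.LastSeq, AmountCt: amountCt, Text: text, Sig: sig}, nil
}

// Verify checks one printed receipt from the printed data alone, with only the public key.
func Verify(pub *ecdsa.PublicKey, r Receipt) bool {
	return ecdsa.VerifyASN1(pub, digest(r.CardID, r.Seq, r.AmountCt, r.Text), r.Sig)
}

// Audit checks a stored log against the card: signatures must verify, sequence numbers must be
// consecutive and end at the card's counter (gaps mean deleted receipts), and the recomputed
// turnover must match the totaliser. An empty result means no findings.
func Audit(pub *ecdsa.PublicKey, log []Receipt, card Totals) (problems []string) {
	var turnover int64
	expect := uint64(1)
	for _, r := range log {
		if r.Seq != expect {
			problems = append(problems, fmt.Sprintf("gap: expected seq %d, found %d", expect, r.Seq))
		}
		expect = r.Seq + 1
		if !Verify(pub, r) {
			problems = append(problems, fmt.Sprintf("seq %d: invalid signature", r.Seq))
		}
		turnover += r.AmountCt
	}
	if expect != card.LastSeq+1 {
		problems = append(problems, fmt.Sprintf("log ends at seq %d, card counter is %d", expect-1, card.LastSeq))
	}
	if turnover != card.Turnover {
		problems = append(problems, fmt.Sprintf("recomputed turnover %d differs from totaliser %d", turnover, card.Turnover))
	}
	return problems
}

func main() {
	card, _ := NewSmartCard("CARD-EXAMPLE-0001") // constructed card id
	r1, _ := card.Sign(1250, "2x coffee")
	r2, _ := card.Sign(-1250, "cancellation")
	r3, _ := card.Sign(3990, "lunch menu")
	fmt.Println("complete log:", Audit(card.PublicKey(), []Receipt{r1, r2, r3}, card.Rep))
	fmt.Println("cancellation deleted:", Audit(card.PublicKey(), []Receipt{r1, r3}, card.Rep))
}
```

Running the program audits a three-receipt log twice: the complete log yields no findings, while the log with the cancellation removed is flagged both for the gap in sequence numbers and for the mismatch between the recomputed turnover and the card's totaliser. Altering the amount on a stored receipt changes the digest and so fails `Verify`, which is the check an auditor can run on a single paper receipt without any stored data.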

So-called certificates assure the correspondence of public and private keys and that the smart card has not been reported as stolen, etc. Certificates are composed of structured data that confirm the owner of the public key. Using certificates, system users are able to match a public key with an identity (e.g. a person, an organisation or an IT system). As a result, digital certificates allow for confidentiality, authenticity and integrity of data by assuring that public keys are applied correctly. The administration of certificates is accomplished using a so-called Public Key Infrastructure (PKI).