DocVal Server

Trustworthily Acquire a Customers Identity by Establishing Secure Communication Between the Trusted Document Validation Server (DocVal Server) and the eMRTD to Verify an ICAO Compliant Chip

The DocVal Server is able to read the data on the chip and to verify the authenticity and integrity of the data.

The Communication between the DocVal Server and the chip is end-to-end encrypted. The data captured from an eMRTD can be easily transmitted as JSON to subsequent applications and processed at the customer’s site.

DocVal Server links data on chip with KYC processes

The DocVal Server is a unique software application that reads, decrypts and validates embedded chip data in ICAO compliant eMRTDs. The software enables the secure and effortless identity verification and KYC programs for multiple use cases to achieve an advanced level of security and authentication.

We provide the DocVal Server as an effortless installable Docker image, that can be easily deployed as a Docker container on-premise in the customer environment. Docker environments can be flexibly scaled and made highly available so that KYC onboarding processes can be carried out securely and with short response times.

In order to meet the increasingly stringent data protection requirements, the DocVal server does not store any personal data and serves as a gateway between the chip on an eMRTD and the customer’s applications and KYC processes.

The DocVal Server is part of the MOBILE CHIP SDK and designed to be easily configured for multiple settings. In combination with the eMRTD Connector and the MRZ Scanner, we offer end-to-end solutions for the secure verification of identities.

The DocVal Server communicates with the eMRTD Connector and fulfills all relevant eMRTD Security Mechanisms

Clone Check

If the NFC Chip supports the Active Authentication Protocol or the Chip Authentication Protocol, the DocVal Server can verify that the chip was not cloned.

Files on eMRTD Chip

Card Access File

File is optional. The Card Access file must be present and contain public key info for the Access Control protocol PACE, if PACE is supported by the chip.

Document Security Object (SOD)

The SOD is a file on the Chip. The SOD is implemented as a SignedData Type. The content is signed by a document signing certificate which in turn is signed by the issuing country of the eMRTD.

The SOD contains a hash value for each Data Group present on the Chip. The Inspection System knows which Data Groups are present on the Chip after reading the SOD.

Mandatory Data Groups

Data Group 1

Contains the MRZ Info (as printed on the data page of the identity document).

Data Group 2

Contains one or more Face Info. At least one Face Info with a photo of the face is mandatory.

Protocols used by DocVal Server to access the eMRTD Chip

Access Control

The Inspection System uses an Access Key to access the Chip. An Access Key can be derived from MRZ (Machine Readable Zone) or from the CAN (Card Access Number). The CAN is optional and may be printed on the document.

For Access Control two protocols exist:

  • Basic Access Control (BAC)
  • Password Authenticated Connection Establishment (PACE)

BAC is deprecated and has been replaced by the newer PACE.

PACE employs asymmetric cryptography to provide higher session entropy keys and therefore a better encryption of the communication between Chip and Inspection System. The file CardAccess with public key info for PACE must be present on the chip.

After Access Control the communication between Inspection System and Chip is secured with a symmetric encryption.

Passive Authentication

With Passive Authentication, the integrity and authenticity of the data (like MRZ info, photo of face) is verified based on a list of trusted country certificates. The Document Validation Server implements the steps as they are described by ICAO in Doc9303.

Active Authentication (AA)

Verifies that the Chip is not cloned. The Active Authentication protocol is optional and may therefore not be supported by all eMRTDs.

Chip Authentication (CA)

Verifies that the Chip is not cloned and establishes new encryption keys (encryption-key, message-authentication-key) for the encrypted communication between Inspection System and Chip. CA has a similar purpose than AA but is the newer protocol that additionally strengthens the encryption for the communication between Inspection System and Chip.

The Chip Authentication protocol is optional and may therefore not be supported by all eMRTDs.

Integrating the DocVal Server into customer environments

Most organizations have set up powerful Docker environments in recent years, into which the DocVal Server Docker image can be easily deployed. Docker environments can be flexibly scaled and made highly available.

Connecting the DocVal Server with backend applications and KYC processes

The DocVal Server reads, decrypts and validates identity data from the integrated chip of ICAO compliant eMRTDs. The data captured from an eMRTD can be easily transmitted as JSON file to subsequent applications and processes.

Experience seamless identity document verification in an instant

Instantly verify passports, ID cards, driver’s licenses and other identity documents to attract more customers.

Smooth identity verification

The OVD Kinegram DocVal Server ensures a secure and seamless customer experience. It’s designed to make identity verification easy, fast, and fraud-proof, regardless of credential.

See how easy identity verification can be

Get more information about
secure identity verification


    First Name *

    Last Name *

    Company *


    E-Mail *

    Phone *

    Message *


    I agree that my data from the contact form will be collected and processed to answer my request. You can find more information in our privacy policy.