Академический Документы
Профессиональный Документы
Культура Документы
Tutorial
Catherine J. Tilton
VP, Standards & Emerging Technologies, Daon
Chair, BioAPI Consortium
US HOD to ISO/IEC JTC1 SC37
11955 Freedom Drive, Suite 16000
Reston, VA 20190
703-984-4080
(fax) 703-984-4099
cathy.tilton@daon.com
1
Agenda
• Introduction
• Standards activities
• Data/interchange standards
• API standards
• Security standards
• Smartcard standards
• Other standards
• Adoption & Conformance
path to:
on the
Step
Flexibility Optimization
Standard Proprietary
- Lowers complexity of the - Product optimization
Advantages
13
Standards acceleration
NIST Workshop:
• Industry rejects the notion of a standard
fingerprint minutiae template
• CBEFF project initiated to standardize
“package” instead
Published
18 20
Final draft
5 9
Draft*
13 19
New
projects/proposals 2 2
As of Oct07 *Includes amendments but not revisions
International
National
Informal
BioAPI
Consortium
ILO
TC 68
Banking, ISO/IEC JTC 1
Securities and Information Technology OASIS
Other Financial BioAPI
Services Consortium
VoiceXML
SC 17 Forum
SC 27 SC 37
Cards & IT Security
Personal Biometrics Open Group
Identification Techniques
US National ANSI
INCITS M1
represents the
X9 U.S. in JTC 1
NIST/ITL INCITS SC 37
(US TAG ISO TC 68)
(ANSI/NIST ITL-1-
2007)
X9F B10
Identification CS1 M1
Data &
Information Cards & Related Cyber Security Biometrics
Security Devices
29 October 2007 Biometric Summit
© Daon 19
Standards Terminology/Process (ISO)
TC – Technical Committee (industry)
• SC – Subcommittee (segment)
» WG – Working Group (project)
http://www.incits.org/tc_home/m1.htm
M1.2 Technical Interfaces
Groups
Ad Hoc
Groups AHGBISGF AHGEMS AHGSQ AHGBEA
P-Members O-Members
• Austria • Indonesia
• Australia • Netherlands
• Denmark • Poland
• Canada • New Zealand
• Hungary • Switzerland
• China • Norway
• Czech Rep. • Portugal
• Finland • Russia
• France • Singapore 15 Liaisons
• Germany • South Africa
• Ireland • Spain
• Israel • Sweden
17 25/6
• Italy • Ukraine
• Japan • UK
• Korea, Rep. • US
• Malaysia
DL/ID BioAPI
AAMVA
AAMVA B10
B10 X9.84 BC
BC v1.1
CBEFF
JTC1
JTC1 TC68
TC68 X9.84 M1
M1
SC17
SC17 SC2
SC2 Revision
BIAS
US TAG
JTC1
JTC1 Liaison JTC1
JTC1 OASIS
OASIS
SC27
SC27 Agreements SC37
SC37
ITU-T
ITU-T
Source: J. Stapleton, Innove
29 October 2007 Biometric Summit
© Daon 27
Data/Interchange Standards
28
Common Biometric Exchange Formats Framework
(CBEFF)
• Features
o Facilitates biometric data interchange between different
systems or components
o Promotes interoperability of biometric-based applications
o Provides forward compatibility for technology improvements
o Simplifies the software and hardware integration process
Jan 2001
NISTIR 6529
Apr 2004
NISTIR 6529-A
Feb 2005
ANSI INCITS 398-2005
May 2006
ISO/IEC 19785-1
Standard
Biometric • Defines Basic Fields used by Biometric Data
– Useful Biometric Processing Info
Header
– Biometric Data
– Security
• Doesn’t constrain the encoding of data
• Registration of biometric data via IBIA
• Allows for new adaptations
• CBEFF compliance can be met by “Patrons and
Clients” model
Security
Block
Places
Data Into
Client’s
Data
Company Format Standard Format Future Format
A’s Owner Body B’s Owner Biometric Owner
Biometric & Biometric & Package &
Data (BDB) Format Type Data (BDB) Format Type (BDB) Format Type
• NIST: 0x000F
– Allows for
multiple data Standard Bio Header Type=Finger
types/objects
within a single
data structure Standard Bio Header Data
Signature
9.0%
8.0%
7.0%
6.0%
FNMR at 0.1% FMR
5.0%
Proprietary
PR Native
4.0% PR Interop
RR Native
RR Interop
3.0%
2.0%
1.0%
0.0%
ARCS1 ARCS2 Sagem Motorola Cogent
Database
• Goals
– Vendor independence
– Extensibility
– Small dataset size
• Proposed interchange format
– Hand silhouette (not image)
– Compressed x,y data
• Content
– Data conventions
• Bit/byte ordering, compression
– Acquisition requirements
• Orientation, aspect ratio, presentation
– Data format
• Record header, silhouette data, extended data
– Best practices
• Supports full hand or <5 fingers
Now Capture
Enroll Process
(Standard
Formats) Match
Capture Match
Process
Capture Process
Match
29 October 2007 Biometric Summit
© Daon 66
Other Fingerprint Standards
• Data Format for the Interchange of Fingerprint, Facial, & Other
Biometric Information (ANSI/NIST-ITL 1-2007)
– Image: 500 dpi, 8-bit grayscale
– Template: minutiae location (X, Y, theta)
• FBI WSQ standard for fingerprint image compression/decompression
(nominal 15:1)
– IAFIS-IC-0010(V3)
• FBI Electronic Fingerprint Transmission Specification (EFTS), Ver 7.1
– IAFIS-DOC-01078-7 0
– http://www.biometrics.org/REPORTS/FBIfp.html 8.
t
BTS raf
– http://www.fbi.gov/hq/cjisd/iafis/efts71/cover.htm E d
I n
• FBI Appendix F & G (of EFTS)
– Fingerprint image quality specification (IQS)
– Originally written for scanning of inked prints on paper
– Specifies linearity, S/N, modulation, etc.
• AAMVA DL/ID 2000
– Drafted as B10.8, but not published
– Includes finger imaging, minutiae record, facial photo, signature, and compression
29 October 2007 Biometric Summit
© Daon 67
NIST ITL1-2007 Record Types
Logical Record ID Logical Record Contents Type of Data
1 Transaction Information ASCII
2 Descriptive Text (user defined) ASCII
3 Fingerprint Image Record (Low Res Grayscale) binary
4 Fingerprint Image Record (High Res Grayscale) binary
5 Fingerprint Image Record (Low Res Binary) binary
6 Fingerprint Image Record (High Res Binary) binary
www.niem.gov
EFTS
DOC 9303
ICAO SELECTED
1
Face Image as the global biometric
ENSURE GLOBAL INTEROPERABILITY
OF IDENTITY CONFIRMATION
ICAO SELECTED
2 Contactless ICC, ISO 14443, >=32K
EXPAND DATA STORAGE
CAPACITY BEYOND OCR-B
ICAO DEVELOPED
3
Logical Data Structure (LDS)
ENSURE GLOBAL INTEROPERABILITY
OF DATA INTERPRETATION
ICAO DEVELOPED
4
Scheme based on PKI principles
PROTECT DATA RECORDED
IN ELECTRONIC DATA TECHNOLOGY
80
API Standards
• Application Program Interface
– Defined way for a software application to communicate (request
services and receive responses) with a technology/service module
– Example: Microsoft Crypto API (CAPI)
– Usually composed of a set of function calls with data/control
parameters and defined data structures
– Generally provided with any SDK
• Biometric APIs
– An API standard defines a common method of interfacing to a particular
technology
– A biometric API standard defines a generic way of interfacing to a
broad range of biometric technologies
API API
BioAPI Framework
Device Device
Device Device 1 N
Evolution
ANSI
BioAPI BioAPI ISO/IEC
HA-API INCITS
1.0 1.1 19784-1
358
Biometric Operations
…
Y
SPI SPI SPI
BSP BSP BSP
Devices
Enroll (h,purpose,template,…)
GUI
Template
c f
Application
BioAPI Database
Bitmap/
Responses
stream
d BSP
Capture CreateTemplate
raw e
This function captures biometric data from the attached device for the purpose of creating a
ProcessedBIR for the purpose of enrollment.
Errors
BioAPIERR_USER_CANCELLED
BioAPIERR_UNABLE_TO_CAPTURE
BioAPIERR_INVALID_BIR_HANDLE
BioAPIERR_TOO_MANY_HANDLES
BioAPIERR_UNABLE_TO_STORE_PAYLOAD
BioAPIERR_TIMEOUT_EXPIRED
BioAPIERR_PURPOSE_NOT_SUPPORTED
BioAPIERR_UNSUPPORTED_FORMAT
BioAPIERR_RECORD_NOT_FOUND
BioAPIERR_QUALITY_ERROR
BioAPIERR_UNIT_IN_USE
See also the BioAPI Error Handling (clause 11)
BioAPI
Bitmap/
Responses “stored”
stream
e BSP
Capture Process Match Compare “live” v “stored”
“live” f g
Result = probability that user matches template
This function captures biometric data from the attached device (sensor unit), and compares it against the
Reference Template.
The application shall request a maximum FMR value criterion (threshold) for a successful match. The Boolean
Result indicates whether verification was successful or not, and the FMRAchieved is a FMR value (score)
indicating how closely the BIRs actually matched.
BioAPI
Bitmap/ many “stored”
Responses
stream
e BSP
Capture Process Match Compare “live” v all “stored”
“live” f g
Results = most likely candidates with probabilities
This function captures biometric data from the attached device (sensor unit), and compares it against a set of
reference BIRs (the Population).
The population that the match takes place against can be presented in one of two ways: a) in a BIR database
identified by an open database handle, or b) input in an array of BIRs.
The application shall request a maximum FMR value criterion for a successful match.
FF
• Biometric Identification Record (BIR) CBE ron
– Record containing biometric data Pat at
or m
– Template: BIR used for Enrollment
F
• Header is subject of joint standardization efforts
– BioAPI Consortium, CBEFF, ANSI X9.F4
• Biometric data is “opaque” to application
– Formats are registered with IBIA (www.ibia.org)
• May be standardized or proprietary
– May contain 1 or more samples in various states of processing
c f g i
e
Capture (h, verify..) Process Process VerifyMatch
Intermediate Intermediate Intermediate Template Result
GUI or Processed
BIR
or Processed
BIR
BIR +
Processed BIR
j
BioAPI BioAPI
Bitmap/ Responses
stream
BSP BSP
Capture Process Process Match
Client Server
29 October 2007 Biometric Summit
© Daon 103
BIP – BioAPI Interworking Protocol
• The BioAPI Interworking Protocol (ISO/IEC 24708)
specifies BioAPI framework-to-framework
communications
• BIP enables a BioAPI 2.x application running on a PC to
use a BSP running on a different PC to perform:
– Remote capture
– Remote verification
– Remote identification
– Remote enrollment, etc.
• The BIP messaging protocol is defined by using BioAPI
as a foundation – most BIP request/response messages
correspond to specific BioAPI functions
• BIP allows for multiple transport protocol bindings (e.g.,
SOAP over HTTP)
29 October 2007 Biometric Summit
© Daon 104
BIP Model (basic)
client system
local remote
component component
registry registry
local BSP remote BSP
biometric template
sensor database
Application
Module
Registry
Technology
“wrapper”
Module
- Function translation - User interface
- Data translation/packaging - Error handling/timeouts
- Score mapping - Data caching/handle mgmt
SDK
- Biometric operations - Algorithms
- Capture - Device interface/control
- Processing - Countermeasures
- Matching
Device driver
Device
Application
BAPI - Level 3
(High-Level)
BAPI - Level 2
(Mid-Level)
BAPI - Level 1
(Low-Level) BAPI
BAPI Device Manager (BD Manager) HAL
Common
Services
Biometric Device Module (BDM)
Port
Driver
Biometric Device
120
Accredited
ANSI Sub-Committee X9F4 Standards
Committee
• X9 - Financial Services
– X9F - Information & Data Security
• X9F4 - Cryptographic Applications
– X9.84 - Biometric Info. Mgmt. & Security (2003)
• X9.84 Scope
– Security of biometric data across its life cycle
– Management of the biometric data across its life cycle
– Usage of biometric technology for verification and identification banking
customers and employees
– Application of biometric technology for physical and logical access controls
– Encapsulation of biometric data
– Techniques for securely transmitting and storing biometric data
– Security of the physical hardware used throughout the biometric life cycle
• Status
– ISO version: ISO 19092-1 (Security Framework)
– Part 2 on hold: CD 19092-2 (Message Syntax & Crypto)
Data Matching
Collection
Transmission
Storage Decision
Signal Processing
Symbol represents the signal processing
Signal
Processing
component, also called feature extraction, which
may be hardware, software, or firmware.
Inputs: biometric data / objects
Outputs: biometric data / objects
† ANSI standard X9.84 Biometric Information Management and Security
Decision
Data Storage
Collection Signal
Processing
Identification Matching
Score
adaptation
Application
Application Decision
Yes/No
1 This requirement is changed in 19092. * Source: X9.84 Biometric Information Management and Security
Candidate List
Application
Application Decision
Verified
Identity
Score A
C Application
Application Decision B
Yes/No adaptation
X9.84-2001
– Abstract Syntax Notation One (ASN.1) objects
– Object Identifiers: 1,3,133,16,840,9,84,nn…
X9.84-2003
– ASN.1 ⇔ XML (Oasis XCBF)
– Add multiple biometric objects
– Update biometric hardware requirements
Biometric
Biometric
Header
Header
NIST/ITL
CBEFF
Version
Record Type
INCITS 358
Data Type
Purpose
BioAPI
Quality
Validity Period
Format
Biometric Data
No protection of Biometric Data –
string of binary octets
Biometric
Biometric
Biometric Object is a sequence of Header & Data
Object
Object
Integrity:
• Biometric Header
Biometric
Biometric • Biometric Data
Header
Header
Mechanisms:
Biometric Data • Digital Signature
• MAC
Integrity Block is a choice of one of four X9.73 CMS options:
Integrity
Integrity or or
Signed
Signed Authenticated
or Authenticated
= Signature
Signature MAC
MAC
Block
Block Data
Data Data
Data
Privacy
Privacy
Privacy Object is a sequence of
Object
Object Biometric Header & Privacy Block
Biometric
Biometric
OPTIONAL – cleartext Biometric Header
Header
Header
Privacy Block is a choice of one of four X9.73 CMS options:
Privacy
Privacy or or Established
Established
= Fixed
Fixed Key
Key Named
Named Key
Key
Block
Block Key
Key
Biometric
Biometric Header
Header
Ciphertext consists of Biometric Header &
Biometric Data
Biometric Data
Biometric
Biometric
OPTIONAL – cleartext Biometric Header
Header
Header
Integrity:
Privacy
Privacy Biometric
Biometric
Block
Block Object
Object
• Biometric Header
• Biometric Data
Integrity
Integrity Mechanisms:
Block
Block Biometric
Biometric Header
Header • Digital Signature
• MAC
Biometric Data
Application
Biometric
Biometric Object
Validation
Control
X9.84 Biometric Security
Objectives
BIR
BioAPI Framework
CBEFF
Cryptographic Biometric
Service Service
Provider Provider
148
ISO 7816-11
• ISO/IEC 7816 consists of the following parts, under the general
title Information technology — Identification cards - Integrated
circuit(s) cards with contacts:
’82’ 2 Patron header version number (default ‘xx01’), where xx is a Mandatory, if absent, the default value applies
patron identifier.
‘83’ 1-3 Biometric type Optional
‘84’ 1 Biometric subtype Optional, used only together with biometric type
‘85’ 1 Record data type N/A
‘86’ 1 Record purpose (verification) N/A
‘87’ 1 Record data quality N/A
‘88’ 7 Creation date and time of biometric reference data Optional
(CCYYMMDDhhmmss)
‘89’ 8 Validity period (from CCYYMMDD, to CCYYMMDD) Optional
‘8A’ 2 Identifier of product (PID) that created the biometric Optional
reference data, value assigned by IBIA, see www.ibia.org
‘8B’ 2 Format owner of the biometric reference data, value Mandatory
assigned by IBIA, see www.ibia.org
‘8C’ 2 Format type of biometric reference data, specified by format Mandatory
owner
‘90’ var. Index, unique identifier for the biometric reference data (see Optional
note 6)
‘91’ / var. Biometric matching algorithm parameters (primitive / Optional
’B1’ constructed), see note 5
29 October 2007 Biometric Summit
© Daon 151
Other smartcard standards
• ISO/IEC 7810
– Identification cards – Physical characteristics
• ISO/IEC 14443 A/B
– Identification cards – Contactless integrated circuit(s) cards
– Proximity cards
• ISO/IEC 15693
– Identification cards – Contactless integrated circuit(s) cards
– Vicinity cards
• In progress / being proposed
– SC17 On-Card matching project
PC/SC
driver
7816-11
http://csrc.nist.gov/piv-project/index.html
Ten-print
INCITS 378 Generator PIV Card
Fingerprint
(Sec. 3.3) Store (800-73)
Acquisition
(Table 1)
Pass
ANSI-NIST FBI
Fingerprint Type 4 or Type 14
Transmit
Background Check
Images Generator
(Sec. 3.5)
Pre-PIV Practice
163
Application Profiles
• Many standards contain “options”
– Leads to interoperability problems
• Within a particular application/domain, these options can be
narrowed
– Further constrain the implementation space
– Identify which options shall always/never be used
– Specify valid values/range of values
– When certain options/values should be used
– Common interpretations of ambiguous requirements
– Any domain specific extensions
• Examples:
• Common Criteria
– Biometric Protection Profiles
• Information assurance for biometric products
• Drafts in UK and US
– Biometric Evaluation Methodology (BEM)
• Testing
– Performance Testing Best Practices
• UK Biometrics Working Group
Cross-jurisdictional/societal – 24714
• Path 1: IT Product
Developer self IT Product 1
Developers consumers
declaration of conformity
• Path 2: Second Party 2
2 3 4
Testing
User3
• Path 3: Conformance Testing Lab 3 Validated
4 Products
demonstrated by
Accredited Validation/ Lists/
evaluation in accredited Testing Labs Certification Certificates
Laboratory 4 Bodies 4
laboratory
Accreditation
• Path 4: Conformance Bodies
demonstrated by
evaluation and One standard, one test report, accepted everywhere
validation/certification Source: NIST & BAH