Biometrics in eB/eG and the Role of the Emerging BIAS Standard

Cathy Tilton – Chair, BIAS Integration TC; VP, Standards & Emerging Tech, Daon
Matt Swayze – Project Editor, BIAS (INCITS); Senior Solutions Architect, Daon
Questions to be answered
• How do newer technologies like biometrics fit into today's eB/eG & SOA environments?
• What standards support their use?
• How will the new Biometric Identity Assurance Services (BIAS) help?
Biometrics - Uses
Large Government
• Law enforcement: Forensics; Background checks
• Prisons: Inmates, visitors, guards
• Defense: Perimeter security, weapons systems, networks, red force identification
• Refugee handling
Civil
• Credentialing programs
• Border management: Pre-entry, Entry, Exit, Status Management/Benefits
• Transportation security
• Critical Infrastructure Protection
• Schools
Commercial
• Access Control: Physical access; Logical access; Employee credentialing
• Health Care: Med records (HIPAA); Patient ID; Pharmacy
• Finance: Teller sign-on; Transaction auditing; Virtual branch; Check cashing/POS
• Manufacturing: IP protection; Manuf. Control
• Events (e.g., Olympics)
Needs for eB/eG
2 Primary Needs:
• Generic Biometric Services
• Integrated Authentication Services
How biometrics work
• Enrollment: Present biometric -> Capture -> Process -> Store
• Verification: Present biometric -> Capture -> Process -> Compare -> Match / No Match
Generic requirements
• Manage biometric & associated biographic data for a given subject/population
• Perform biometric operations (e.g., searches) against a population(s)
Authentication requirements
• Perform biometric operations & utilize results within an authentication protocol
  • e.g., Integrate within SAML, WS-S, etc.
• Accommodate multiple authentication architectures (i.e., local, server based)
  • Use of biometric to release authentication token/assertion
  • Biometric verification server
Note: INCITS M1 Study on Biometrics in E-Authentication.
Registration/Enrollment
Subscriber --(Identity + Biometric)--> RA --(Est. Identity + biometric)--> CSP --(Credential)--> Subscriber
• Subscriber: Applies
• RA: Identity proofing; Enrolls biometric
• CSP: Registers biometric; Builds credential (binds identity to ref. biometric)
Authentication
Claimant --(Claimed identity + Live biometric)--> Verifier (with Biometric Authentication Server) --(Assertion)--> Relying Party --(Access)--> Claimant
• Claimant: Requests access
• Verifier: Verifies identity (through biometric matching)
• Relying Party: Checks authorization; Grants access
Process modification of SP800-63.
Plan of attack
• Define basic services (INCITS)
• Define first binding (OASIS)
• Future –
  • Define additional bindings (e.g., ebXML, fastweb, etc.)
  • Address use within authentication/security protocol
  • Extend base capabilities (e.g., notifications)
Standards
• BIAS
• Biometric standards (ANSI/INCITS & ISO): Data formats; CBEFF; BioAPI, BIP
• Justice: NIEM/GJXDM; EFTS/NIST
• Other standards: WS*; SOAP/HTTP
• Security: WSS, SAML; ISO/IEC 19092; ISO SC27 work; ACBio
• Biographics: ANSI/NIST, GJXDM; CIQ, HR-XML, UN/CEFACT
Biometric Identity Assurance Services (BIAS)
[Diagram: Biometric Applications <--?--> Biometric Resources (ANSI/NIST-ITL 1-2000/7; BioAPI/BIP; Other); the "?" marks the missing service layer between applications and resources]
• In reviewing the current biometric-related standards portfolio and service-oriented architecture (SOA) references, it became apparent that a gap existed in the availability of standards related to biometric services.
BIAS – Driving Requirements
• Provide ability to remotely invoke biometric operations across an SOA infrastructure, decoupling the service from the interface (and requester) that calls it.
• Provide business level operations, without constraining the application/business logic that implements those operations.
• Provide basic capabilities that can be used to construct higher level, aggregate/composite operations.
• Be as generic as possible – technology, framework, and application domain independent.
INCITS & OASIS Collaboration
• Development of the BIAS standard requires expertise in two distinct technology domains to ensure that the final specification provides the right structure, functionality, and technical details:
  • Biometrics, with standards leadership provided by INCITS M1
  • Service Architectures (initially focused on Web services), with standards leadership provided by OASIS
• Close collaboration between both standards organizations is required:
  • Existing standards are available in both domains and many of these standards will provide the foundation and underlying capabilities upon which the biometric services depend.
Goals
• BIAS will provide an open framework for deploying and invoking biometric-based identity assurance capabilities that can be readily accessed using services-based frameworks.
• BIAS will provide a generic set of biometric (and related) functions and associated data definitions to allow remote access to biometric services.
• BIAS will specify a set of patterns and bindings for the implementation of BIAS operations using Web services within service-oriented architectures.
BIAS System Context (INCITS M1)
• BIAS services are modular and independent operations which can be assembled in many different ways to support a variety of business processes.
• BIAS services may be implemented with differing technologies on multiple platforms.
• BIAS services can be publicly exposed directly and/or utilized indirectly in support of a service-provider’s own public services.
BIAS System Context (OASIS)
• Defines an XML messaging protocol to implement the “abstract” services specified in INCITS M1.
• Defines request, response, acknowledgement, notification, and fault messages (as applicable) for each of the “abstract” services.
BIAS Services
Subject
• Create/delete subject
• Add/remove subject from gallery
Biographics
• Set/list biographic data
• Update/delete biographic data
• Retrieve biographic data
Biometrics
• Set/list biometric data
• Update/delete biometric data
• Retrieve biometric data
Searching/processing
• Verify subject
• Identify subject
• Check quality
• Classify biometric data
• Perform fusion
• Transform biometric data
Aggregate services
• Enroll
• Identify
• Verify
• Retrieve information
Process flow – border mgmt example
Start -> Identify Subject -> Match Found?
• Yes (Known Subject): Save and Associate Encounter -> Set Biographic Data -> Set Biometric Data -> Finish
• No (Create New Subject): Create Subject -> Set Biographic Data -> Set Biometric Data -> Add Subject To Gallery -> Finish
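The border-management flow above, composed from the abstract services listed on the BIAS Services slide, as an added example that is not part of the presentation or of the INCITS/OASIS specification. `BiasProvider`, `process_encounter` and the bit-similarity matcher are assumptions for illustration only; the service names follow the slides, the signatures do not come from the standard.

```python
MATCH_THRESHOLD = 0.90  # constructed: fraction of equal bits required for Identify to report a match

def similarity(a, b):
    """Constructed toy matcher: fraction of equal bits in two equal-length templates."""
    if len(a) != len(b) or not a:
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1 - differing / (8 * len(a))

class BiasProvider:
    """In-memory stand-in (assumption) for the BIAS subject, biographic, biometric and gallery services."""
    def __init__(self):
        self.subjects, self.gallery, self._next = {}, set(), 0
    def create_subject(self):
        self._next += 1
        sid = f"S{self._next:04d}"
        self.subjects[sid] = {"biographic": {}, "biometric": b"", "encounters": []}
        return sid
    def set_biographic_data(self, sid, data):
        self.subjects[sid]["biographic"].update(data)
    def set_biometric_data(self, sid, template):
        self.subjects[sid]["biometric"] = template
    def add_subject_to_gallery(self, sid):
        self.gallery.add(sid)
    def identify_subject(self, probe):
        """1:N search over the gallery only; best subject id at/above threshold, else None."""
        best, best_score = None, 0.0
        for sid in sorted(self.gallery):
            score = similarity(probe, self.subjects[sid]["biometric"])
            if score >= MATCH_THRESHOLD and score > best_score:
                best, best_score = sid, score
        return best

def process_encounter(bias, probe, biographic):
    """The slide's border-management flow; returns (subject_id, created_new_subject)."""
    sid = bias.identify_subject(probe)                  # Identify Subject -> Match Found?
    if sid is None:                                     # No: Create New Subject branch
        sid = bias.create_subject()
        bias.set_biographic_data(sid, biographic)
        bias.set_biometric_data(sid, probe)
        bias.add_subject_to_gallery(sid)
        return sid, True
    bias.subjects[sid]["encounters"].append(dict(biographic))  # Yes: Save and Associate Encounter
    bias.set_biographic_data(sid, biographic)
    bias.set_biometric_data(sid, probe)
    return sid, False
```

Note that Identify searches only subjects that were explicitly added to the gallery, which is why the "Add Subject To Gallery" step is the one that makes a record findable on later encounters.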
Example eG use case
• Registered Traveler Program
  • RT is a trusted passenger program to expedite and enhance security screening of passenger participants
  • Travelers must apply to enroll in the program via a service provider, which collects biographic and biometric information as part of the application process
  • The TSA conducts a Security Threat Assessment on all applicants
  • If approved, a traveler is issued an RT card containing authentication information
  • In operational use, a cardholder is verified to ensure legitimacy using fingerprint or iris biometrics
RT – Functional Flow
• The Enrollment Provider collects biographic and biometric information from an RT Applicant and transmits it to the CIMS (Steps 1 and 2).
• The CIMS formats and transmits the data to the TSA (Step 3).
• The TSA conducts a Security Threat Assessment at application and re-vets on a perpetual basis (Step 4) and transmits an approved or not approved finding back to the CIMS (Step 5).
• The CIMS informs the Enrollment Provider of acceptance or non-acceptance (Step 6), and the Enrollment Provider informs the RT Applicant and issues a card with the authentication payload created at the CIMS if he or she is approved (Step 7).
• When an RT Participant travels through a participating airport, they use the RT card at an RT verification station which confirms the individual’s current status in the RT program (Step 8).
Applying BIAS to RT – Step 1
• Pre-Enrollment
  • Each traveler applying for an RT card may, if supported by the Enrollment Provider, pre-enroll
  • This involves accessing a web-site and entering biographic data. This data is stored for the applicant.
• BIAS Services
  • Create Subject
  • Add Biographic Data
Applying BIAS to RT – Step 2
• Enrollment
  • Complete the enrollment process by reviewing biographic information supplied at pre-enrollment and collecting biometric information
• BIAS Services
  • (EP internal) Retrieve Biographic Data
  • (EP internal) Update Biographic Data (if any edits to biographic information)
  • (EP internal) Set Biometric Data
  • (CIMS interface) Enroll
Applying BIAS to RT – Steps 3-6
• Registration, Vetting Coordination, and Card Payload Generation
  • Submit a request to TSA for a Security Threat Assessment
• BIAS Services
  • (CIMS internal) Create Subject
  • (CIMS internal) Set Biometric Data
  • (TSA interface) Identify
  • (CIMS internal) Add Subject to Gallery
Applying BIAS to RT – Step 7
• Create Card
  • If all enrollment processing completes with no adverse information, resulting in an “approval” decision, then the RT card may be issued
• BIAS Services
  • (EP internal) Add Subject to Gallery
Applying BIAS to RT – Step 8
• Verification
  • The traveler’s biometric is captured and compared against the biometric information stored on the card
• BIAS Services
  • (EP internal) Verify Subject
Example eB use case – Online Banking
• Overview:
  • An individual has an existing bank account at XYZ Bank and would like to access this account information and perform transactions.
  • In lieu of a password, the bank has configured their online banking web application to use biometric verification.
  • The account holder uses a home PC with a biometric device (e.g., an iris camera) installed.
• Two situations described:
  • Enrollment: associate biometric information with the account
  • Account Access: access the account using a biometric as the method of verification
Note: This example could also be structured using biometrics as a front-end to a traditional authentication protocol.
Online Banking – Enrollment
Message flow between Account Holder and XYZ Bank:
(1) One-time biometric enrollment password (issued by the bank to the account holder)
(2) Verify password and initiate biometric enrollment
(3a) Capture biometric information
(3b) Perform local 1:1 verification
(4) Submit biometric information [Set Biometric Data]
• The bank has issued the individual a one-time password to allow the account holder to enroll biometric information into the system.
• The individual accesses the online banking site and selects ‘biometric enrollment’. The individual enters the account number and one-time password to access this function. Once verified, the enrollment application is initiated.
• The individual follows the steps to capture biometric data and to perform a local 1:1 match against that data to ensure it will be matchable.
• Once suitable data is acquired, it is submitted to the bank as an enrollment [Set Biometric Data].
Online Banking – Account Access
Message flow between Account Holder and XYZ Bank:
(1) Access online banking system
(2) Capture biometric information
(3) Submit biometric information [Verify Subject]
• The account holder accesses the online banking site and enters the account number. At this point, the individual is challenged to present a biometric (e.g., capture iris data).
• The individual interacts with the device to capture the biometric data.
• The biometric data is transmitted to the bank for verification [Verify Subject]. If the verification is successful, the bank will provide access to the transaction screens for the individual's account.
Status
• INCITS project 1823-D, BIAS
  • Essentially complete
  • Expected to go to public review in April timeframe
  • Latest draft (Rev 4): http://www.incits.org/tc_home/m1htm/2006docs/m1061071.pdf
• OASIS document: BIAS Messaging Protocol
  • Working draft – WSDL complete, gaps in other areas
  • Latest draft (Ed draft 0.8): http://www.oasis-open.org/committees/download.php/22543/bias-1%200-biasmp-ed-08.pdf
  • WSDL: http://www.oasis-open.org/committees/download.php/22544/bias.wsdl
  • Goal: Ready for review by Fall 2007