Introduction to Biometrics. Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #21 Biometrics Standards - I November 7, 2005. Outline. Why Standards? NIST Standards DoD Biometrics International Biometric Group Directions Reference: Chapter 17
Introduction to Biometrics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #21 Biometrics Standards - I November 7, 2005
Outline • Why Standards? • NIST Standards • DoD Biometrics • International Biometric Group • Directions • Reference: • Chapter 17 • http://www.itl.nist.gov/div893/biometrics/standards.html • http://www.biometrics.dod.mil/SiteComponents/References.aspx • http://www.biometricgroup.com/reports/rpt_standards.html
Why Standards? • Communication Methods between biometric devices and systems • Feature extraction methods • Data comparison methods • Content and length of biometric template • Storage and retrieval of biometric data
Biometrics Standards: Overview • An indication of the current substantial growth and interest in biometrics is the emergence of biometrics industry standards and related activities. • Standards have become strategic business issues. • For any given technology, industry standards assure the availability of multiple sources for comparable products and of competitive products in the marketplace. • Standards will support the expansion of the marketplace for biometrics.
Biometrics Standards: Overview • After the tragic events of September 11, there is an increased emphasis on biometrics standards. • ITL (Information Technology Laboratory) of NIST (National Institute of Standards and Technology) is developing standards to help end-users and the industry in accelerating the deployment of needed, standards-based security solutions in response to Critical Infrastructure protection and Homeland Defense/Security requirements. • ITL is accelerating the development of biometric standards (e.g., technology-independent interoperability and data interchange) in collaboration with Federal Agencies, other end-users, biometric vendors and the IT industry.
INCITS Biometric Technical Committee: M1 • Technical Committee M1, Biometrics, has been established by the Executive Board of the International Committee for Information Technology Standards (INCITS) to ensure a high priority, focused, and comprehensive approach in the United States for the rapid development and approval of formal national and international generic biometric standards. • Critical generic biometric standards include common file formats and application program interfaces. • The M1 Document Register provides information on the current M1 activities, presentations given during the first M1 meeting (January 16-17, 2002) and a summary of the resolutions taken at the meeting or by letter ballots. • M1 has forty-two members from private industry, government agencies and academia. A first meeting Convener's report is available in the M1 Document Register.
INCITS Biometric Technical Committee: M1 • M1 Ad-Hoc Group: Ad-Hoc Group on Evaluating Multi-Biometric Systems (AHGEMS), is responsible for a Study Project on the concepts of operation and methods of performance evaluation for multi-biometric systems. • M1 has created five new Task Groups to handle increased activity in biometrics. • M1.2, the Task Group on Biometric Technical Interfaces, covers the standardization of all necessary interfaces and interactions between biometric components and sub-systems, including the possible use of security mechanisms to protect stored data and data transferred between systems. • M1.2 will also consider the need for a reference model for the architecture and operation of biometric systems in order to identify the standards that are needed to support multi-vendor systems and their applications.
INCITS Biometric Technical Committee: M1 • M1.3, the Task Group on Biometric Data Interchange Formats, focuses on the standardization of the content, meaning and representation of biometric data interchange formats. • Currently, assigned projects are: • Finger Pattern Based Interchange Format, • Finger Minutiae Format for Data Interchange, • Face Recognition Format for Data Interchange, • Iris Interchange Format, • Finger Image Based Interchange Format, • Signature/Sign Image Based Interchange Format, and • Hand Geometry Interchange Format.
INCITS Biometric Technical Committee: M1 • M1.3 Ad-Hoc Group: Ad Hoc Group on Data Quality, is addressing means of quality and ways of expressing and interpreting the quality of a biometric sample. • M1.4, the Task Group on Biometric Profiles, covers the standardization of Application Profile projects. • Currently, assigned projects are: • Application Profile for Interoperability and Data Interchange - Biometric Based Verification and Identification of Transportation Workers, • Application Profile for Interoperability, Data Interchange and Data Integrity - Biometric Based Personal Identification for Border Management, • Application Profile for Point-of-Sale Biometric Verification/Identification
INCITS Biometric Technical Committee: M1 • M1.4 Ad-Hoc Group: M1.4 Ad Hoc Group on Biometrics and E-Authentication (AHGBEA), is responsible for developing a technical report describing suitability of biometric architectures, security requirements and recommendations for the use of biometrics for e-authentication. • AHGBEA is also responsible for examining biometrics and security issues related to the topics addressed in the Ad-Hoc Group's Terms of Reference. • M1.5, the Task Group on Biometric Performance Testing and Reporting, handles the standardization of biometric performance metric definitions and calculations, approaches to test performance and requirements for reporting the results of these tests.
INCITS Biometric Technical Committee: M1 • M1.6, the Task Group on Cross Jurisdictional and Societal Issues addresses study and standardization of technical solutions to societal aspects of biometric implementations. • Excluded from the TG's scope is the specification of policies, the limitation of usage, or imposition of non-technical requirements on the implementations of biometric technologies, applications, or systems. • M1.6 is responsible for US technical contributions to JTC1 SC 37 WG 6 on Cross-Jurisdictional and Societal Issues.
Common Biometric Exchange File Format (CBEFF) • CBEFF describes a set of data elements necessary to support biometric technologies in a common way independently of the application and the domain of use (e.g., mobile devices, smart cards, protection of digital data, biometric data storage). • CBEFF facilitates biometric data interchange between different system components or between systems, promotes interoperability of biometric-based application programs and systems, provides forward compatibility for technology improvements, and simplifies the software and hardware integration process. • CBEFF is being augmented under the NIST/BC Biometric Interoperability, Performance and Assurance Working Group to incorporate a compliant smart card format, Product ID, and a CBEFF nested structure definition.
Biometric Interoperability Performance Assurance Working Group • NIST and the Biometric Consortium have established this Working Group to support advancement of technically efficient and compatible biometric technology solutions. • The Working Group has the following Task Groups/Technical Development Teams: • Testing Ad-Hoc Group – basic testing methodology • Assurance Ad-Hoc Group – biometrics assurance issues, review of protection profiles • CBEFF Technical Development Team – augmented CBEFF under development (e.g., compliant smart card format, Product ID, nested structure) • Biometric Template Protection & Integrity Task Group (e.g., risk of re-insertion, template transformations) • Biometric Security Task Force (e.g., vulnerability of biometric data to different attacks, non-repudiation)
BioAPI • This specification defines the Application Programming Interface and Service Provider Interface for a standard biometric technology interface. • BioAPI V1.1 defines an open system standard API that allows software applications to communicate with a broad range of biometric technologies in a common way. • As an “open systems” specification, the BioAPI is intended for use across a broad spectrum of computing environments to ensure cross-platform support. • BioAPI V1.1 was developed by the BioAPI Consortium and specifies standard functions and a biometric data format which is an instantiation of CBEFF.
Human Recognition Services Module (HRS) of the Open Group's Common Data Security Architecture (CDSA) • HRS is an extension of the Open Group’s Common Data Security Architecture. • CDSA is a set of layered security services and a cryptographic framework that provides the infrastructure for creating cross-platform, interoperable, security-enabled applications for client-server environments. • The CDSA solutions cover all the essential components of security capability, to secure electronic commerce and other business applications with services that provide facilities for cryptography, certificate management, trust policy management, and key recovery. • The biometric component of the CDSA’s HRS is used in conjunction with other security modules (i.e., cryptographic, digital certificates, and data libraries) and is compatible with the BioAPI specification and CBEFF.
Biometrics Management and Security for the Financial Services Industry • American National Standards Institute (ANSI) X9.F4 Working Group specifies the minimum security requirements for effective management of biometrics data for the financial services industry and the security for the collection, distribution and processing of biometrics data • It specifies: • (1) the security of the physical hardware used throughout the biometric life cycle; • (2) the management of the biometric data across its life cycle; • (3) the utilization of biometric technology for verification/identification of banking customers and employees; • (4) the application of biometric technology for physical and logical access controls • (5) the encapsulation of biometric data; and • (6) techniques for securely transmitting/storing biometric data.
Fingerprint Standard • This ANSI standard specifies a common format to be used to exchange fingerprint, facial, scar, mark and tattoo identification data effectively across jurisdictional lines or between dissimilar systems made by different manufacturers. • All Federal, state and local law enforcement data is transmitted using the ANSI-NIST standard. • This standard is a key component in allowing interoperability in the justice community.
Fingerprint Minutiae Format/National Standards for the Driver License/Identification Card • American Association for Motor Vehicle Administration (AAMVA) Driver’s License and Identification (DL/ID) Standard provides a uniform means to identify issuers and holders of driver license cards within the U.S. and Canada. • It specifies identification information on drivers’ license and ID card applications. • For Bar codes, integrated circuit cards, and optical memory, the AAMVA standard employs international standard application coding to make additional applications possible on the same card. • The standard specifies minimum requirements for presenting human-readable identification information including the format and data content of identification in the magnetic stripe, the bar code, integrated circuit cards, optical memories, and digital imaging. • It also specifies a format for fingerprint minutiae data that would be readable across state and province boundaries for drivers’ licenses. • Compatible with the BioAPI specification and CBEFF.
Identification Card • This standard is being developed as Part 11 of the ISO/IEC 7816 standard. • The scope is specifying security related inter-industry commands to be used for personal verification with biometric methods in integrated circuit cards (e.g., smart cards). • It also defines data elements to be used with biometric methods. • This standard is under development in the International Standards Organization (ISO) Subcommittee (SC) 17, Working Group 4.
DoD Biometrics • On 25 August 2003, Deputy Secretary of Defense Paul Wolfowitz signed a memorandum titled, “Department of Defense (DoD) Biometrics Enterprise Vision.” • In this memorandum, Mr. Wolfowitz directed the BMO (Biometrics Management Office) to perform the following two actions: • (1) “ensure that a scalable biometrics component of the Global Information Grid (GIG) infrastructure is in place” and • (2) ensure “that the appropriate standards, interoperability tools, testing frameworks, and approved product validations are available to assist the DoD Components in using this technology.”
DoD Biometrics • BMO is developing the DoD Application Profile, which describes an infrastructure for collecting biometric data from personnel. • The BMO is also developing conformance testing standards that specify the concepts, frameworks, test methods, and criteria that must be achieved to certify the conformity of vendors’ products to biometric standards. • BMO has initiated the Biometric Conformity Assessment Initiative to ensure the DoD implements biometric technology that is interoperable, properly tested, and certified.
DoD Biometrics • DoD Electronic Biometrics Transmission Specification: describes customizations of the FBI Electronic Fingerprint Transmission Specification transactions that are necessary to utilize the DoD Automated Biometric Identification System. • DoD Electronic Biometrics Transmission Specification Overview: discusses the overall content and purpose of the transmission of biometric data. • Department of Defense Biometrics Standards Development, Recommended Approach: A recommended approach to ensure that appropriate biometric standards, interoperability tools, testing frameworks, and approved product validations are available to the DoD community. • Homeland Security Presidential Directive / HSPD-12: Outlines the policy for a Common Identification Standard for Federal Employees and Contractors.
DoD Biometrics • Forensic DNA Typing and Prospects for Biometrics: DNA analysis, typing technologies, and implications and expectations for the use of DNA in biometric applications. • Proceedings, U.S. Government Workshop, Biometrics Standards in Support of the Global War on Terrorism (DoD BMO, DHS, NIST): Proceedings from the 25 May 04 Workshop to determine the work and coordination required to ensure that U.S. Government biometric standards development efforts effectively support the Global War on Terrorism. • Review of GAO Report on Information Security – Technologies to Secure Federal Systems: Information Paper summarizing the GAO Report (GAO-04-467) on cybersecurity technologies that includes a section on authentication technologies and biometrics.
IBG: International Biometric Group • IBG closely tracks all biometric standards efforts, and IBG is active in all of the critical standards activities in the biometrics industry, including M1, BioAPI, SC37, X9.84 and others. • Designed for vendors, integrators, and deployers, the "State of Biometric Technology Standards" report provides critical information on standards relevant to biometric products, applications, and deployments. • Standards addressed include BioAPI, BAPI, CDSA/HRS, CBEFF, X9.84, M1 activities and SC37 activities (including interoperable template formats, interoperable data formats, biometric performance testing, biometric security evaluations), ANSI/NIST ITL 2000, ANSI B10.8, ICAO (SC17), biometrics and card technologies, and biometrics and cryptographic systems (X.509).
Directions • Biometrics standards will facilitate growth in the biometrics industry. • Governments and corporations that are users of the technology have driven the standards even more than the biometrics vendors. • The challenge is to promote standards while promoting innovation with biometrics technologies.
Directions • Development of the Standards • Development of the Products • Evaluation of the Products • What are the criteria used to evaluate the products? • How do the products conform to the standards? • Are there ratings? • Is there a list of evaluated products? • Similar to the National Computer Security Center's list of evaluated secure system products