Docstoc

Organization Chart - PowerPoint - PowerPoint

Document Sample
Organization Chart - PowerPoint - PowerPoint Powered By Docstoc
					                         Biometric Standards

   What standards exist, how are they evolving, and
    what is their impact on the biometric industry

                           Catherine J. Tilton
                   Director, Special Projects, SAFLINK
                        Chair, BioAPI Consortium

11417 Sunset Hills Rd, Suite 106
Reston, VA 20190
703-708-9280
(fax) 703-708-0014
ctilton@saflink.com

                                                         1
Agenda

•   Introduction
•   Data/interchange standards
•   API standards
•   Other standards
Biometric Standards

• Purpose of any standard:
  –   Interchangeability
  –   Interoperability
  –   Increased competition
  –   Reduced risk
• Areas of standardization:
  –   Raw/processed data/data interchange
  –   Programming interfaces
  –   Independent certification
  –   Industry conduct
Fingerprint Standards

• Data Format for the Interchange of Fingerprint
  Information (ANSI/NIST-CSL 1-1993)
   – 500 dpi, 8-bit grayscale
• FBI WSQ standard for fingerprint image
  compression/decompression (15:1)
   – CJIS/FBI IAFIS-IC-0110
• FBI Electronic Fingerprint Transmission
  Specification
   – http://www.biometrics.org/REPORTS/FBIfp.html
• FBI Appendix F & G
   –   CJIS-RS-0110
   –   Fingerprint image quality specification (IQS)
   –   Written for scanning of inked prints on paper
   –   Specifies linearity, S/N, modulation, etc.
Facial Photo/Signature Standards
• AAMVA Best Practices
   – BPR for Digital Imaging 1.0
      • Photo
         – 16/24-bit color, JPEG, 300 dpi
         – 1” x 1.3” min (3:4 aspect ratio)
      • Signature
         – 8 bit grayscale, JPEG, 100 dpi
   – http://www.aamva.org/aamvanet/standards/
• ANSI/NIST-CSL-1a-1997 Amendment
   – Data Format for the Exchange of Fingerprint, Facial, and SMT
     Information
   – SMT = Scars, Marks, and Tattoos
• Mugshot standards
   – ANSI B10.8 Digital Imaging Document 98008
   – gslagle@aamva.org
Imaging Standards
• ANSI B10.8 Drivers License/Identification Cards
   – Draft standard
   – Includes annexes for:
      • Finger Imaging
      • Digital image compression
      • Photo/Signature
      • File exchange formats
      • Capture conditions
   – Generally consistent with AAMVA best practices
• ISO 10819-1:1994 Information Technology -
  Digital compression and coding of continuous
  tone still images: Requirements and Guidelines
• Limited applicability to biometrics
Other data standards
• Proposal by WG3, the ISO working group under
  SC17
   – Responsible for development of international standards
     as they relate to passports and travel documents
   – Prepared by ICAO TAG-MRTD (NTWG)
   – WG10 (International standard for the DL) involved
• Framework Document: Logical Record Format for
  Capacity Expansion Technologies on MRTDs
   – Machine Readable Travel Documents
• Includes fields for:
   – Encoded: hand, face, finger, eye, signature, voice
   – Displayed: portrait, fingerprint, signature/mark
• Currently in review
Template Standards

• Not here yet
• Early standard (ANSI/NBS-ICST 1 1986) not used
   – Processed data highly proprietary
   – Template data tuned to device/algorithm to provide
     competitive advantages
• Work centered initially on fingerprint
   – Law enforcement dilemma
   – IAI/Higgins study
• NIST sponsored meeting on 21 Feb 99
   – Spawned CBEFF effort
   – Subgroup effort contemplated regarding fingerprint
     minutiae for authentication
Common Biometric Exchange File Format
(CBEFF)
• Biometric Consortium Working Group
• Principles:
   – Advantage of standard file format to facilitate exchange
     and interoperability of biometric data
   – Should include all modalities of biometrics (technology
     blind), not biasing for/against any
   – Format should not attempt to translate among different
     biometric technologies, but to identify them and
     facilitate their co-existence
• Purpose of specification
   – Facilitate interoperability between different biometric
     technologies
   – Provide forward compatibility for technology
     improvements
   – Simplify the hardware/software integration process
CBEFF Patrons & Clients

                                                   CBEFF

                                     Derives
                                     From




   Patron’s                                           X9.84              Future
                        BioAPI                      Biometric            Format
   Formats               BIR                                            Definition
                                                     Object


               Places
               Data into



                                               Standard
               Company A’s   Format                        Format     Future    Format
   Clients                    Owner            Body B’s    Owner                Owner
                Biometric                                           Biometric
                               &               Biometric     &                    &
    Data           Data                                              Package
                           Format Type           Data      Format               Format
                 (BSMB)                                     Type
                                                                    (BSMB)       Type
                                               (BSMB)


              Identified By
Common Biometric Elements

•   Security Options
                                        Mandatory Field
•   Integrity Options
                                        Optional Field
•   Header Version
•   Biometric Type
•   Data Type
•   Purpose
•   Quality
•   Creation Date
•   Format Owner
•   Format Type
•   Biometric Specific Memory Block (BSMB)
•   Signature
Registering Format Owner/Types

• IBIA will be the registration authority
  – Small registration fee
  – Web Enabled registration:
    http://www.ibia.org/formats.htm
  – Web enabled access to registered Format
    Owner and type assignments.
• Format Owner Registration (e.g. company,
  organization, etc.)
• Format Type Registration (e.g. product)
Current CBEFF Compliant Formats

• Basic Minimal Format
  – Legacy products
• BioAPI Biometric Information record (BIR)
  – All BioAPI complaint products
• X9.84 Biometric Object
  – Secure transmission of Biometric data


• Proposed:
  – Smart Card Format
     • TLV encoding
Other standards

• FIPS 190: Guideline for the Use of
  Advanced Authentication Technology
  Alternatives.
  – http://csrc.ncsl.nist.gov/fips/fip190.txt
API Standards

• Application Program Interface
  – Defined way for a software application to communicate
    (request services and receive responses) with a
    technology/service module
  – Example: Microsoft Crypto API (CAPI)
  – Usually composed of a set of function calls with
    data/control parameters and defined data structures
  – Generally provided with any SDK
• Biometric APIs
  – An API standard defines a common method of
    interfacing to a particular technology
  – A biometric API standard defines a generic way of
    interfacing to a broad range of biometric technologies
API Standards




  BSP = Biometric Service Provider Module
Why is a biometric API standard needed?

• Addresses “lock-in” issue
• Key indicator of industry maturity
• Required to be competitive with other
  technologies
• Allows users across the enterprise to select the
  biometric that works best in their environment,
  while sharing the same software solutions
• Enables employers to comply with ADA, by
  affording an alternate biometric for someone
  unable to use the primary biometric
Why is a biometric API standard needed?

• Benefits:
  – Rapid application development
  – Easy adoption of new technology into existing
    solutions (exploit price/performance
    improvements)
  – Increased competition, which tends to lower
    prices
  – Allows:
     • Substitution of biometric technologies
     • One application to integrate multiple
       biometric technologies using the same
       interface
     • Leveraging of a single biometric technology
       across multiple applications
Biometric APIs

• SDKs - nonstandard, proprietary, single biometric
  type/vendor
• Single type API
   – SVAPI
• Generic biometric API
   –   HA-API
   –   IBM AIS
   –   BAPI
   –   BioAPI
   –   UAS
Existing APIs

• SVAPI
   – Lower level API specific to speaker verification.
• HA-API
   – High level API intended to simplify the integration of
     biometrics into an application.
• BioAPI
   – Broader API in both breadth and depth
   – Provides extensive management and support framework
• BAPI
   – Lower level API which standardizes the interface to different
     biometric devices
• IBM AIS API
   – Now subsumed into BioAPI effort
• Intel HRS (formerly UAS)
   – Extension to the existing CDSA security framework
   – Addresses biometrics, smart cards, etc.
   – Based on BioAPI, with some minor differences
1996          1997          1998            1999               2000

Proprietary                             UAS Draft
                                  HRS/UAS Draft
SDK APIs
                                                        Hold
         SVAPI
                                                                      Fast Track
              HA-API
              Concept             WG     Comm. Ctrl
                                                                        New
                Contract   Ver       Ver                                 Top
                           1.03       2.0                               Level
                                    Implementations     “New” BioAPI
                                                       Merged API
                      IBM AIS             Negotiations     PubMerged
                                                               Rev
                                                                API
                                                                  Ver Ref
                                     BioAPI                       1.0 Impl
                                        Announcement
                                         Architecture
                                               Lev H                     MS
                                                                        Anncmt
                              BAPI
HA-API

•   Current, defacto standard
•   High level, generic biometric API
•   Minimal function calls and framework/overhead
•   “Elegant simplicity”
•   Quick and easy integration
•   Interchangeability among BSP modules
•   GUI & device control provided by BSP
•   C/S comms & DB mgmt provided by app
•   1:1 only (Ver 2.0)
•   Initially C, Win32
BioAPI

• Combined effort towards single industry standard
  biometric API
• 77 member BioAPI Consortium
• Intense effort to develop specification
   –   Ver 1.0 released 30 March 2000
   –   Reference implementation beta released Sep 2000
   –   Ver 1.1 of both due out in March 2001
   –   Conformance test suite in progress
   –   Linux port expected soon after release of 1.1
• Takes “best of breed” from other APIs
• Extends HA-API to add:
   – Identify and database functions
   – Client/server and security support
   – Support for application controlled GUI
BiopAPI Membership
 Acsys Biometrics USA, Inc.      Identification & Verification Int’l   OKI Electric
 Ambition Global Co., Ltd.       Identix                               Omnikey
 American Biometric Company      Image Computing Inc. (ICI)            Precise Biometrics
 Authentec                       Infineon Technologies                 Presideo
 Barclays Bank                   Intel Corporation *                   Raytheon
 Bergdata USA, Inc.              I/O Software, Inc.                    Recognition Systems
 BioFinger Tech. Corp.           Iridian Technologies *                SAFLINK *
 BioLink Technologies Intl.      ISC/US Inc.                           Sagem-Morpho
 Biometix                        ITT Industries                        Sec2Wireless
 Biometric Identification Inc.   J. Markowitz Consulting               Secugen
 Biometrics.co.za                Janus Associates                      Sensecurity Pte Ltd
 BioNetrix                       Kaiser Permanente                     Startek
 BioPassword Security Systems    Keyware Technologies                  STMicroelectronics
 Business Integ. Tech. Solns     LCI SmartPen n.v.                     Systemneeds, Inc.
 Compaq *                        Leading Edge Secty Ltd.               TechGuard Security
 Configate, Ltd.                 Locus Dialogue                        Telework Corporation
 Datastrip, Inc.                 Logico Smartcard                      Transaction Security
 Dialog Comm. Systems AG            Solutions GMBH                     Transforming Technologies
 Digital Persona                 Miaxis Biometrics Co.                 TRW
 eCryp, Inc.                     Mytec Technologies. Inc. *            UniSoft Corporation
 eTrue, Inc.                     Nanyang Tech. Univ.                   Unisys *
 Fidelica Microsystems, Inc.     Natl Biometrics Test Cen.             Veridicom
 Fingerprint Cards AB            NIST *                                Viatec Research
 Gemplus                         National Security Agency              Visionics
 Hewlett-Packard                    (NSA)                              Who?Vision
 Hunno Technologies              NEC Corporation
 Identification Systems          Neurodynamics Ltd.
   DERMALOG GMBH
Leadership

• Steering Committee        • Working Groups
  – Compaq, John Hurd         – Applications (AWG)
  – Intel, John Wilson           • John Wilson, Intel
    (Technical Editor)        – Device level (DWG)
  – Iridian, Jim Cambier         • Aaron Watson, I/O
    (Treasurer)                    SW
  – Mytec, Colin Soutar       – External Liaison (XWG)
  – NIST, Fernando Podio         • Fernando Podio, NIST
  – SAFLINK, Cathy Tilton     – Reference
    (Chair)                     Implementation (RWG)
  – Unisys, Fred Herr            • Colin Soutar, Mytec
    (Secretary)               – Conformance Test Suite
                                (CWG)
                                 • Jim Cambier, Iridian
BioAPI 1.0
                                                      Application


                                                          Bio API 1.0
                    Mgmt Functions                        Biometric Functions        Database Functions
                   Module Management
  BioAPI Runtime




                                                 Capture      Process    Verify       Add
                       Functions
                                                                                         Get
                    Utility Functions         Identify       ID_Match    Ver_Match
                                                                                            Delete
                   Handle Operations
                                                 Enroll       Update       Import              Query


                                          Biometric Service Provider Interface
                               Internal biometric service providers development interface


                      Finger             Voice               Face           Hand       Signature
                       BSP               BSP                 BSP            BSP           BSP

                      Capture           Capture             Capture       Capture       Capture
                      Device            Device              Device        Device        Device
 BioAPI Specification
       BASIC FUNCTIONS                          PRIMITIVE FUNCTIONS
• BSP Management Functions                  • Capture
                                               – CapturedBIR is an “intermediate” BIR
   – ModuleLoad                                – Purpose recorded in BIR
      • Load BSP & enable events               – AuditData is “raw” BIR
   – ModuleAttach                           • CreateTemplate
      • Attach BSP to BioAPI framework         – Purpose must be “Enroll…”
• Enroll User                                  – NewTemplate can be an adaptation of
                                                 a StoredTemplate
   – Enroll
                                            • Process
      • Create template & store in user
                                               – Purpose must be Verify or Identify
        account DB
                                               – Converts “intermediate” to
• Verify asserted identity (1:1)                 “processed” BIR (if algorithm installed
                                                 in BSP)
   – Verify
                                            • VerifyMatch
      • Live input matched against one
        stored template                        – Perform 1:1 match
                                            • IdentifyMatch
• Discover User’s identity
                                               – Perform 1:N match against specified
  (1:many)                                       DB
   – Identify                               • Import
      • Live input matched against set of      – Imports non-real-time data for
        stored templates                         processing
Biometric Data Record

   Biometric Identifier Record (BIR)


         Header        Opaque Biometric Data              Signature




                                  Format
             Header      BIR                               Purpose    Factors
Length                                          Quality
             Version     Type   Owner      ID               Mask       Mask
Optional Capabilities

• Return of raw/audit data   • Return of FRR
• Return of quality          • Model adaptation
• Application-controlled
  GUI
                             • Binning
• GUI streaming callbacks    • Client/server
• Detection of source          communication
  presence                   • Self-contained
• Payload carry                device
• BIR signing
• BIR encryption
BioAPI Features

• Standardizes functions PLUS
   – Standard biometric data record format (CBEFF)
   – Normalizes scoring & thresholding
• Rich feature set supports:
   –   True client/server implementations
   –   Model adaptation
   –   Application control of GUI
   –   App or BSP/internal database options
   –   Data payloads
   –   Configuration flexibility through basic and primitive
       operations
Open Systems

• Platform (OS) independent
  –   Designed for use in any environment
  –   Supports cross-platform implementations
  –   Heterogeneous environments
  –   Can support Windows, Unix, Linux, Java
• Open system standards provide:
  –   Broader market for biometric technologies
  –   Lower risk to integrators & end users
  –   Adds flexibility
  –   Expands selections
Government support

• Government has called out BioAPI
  compliance as requirement:
  – GSA Smart Card program
  – Army Biometric Program Office
Human Recognition Services (HRS)

• Module extension to Common Data Security
  Architecture (CDSA) Open Group standard
• Will be consistent with BioAPI top level
• Supports user authentication within a security
  framework
• Biometrics used in conjunction with other
  security modules (cryptographic, dig cert, data
  libr)
• Capability to unlock secrets
• High level interface preferred
• Minimize security vulnerability points
CDSA Architecture


                                                  Applications

System                                 Layered Services, Middleware,
Security                            Language Interface Adapter, and Tools
Services

                                                CSSM Security API
Common                                  Core Services                              Elective Modules
Security
           Integrity




                                                                        Context
           Services




                                                                        Security
Services




                                                                         Mgmt
                       Cryptologic Trust Policy Cert Libr. Data Libr.                Key    Hum Rec.
Manager                 Svcs Mgr Module Mgr Mod Mgr Module Mgr                     Recovery Services
                           SPI        TPI         CLI        DLI                              SPI


Security                  CSP          TP        Cert.       Data                             BSP
Add-in                                Libr.      Libr.       Libr.
Modules
API contacts

• HA-API: www.biometrics.org
• BioAPI: www.bioapi.org
• UAS: www.intel.com/ial/security/specs.htm
• BAPI: www.iosoftware.com
• SVAPI: www.srapi.com
ANSI Sub-Committee X9F4

• X9 - Financial Services
   – X9F - Information & Data Security
      • X9F4 - Cryptographic Applications
         – X984 - Biometric Info. Mgmt. & Security
• X984 Scope
   – Security of biometric data across its life cycle
   – Management of the biometric data across its life cycle
   – Usage of biometric technology for verification and
     identification banking customers and employees
   – Application of biometric technology for physical and logical
     access controls
   – Encapsulation of biometric data
   – Techniques for securely transmitting and storing biometric
     data
   – Security of the physical hardware used throughout the
     biometric life cycle
X984 Requirements

1. Mechanisms … to maintain the data integrity of biometric data and
   verification results between any two components:
          Cryptographic mechanisms such as a MAC or digital
           signature,
          physical protection where no transmission is involved
           and all components reside within the same tamper
           resistant unit
2. Mechanisms … to authenticate the source of the biometric data
   and verification results, between the sender and receiver
   component:
          Cryptographic mechanisms such as a MAC or digital
           signature
          Using physical protection where no transmission is
           involved and all components reside within the same
           tamper resistant unit
3. If desired, mechanisms … to ensure the confidentiality of the
   biometric data during transmission
X984 Principles of Biometric Management



           Data
         Collection                            Signal
                                             Processing




                             Transmission




                                             Matching
             Storage




www.x9.org             jstapleton@kpmg.com
Biometrics & Smart Cards

• No standards . . . Yet
   – NSA R22 “Guidelines for Placing Biometrics in Smart Cards”
      • Ver 1.0, 9/15/98
      • Prepared for GSA Smart Card Group
• Groups working on this
   – Teletrust
      • German group
   – EuroSmart
   – SAPO
      • Japanese group
• ISO/IEC JTC1 /SC17 N 1864; ISO/IEC CD 7816-11
   – Information technology – Identification cards – Integrated
     circuit(s) cards with contacts – Part 11: Personal verification
     through biometric methods
   – Working draft dated 12-15-2000
ISO 7816-11

ISO/IEC 7816 consists of the following parts, under the
general title Information technology — Identification cards
- Integrated circuit(s) cards with contacts:

 Part 1: Physical characteristics,
 Part 2: Dimensions and location of contacts,
 Part 3: Electronic signals and transmission protocols,
 Part 4: Interindustry commands for interchange
 Part 5:Numbering system and registration procedure for application
identifier
 Part 6: Interindustry data elements
 Part 7:Interindustry commands for Structured Card Query Language
(SCQL)
 Part 8: Security related interindustry commands
 Part 9: Additional interindustry commands
 Part 10: Electronic signals and answer to reset for synchronous cards
 Part 11: Personal verification through biometric methods
Industry (non-technical) Standards

• IBIA member standards:
  – Use of biometrics only for legal, ethical, and
    non-discriminatory purposes
  – Highest standards of system integrity and
    database security to deter identity theft, protect
    personal privacy, and ensure equal rights
  – Professional courtesy among competitors
  – Truth in marketing (including accuracy claims)
  – Demonstration that products are safe,
    accurate, and effective
  – Commitment to principles of free trade
Too many standards?

• Not to worry . .
  – Many of the various groups are coordinating
    with each other
    • Data formats: CBEFF, BioAPI, X9F4
    • BioAPI has liaisons to most other industry
      groups
    • ANSI/AAMVA
Conclusion

• Standards activity indicators of widespread
  interest in biometrics
• Standards needed to grow the biometrics
  market, especially the commercial market
• Standards will:
  – Provide flexibility
     • As technology evolves
     • To accommodate a variety of situations
  – Drive biometrics to a commodity
  – Make biometrics plug-and-play
  – Lower implementation risk