biometrics in eb/eg and the role of the emerging bias standard cathy tilton – chair bias...
TRANSCRIPT
Biometrics in eB/eG and the Role of the Emerging BIAS Standard
Cathy Tilton – Chair BIAS Integration TCVP, Standards & Emerging Tech, Daon
Matt Swayze – Project Editor, BIAS (INCITS)Senior Solutions Architect, Daon
www.oasis-open.org
Questions to be answered
How do newer technologies like biometrics fit into today's eB/eG & SOA environments?
What standards support its use? How will the new Biometric Identity Assurance
Services (BIAS) help?
www.oasis-open.org
Biometrics
www.oasis-open.org
Biometrics - Uses Large Government
Law enforcement Forensics Background checks Prisons
• Inmates, visitors, guards Defense
Perimeter security, weapons systems, networks, red force identification
Refugee handling Civil
Credentialing programs Border management
• Pre-entry, Entry, Exit, Status Management/ Benefits
Transportation security Critical Infrastructure Protection Schools
Commercial Access Control
Physical access Logical access Employee credentialing
Health Care Med records (HIPAA) Patient ID Pharmacy
Finance Teller sign-on Transaction auditing Virtual branch Check cashing/POS
Manufacturing IP protection Manuf. Control
Events e.g., Olympics
www.oasis-open.org
Needs for eB/eG
2Primary Needs
Generic BiometricServices
Integrated Authentication
Services
www.oasis-open.org
How biometrics work
Enrollment:
Verification:
Presentbiometric
Match
No Match
Presentbiometric
Compare
ProcessProcessCaptureCapture
CaptureCapture ProcessProcess
Store
www.oasis-open.org
Generic requirements Manage biometric & associated biographic data
for a given subject/population Perform biometric operations (e.g., searches)
against a population(s)
www.oasis-open.org
Authentication requirements Perform biometric operations & utilize results
within an authentication protocol e.g., Integrate within SAML, WS-S, etc.
Accommodate multiple authentication architectures (i.e., local, server based) Use of biometric to release authentication
token/assertion Biometric verification server
Note: INCITS M1 Study on Biometrics in E-Authentication.
www.oasis-open.org
SubscriberIdentity +Biometric
• Identity proofing• Enrolls biometric
• Register Biometric• Build Credential (bind identity to ref. biometric)
Est. Identity+ biometric
Credential
• Applies
Credential
ClaimantClaimed identity+ Live biometric
• Verifies identity (through biometric matching)
• Checks authorization• Grants access
Assertion
Access
• Requests access
BiometricAuthentication
Server
Registration/Enrollment
Authentication
Process modification of SP800-63.
www.oasis-open.org
Plan of attack Define basic services (INCITS) Define first binding (OASIS)
Future – Define additional bindings (e.g., ebXML, fastweb,
etc.) Address use within authentication/security protocol Extend base capabilities (e.g., notifications)
www.oasis-open.org
Standards Biometric standards
BIAS ANSI/INCITS & ISO
Data formats CBEFF BioAPI, BIP
Justice NIEM/GJXDM EFTS/NIST
Other standards WS* SOAP/HTTP Security
WSS, SAML ISO/IEC 19092 ISO SC27 work
• ACBio Biographics
ANSI/NIST, GJXDM CIQ, HR-XML,
UN/CEFACT
www.oasis-open.org
Biometric Identity Assurance Services (BIAS)
In reviewing the current biometric-related standards portfolio and system oriented architecture (SOA) references, it became apparent that a gap existed in the availability of standards related to biometric services.
Biometric Applications Biometric Resources
?ANSI/NIST-ITL 1-2000/7 ?
BioAPI/BIP ?
Other ?
www.oasis-open.org
BIAS – Driving Requirements Provide ability to remotely invoke biometric operations
across an SOA infrastructure, decoupling the service from the interface (and requester) that calls it.
Provide business level operations, without constraining the application/business logic that implements those operations.
Provide basic capabilities that can be used to construct higher level, aggregate/composite operations.
Be as generic as possible – technology, framework, and application domain independent.
www.oasis-open.org
INCITS & OASIS Collaboration Development of the BIAS standard requires expertise in two distinct
technology domains to ensure that the final specification provides the right structure, functionality, and technical details:
Biometrics, with standards leadership provided by INCITS M1 Service Architectures (initially focused on Web services), with standards
leadership provided by OASIS Close collaboration between both standards organizations is required:
Existing standards are available in both domains and many of these standards will provide the foundation and underlying capabilities upon which the biometric services depend.
INCITS M1 OASIS Define “taxonomy”:
Identity assurance operations Data elements
Define Web services bindings: Schema Protocol
www.oasis-open.org
Goals BIAS will provide an open framework for deploying and
invoking biometric-based identity assurance capabilities that can be readily accessed using services-based frameworks.
BIAS will provide a generic set of biometric (and related) functions and associated data definitions to allow remote access to biometric services.
BIAS will specify a set of patterns and bindings for the implementation of BIAS operations using Web services within service-oriented architectures.
www.oasis-open.org
BIAS System Context (INCITS M1) BIAS services are modular and
independent operations which can be assembled in many different ways to support a variety of business processes.
BIAS services may be implemented with differing technologies on multiple platforms.
BIAS services can be publicly exposed directly and/or utilized indirectly in support of a service-provider’s own public services.
www.oasis-open.org
BIAS System Context (OASIS) Defines an XML
messaging protocol to implement the “abstract” services specified in INCITS M1.
Defines request, response, acknowledgement, notification, and fault messages (as applicable) for each of the “abstract” services
www.oasis-open.org
BIAS Services Subject
Create/delete subject Add/remove subject from
gallery Biographics
Set/list biographic data Update/delete biographic
data Retrieve biographic data
Biometrics Set/list biometric data Update/delete biometric data Retrieve biometric data
Searching/processing Verify subject Identify subject Check quality Classify biometric data Perform fusion Transform biometric data
Aggregate services Enroll Identify Verify Retrieve information
www.oasis-open.org
Process flow – border mgmt example
StartIdentifySubject
…
MatchFound?
SetBiographic
Data
SetBiometric
Data
SetBiographic
Data
SetBiometric
Data
CreateSubject
AddSubject To
GalleryFinish
Finish
No
Yes
Save and Associate Encounter
Create New Subject
Known Subject?
www.oasis-open.org
Example eG use case Registered Traveler Program
RT is a trusted passenger program to expedite and enhance security screening of passenger participants
Travelers must apply to enroll in the program via a service provider, which collects biographic and biometric information as part of the application process
The TSA conducts a Security Threat Assessment on all applicants
If approved, a traveler is issued an RT card containing authentication information
In operational use, a cardholder is verified to ensure legitimacy using fingerprint or iris biometrics
www.oasis-open.org
RT – Functional Flow
The Enrollment Provider collects biographic and biometric information from an RT Applicant and transmits it to the CIMS (Steps 1 and 2)
The CIMS formats and transmits the data to the TSA (Step 3). The TSA conducts a Security Threat Assessment at application and re-vets on a
perpetual basis (Step 4) and transmits an approved or not approved finding back to the CIMS (Step 5).
The CIMS informs the Enrollment Provider of acceptance or non-acceptance (Step 6), and the Enrollment Provider informs the RT Applicant and issues a card with the authentication payload created at the CIMS if he or she is approved (Step 7).
When an RT Participant travels through a participating airport, they use the RT card at an RT verification station which confirms the individual’s current status in the RT program (Step 8).
www.oasis-open.org
Applying BIAS to RT – Step 1
Pre-Enrollment Each traveler applying for an RT card may, if supported by the Enrollment
Provider, pre-enroll This involves accessing a web-site and entering biographic data. This data is
stored for the applicant. BIAS Services
Create Subject Add Biographic Data
www.oasis-open.org
Applying BIAS to RT – Step 2
Enrollment Complete the enrollment process by reviewing biographic information supplied
at pre-enrollment and collecting biometric information BIAS Services
(EP Internal) Retrieve Biographic Data (EP Internal )Update Biographic Data (if any edits to biographic information) (EP Internal) Set Biometric Data (CIMS interface) Enroll
www.oasis-open.org
Applying BIAS to RT – Steps 3-6
Registration, Vetting Coordination, and Card Payload Generation Submit a request to TSA for a Security Threat Assessment
BIAS Services (CIMS internal) Create Subject (CIMS internal) Set Biometric Data (TSA interface) Identify (CIMS internal) Add Subject to Gallery
www.oasis-open.org
Applying BIAS to RT – Step 7
Create Card If all enrollment processing completes with no adverse
information, resulting in an “approval” decision, then the RT card may be issued
BIAS Services (EP internal) Add Subject to Gallery
www.oasis-open.org
Applying BIAS to RT – Step 8
Verification The traveler’s biometric is captured and compared against
the biometric information stored on the card BIAS Services
(EP internal) Verify Subject
www.oasis-open.org
Example eB use case – Online Banking Overview:
An individual has an existing bank account at XYZ Bank and would like to access this account information and perform transactions.
In lieu of a password, the bank has configured their online banking web application to use biometric verification.
The account holder uses a home PC with a biometric device (e.g., an iris camera) installed.
Two situations described: Enrollment: associated biometric information with the account Account Access: access the account using a biometric as the method of
verification
Note: This example could also be structured using biometrics as a front-end to a traditional authentication protocol.
www.oasis-open.org
Online Banking – Enrollment
Account Holder XYZ Bank
(1) One-time biometric enrollment password
(2) Verify password and initiate biometric enrollment
(4) Submit biometric information [Set Biometric Data]
(3a) Capture biometric information(3b) Perform local 1:1 verification
(1) The bank has issued the individual a one-time password to allow the account holder to enroll biometric information into the system.
(2) The individual accesses the online banking site and selects ‘biometric enrollment’. The individual enters the account number and one-time password to access this function. Once verified, the enrollment application is initiated.
(3) The individual follows the steps to capture biometric data and to perform a local 1:1 match against that data to ensure it will be matchable.
(4) Once suitable data is acquired, it is submitted to the bank as an enrollment [Set Biometric Data].
www.oasis-open.org
Online Banking – Account Access
Account Holder XYZ Bank
(1) Access online banking system
(3) Submit biometric information [Verify Subject]
(2) Capture biometric information
(1) The account holder accesses the online banking site and enters the account number. At this point, the individual is challenged to present a biometric (e.g., capture iris data).
(2) The individual interacts with the device to capture the biometric data.(3) The biometric data is transmitted to the bank for verification [Verify Subject]. If the
verification is successful, the bank will provide access to the transaction screens for the individual's account.
www.oasis-open.org
Status INCITS project 1823-D, BIAS
Essentially complete Expected to go to public review in April timeframe Latest draft (Rev 4):
http://www.incits.org/tc_home/m1htm/2006docs/m1061071.pdf OASIS document: BIAS Messaging Protocol
Working draft – WSDL complete, gaps in other areas Latest draft (Ed draft 0.8):
http://www.oasis-open.org/committees/download.php/22543/bias-1%200-biasmp-ed-08.pdf
WSDL: http://www.oasis-open.org/committees/download.php/22544/bias.wsdl
Goal: Ready for review by Fall 2007