state of biometric standards

Hosted by:June 23-26, 2003 • New York City

www.biometritechexpo.com

State of Biometric Standards

Jeff Stapleton, Manager

Information Risk [email protected]

(314) 444-1447Chair X9F4 www.x9.org

Chair WG10 www.tc68.org

2



Agenda – Biometric Standards

• Standards Bodies– International Standards Bodies– USA Domestic Standards Bodies

• State of the Standards– Past Achievements – Present Activity– Future Work in Progress

Whoare

they?

WhatArethey

doing?

3



International Standards Bodies

International Organization for Standardization

International ElectrotechnicalCommission

Joint TechnicalCommittee One

SC 17 Cards & Personal Identification

SC 17 Cards & Personal Identification

SC 27 IT Security Techniques

SC 27 IT Security Techniques

SC 37 Biometric Technology

SC 37 Biometric Technology

TC 68 Banking, Securities and Financial services

TC 68 Banking, Securities and Financial services

SC 2 Security and General Banking Operations

SC 2 Security and General Banking Operations

Formal Liaison RelationshipsRelative to Biometric Standards

4



Informal Bodies

USA Standards Bodies


International ElectrotechnicalCommission

Joint TechnicalCommittee One

AccreditedStandardsCommittee

USA National Standards Body

BioAPIConsortium

5



US Interactive Relationships

Financial Services Security

Financial Services Industry

Biometric Security

Retail Banking

Public Key Infrastructure

incits

IT SecurityT4

M1

B10

SC27

SC37

SC17

Biometric Technology

ID Card Technology

X9A

X9F

X9F5

X9F4

X9F6

TC68TC68

SC2

SC6

WG10

WG8

WG6 Retail Bank Card Security

Liaison RelationshipUS TAG RelationshipIndustry Relationship

6



ISO Overview

Established 1946

www.iso.ch – 146 National Standards Bodies– 94 Member Bodies

• USA is a Member Body with a National Standards Body – American National Standards Institute

• Over 200 Technical Committees – TC 1 Screw Threads …– TC 68 Banking and Financial Services …– TC 215 Health Informatics


7



TC 68 OverviewInternational Organization for Standardization

Develops international technical standards– Financial Services Industry– Including banking and securities

• Subcommittees www.tc68.org – SC 2 Security Management and General Banking Operations

• Biometrics, Public Key Infrastructure (PKI), Security Guidelines

– SC 4 Securities and Related Financial Instruments – SC 6 Retail Financial Services

• Including PIN management, key management, and cryptographic hardware devices used in the Retail Financial Services

• Cardholder at ATM and Point-of-Sale (POS) Terminals

8



JTC1 Overview

Established early 1980’s www.jtc1.ch – 38 Liaison Members– 94 National Member Bodies

• USA is a Member Body with a National Standards Body – American National Standards Institute

• 18 Active Subcommittees … – SC 17 Cards & Personal Identification INCITS/B10

– SC 27 IT Security Techniques INCITS/T4

– SC 37 Biometrics (established 2002) INCITS/M1

Joint Technical Committee One

9



JTC1/SC37 Overview

Established June 2002 www.jtc1– First meeting held December 2002– Scope is biometric technologies

• File formats, APIs, application profiles, testing…

– Excluded from SC37 scope• SC17 biometrics for cards and personal identification

• SC27 biometric security and evaluation methodologies

– Formal Liaisons include• SC37 to SC17

• SC37 to SC27

10



Overview

Founded in 1918 as a membership-based, not-for-profit organization, ANSI is …– A coordinator and facilitator of the U.S. voluntary consensus standards

and conformity assessment system

– An accreditation body for U.S. standards developers, U.S. Technical Advisory Groups and U.S. certification programs

– The forum for the U.S. standards and conformity assessment communities

• American National Standards (ANS) Developers – Currently more than 270 ANSI accredited standards developers,

representing 200 distinct entities

– Not all standards developed by these organizations are submitted for consideration as ANS

11



X9 Overview

Financial Services Industry www.x9.org – X9A Subcommittee on Retail Banking TC68/SC6– X9B Subcommittee on Check Processing– X9C Consumer Protection (established 2003)– X9D Subcommittee on Securities TC68/SC4– X9F Subcommittee on Information Security TC68/SC2

• X9F1 Cryptographic Tools• X9F3 Cryptographic Protocols• X9F4 Cryptographic Applications – X9.84 Biometrics• X9F5 PKI Policy and Practices• X9F6 Management and Security – Retail Banking

– X9 WG1 Privacy

Accredited Standards Committee

12



Overview

Information Technology Standards www.incits.org – Formerly X3 Committee– 36+ Technical Committees

• B10 Identification Cards and Related Devices SC17– AAMVA Driver License / Identification Standard

• J16 Programming Language C++ …• L3 Audio, Picture, Multimedia, and Hypermedia …• M1 Biometrics (established 2002) SC37

– ANS INCITS 358-2002 BioAPI, NISTIR 6529-A Common Biometric Exchange File Format (CBEFF)

• T4 Security Techniques … SC27– ASN.1 Extended Encoding Rules (XER)

incitsInternational Committee for IT Standards

13



INCITS/M1 Overview

Established 2001– 55+ Companies and organizations membership– US TAG to JTC1/SC37

• Task Groups (current organization)– M1.1 Biometric Data Interchange Formats– M1.2 Biometric Technical Interfaces – M1.3 Biometric Profiles – M1.4 Biometric Performance Testing and Reporting

14



Overview

Established 1993 www.oasis-open.org – Originally founded as SGML

• Standard Generalized Markup Language (SGML)

• Renamed in 1998 – Extensible Markup Language (XML)

– 600+ Corporate and Individual Members – 100+ Countries including United Nations (ebXML) – XML Common Biometric Format (XCBF) Technical Committee

• Established February 2002

• XCBF patron format of NISTIR 6529-A CBEFF

• XCBF based on ASN.1 schema in X9.84-2003

• XCBF conforms to XML Encoding Rule (XER) in X.693

• XCBF relies on X9.96-draft Cryptographic Message Syntax (CMS)

Organization for the Advancement of Structured Information Standards

15



Overview

Established 1995

www.biometrics.org – Co-hosted by NIST and NSA

• Focal point for biometric research…

• Operate discuss group [email protected]

• Operate information line 1-866-BIOMETRics (866-246-6387)

– Working Groups• Common Biometric Exchange File Format (CBEFF)

• Biometrics Interoperability, Performance, and Assurance

– NISTIR 6529-2001 CBEFF – NISTIR 6529-A-2002 CBEFF

16



Overview

Established 1998

www.bioapi.org – Focus was to harmonize the various biometric APIs

• BioAPI Specification version 1.0 – March 2000

• Reference implementation version 1.0 – September 2000

• BioAPI Specification & implementation version 1.1 – March 2001

• Working Groups– Applications (AWG) – top level interface of the BioAPI– External (XWG) – transition to other standards bodies– Reference Implementation (RWG) – reference implementation – Conformance Test (CTWG) – conformance test suite

BioAPI Consortium

17



ISO/IEC JTC1/SC17 FDIS 7816 Part 11

- - -

Existing StandardsUS StandardsISO/IEC JTC1 US SpecificationsISO TC68

OASIS XCBF ANS X9.84-2003 Biometric Security

ISO TC68/SC2 CD 19092 ballot

-

NISTIR 6529-A CBEFF 2002

ISO/IEC JTC1/SC37 CD ballot

--

ANS INCITS 358-2002 BioAPI

ISO/IEC JTC1/SC37 CD 19785 ballot

BioAPI 2001Version 1.1

-

AAMVA DL/ID 2000 -- -

WSQ 1993 FBI Fingerprint Compression

-- -

18



CBEFF

Biometric Architecture

BiometricServiceProvider

BioAPI Framework

ApplicationApplication

BIR

XCBF

Extended Markup Language (XML)

CryptographicServiceProvider

X9.84 Biometric Security

ASN.1

BiometricValidation

ControlObjectives

ICC

19



INCITS/M1 Work in Progress

M1.1 Task Group – Biometric Data Formats– Finger Pattern Based Interchange Format– Finger Minutiae Format for Data Interchange – Finger Image Based Interchange Format– Face Recognition Format for Data Interchange – Iris Interchange Format – Signature / Sign Image Based Interchange Format

• Digitized signature (not PKI digital signature)

• Low level data interoperability – Vendor “A” format captured by vendor “B” device– Vendor “A” format processed by vendor “C” system

20




M1.2 Task Group – Biometric Interfaces– INCITS 358-2002 BioAPI, NISTIR 6529-A CBEFF – Interoperability between biometric components & subsystems – Security mechanisms for stored and transmitted data

• X9.84-2003 Biometric Information Management and Security

– Reference model for multi-vendor systems

• High level process interoperability – Functional calls

• Fetch sample, Create template, Matching …

– Application calls • Enroll, Identify, Verify …

21




M1.3 Task Group – Biometric Profiles– Interoperability and Data Interchange, Biometric Based

Verification and Identification of…– Transportation Workers – Border Crossing – Point-of-Sale (POS)

• X9.84-2003 for the Financial Services Industry

• Industry specific needs– To be determined, initial meeting June 9-11 in Seattle WA

22




M1.4 Task Group – Performance and Testing– Biometric metric definitions and calculations – Testing performance – Test reporting

• Ongoing biometric technology issue…– False Match Rate (a.k.a., False Acceptance Rate)– False Non-Match Rate (a.k.a., False Reject Rate) – Failure to Enroll Rate– To be determined, initial meeting June 11 in Seattle WA

23



JTC1/SC37 Work in Progress

• SG 01 Harmonized Biometric Vocabulary– No specific M1 correlation

• SG 02 Biometric Technical Interfaces – M1.2 Task Group – Biometric Interfaces– US submission CD 19785 ballot comments BioAPI – US submission CD ballot comments CBEFF

• SG 03 Biometric Data Interchange Formats – M1.1 Task Group – Biometric Data Formats

Work sorted by Study Group / Special Group:

24



JTC1/SC37 Work in Progress

• SG 04 Biometric Application Profiles– M1.3 Task Group – Biometric Profiles

• SG 05 Biometric Testing and Reporting – M1.4 Task Group – Performance and Testing

• SG 06 Cross-Jurisdictional and Societal Aspects– No specific M1 correlation

Work sorted by Study Group / Special Group:

25



Other Work in Progress

TC68/SC2/WG10– CD 19092 in ballot (X9.84-2003) due August 2003

JTC1/SC27– Biometric security in cooperation with TC68/SC2

JTC1/SC17– ISO 7816 Information Technology – Identification Cards –

Integrated Circuit(s) Cards with Contacts • Part 11: Personal verification through biometric methods

International Civil Aviation Organization (ICAO)– Global Biometric Initiative with JTC1/SC17

26



Chronology SummaryPre-2000

– June 1993 – FBI Fingerprint Compression WSQ published

– November 1995 – Biometric Consortium established

– April 1998 – BioAPI Consortium established

– January 1999 – X9F4 assigned NWI X9.84

Year 2000– March 2000 – BioAPI Specification v1.0 published

– June 2000 – AAMVA Drivers License / Identification published

– December 2000 – ISO/IEC CD 7816 ICC Part 11 Biometrics ballot

27



Chronology Summary

Year 2001– January 2001 – NISTR 6529 CBEFF published

– March 2001 – ANS X9.84-2001 published (BioAPI v1.0)

– March 2001 – BioAPI Specification v1.1 published

– March 2001 – NIST 6529 CBEFF published

– November 2001 – INCITS/M1 established

– December 2000 – ISO/IEC DIS 7816 ICC Part 11 Biometrics ballot

Year 2002– February 2002 – NISTR 6529-A CBEFF published

– March 2002 – ANS INCITS 358-2002 (BioAPI v1.1) published

– March 2002 – CTST Linden Award presented to Cathy Tilton

– June 2002 – JTC1/SC37 established

– December 2002 – ISO/IEC FDIS 7816 ICC Part 11 Biometrics ballot

28



Chronology Summary

Year June 2003 (so far)– February 2003 – JTC1/SC37 CD 19785 ballot comments BioAPI

– February 2003 – JTC1/SC37 CD ballot comments CBEFF

– February 2003 – XCBF 1.0 Committee Specification published

– June 2003 – ANS X9.84-2003 Biometric Security published

– June 2003 – TC68 CD 19092 in ballot (X9.84-2003)

Year July 2003 and beyond…– ISO 7816 ICC Part 11 Biometrics

– ISO Standards on Biometric Technology

– ISO Standards on Biometric Security

– ISO Standards on Industry Applications

• Financial Services Industry

• Transportation Industry and government Immigration Services

29



Standards Conclusion

Significant advances in the last 36 months– ANS INCITS 358-2002 BioAPI– ANS X9.84-2003 Biometric Security– ISO FDIS 7816 ICC Part 11 Biometrics– NISTIR 6529-A CBEFF

Further work in the next 36 months– ISO Biometric Technology Standards– ISO Biometric Security Standards – ISO Biometric Application Standards

state of biometric standards

Documents