
1 Copyright(C) 2002, All rights reserved. SDL, Hitachi, Ltd. and Waseda University.1 Trends of Biometrics Technology Standardization 14 May 2002 Naohisa Komatsu Waseda University, Japan ITU-T Workshop on Security

2 Authentication process
[Diagram: network system, user terminal, authentication, user authentication, cryptosystem]
- Knowledge-based: threat of forgetting, e.g. password
- Possession-based: threat of loss, e.g. card
- Individual characteristics: no threat of forgetting or loss, e.g. fingerprint, voice, handwriting

3 Parameters for User Authentication
- Knowledge (password): stored data = input data? Threat of forgetting.
- Possessions (key, ID card): stored data = input data? Threat of loss.
- Individual characteristics: stored data → personal features, input data → personal features; do the features match? Change through time passing.
- Physiological characteristics: fingerprint, face, hand, eye
- Behavioral characteristics: handwriting, voice, keystroke

4 Characteristics of Biometrics (OMRON Corp.)
Each biometric has its own merits and demerits. There is no ideal biometric.
[Figure: accuracy versus acceptability for retina, fingerprint, hand geometry, iris, voice, signature, face, finger geometry and pattern of vein, annotated with the distance between system and user]

5 The Standardization of Biometrics Technologies
- Why is standardization necessary?
- Data format (CBEFF) and Application Program Interface (BioAPI)
- Security requirements (X9.84)
- Accuracy test (Best Practice)

6 Needs of Standards
- To accelerate fair competition by clarifying vulnerability and countermeasures.
- Accuracy test
- Standards for applying biometrics
- To reduce the cost of system development
- Application program interface
- Data format
- For effective development through common framework for biometric system.
- Common Criteria
- Privacy guideline

7 Goal of BioAPI & CBEFF
- Data interoperability: CBEFF
- Program interoperability: BioAPI

8 Purpose of BioAPI
Purpose
- Interoperability and development cost reduction of biometric authentication systems.
- Providing a high-level generic biometric authentication model: Authentication/Identification, Server/Client
Scope
- Any form of biometric technology
- Enrollment, authentication, identification, database interface

9 History of BioAPI
NIST merged HA-API, BAPI and BioAPI.
NIST: National Institute of Standards and Technologies
HA-API: Human Authentication API
[Timeline: Former BioAPI DRAFT; HA-API 1.0; HA-API 2.0; BAPI 1.0; BioAPI Reference Implementation Ver1.0 Beta; BioAPI Specification Ver.1.0; I/O Software joined BioAPI consortium; BioAPI Reference Implementation Ver1.1; BioAPI Specification Ver.1.1]

10 Outline of BioAPI Structure
[Diagram: Application, API, BioAPI Framework, SPI, BSP, Device]
- BSP: Biometrics Service Provider. Biometric function provided by technology vendors
- SPI: Service Provider Interface
- API: Application Program Interface
- Biometric Device: fingerprint scanner, camera, etc.
- Middleware mediates between API & SPI
- Reference implementation for Windows is available

11 Outline of CBEFF
Purpose
- Interoperability between different systems.
- Accommodation to any biometric technology.
History
- Sponsor: NIST ITL, Biometrics Consortium
- Developing organization: CBEFF Technical Development Team, cooperating with BioAPI Consortium, X9.F4 Working Group, IBIA, TeleTrusT
- Publication: NISTIR6529 "Common Biometric Exchange File Format" (NIST, January 3, 2001)
NIST ITL: Information Technology Laboratory
IBIA: International Biometric Industrial Association

12 CBEFF Data Structure
Includes three blocks
- SBH (Standard Biometric Header): Header of CBEFF file
- BSMB (Biometric Specific Memory Block): Contains the biometric data. Vendors can place any biometric data directly into this block: biometric information, template, original header, etc.
- SB (Signature Block): Contains signature or MAC for integrity. Optional.
[Diagram: SBH, BSMB, SB]
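A sketch of the three-block layout on this slide, added here as an example and not taken from the presentation or from NISTIR 6529: the header fields, the `XBEF` marker and the use of HMAC-SHA256 as the SB are assumptions for illustration. Because the SB is optional, the verifier's own policy (`require_sb`), not a flag inside the record, decides whether integrity must be proven.

```python
import hashlib
import hmac
import struct

MAGIC = b"XBEF"      # hypothetical marker, not a CBEFF-defined value
SBH_FMT = ">HHBI"    # assumed SBH: format owner, format type, SB flag, BSMB length
SBH_LEN = len(MAGIC) + struct.calcsize(SBH_FMT)
MAC_LEN = hashlib.sha256().digest_size


def pack_record(bsmb, format_owner, format_type, key=None):
    """Serialize SBH | BSMB | SB; the SB (a MAC) is appended only if a key is given."""
    flag = 1 if key else 0
    sbh = MAGIC + struct.pack(SBH_FMT, format_owner, format_type, flag, len(bsmb))
    record = sbh + bsmb
    if key:
        # The SB covers both the SBH and the BSMB.
        record += hmac.new(key, record, hashlib.sha256).digest()
    return record


def unpack_record(record, key=None, require_sb=True):
    """Parse a record and return (format_owner, format_type, bsmb).

    With require_sb=True a record without a valid SB is rejected, even if its
    header claims that no SB is present.
    """
    if len(record) < SBH_LEN or record[:len(MAGIC)] != MAGIC:
        raise ValueError("not a record in the example layout")
    owner, ftype, has_sb, bsmb_len = struct.unpack(
        SBH_FMT, record[len(MAGIC):SBH_LEN])
    end = SBH_LEN + bsmb_len
    if len(record) < end:
        raise ValueError("truncated BSMB")
    bsmb, sb = record[SBH_LEN:end], record[end:]
    if require_sb:
        if key is None or not has_sb or len(sb) != MAC_LEN:
            raise ValueError("signature block missing")
        expected = hmac.new(key, record[:end], hashlib.sha256).digest()
        if not hmac.compare_digest(sb, expected):  # constant-time comparison
            raise ValueError("integrity check failed")
    elif len(sb) != (MAC_LEN if has_sb else 0):
        raise ValueError("unexpected trailing data")
    return owner, ftype, bsmb
```
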

13 Relation Among Standardizations
The standardizations are progressing to convergence on BioAPI and CBEFF.
- BioAPI Specification ver.1.1 (2001/3)
- "CBEFF" NISTIR6529 (2001/1)
- ANSI X9.84: Operating requirements for biometrics authentication systems for the financial industry
[Diagram: BioAPI, CBEFF, ANSI X9.84, BAPI, HA-API, ISO; arrow labels: adoption, merged into, considering adoption]

14 Outline of X9.84
- Approved in March, 2001 by committee on Financial Services, X9 and subcommittee on Information Security, X9F.
- A standard of biometric data management and security for financial biometric system.
- X9.84 specifies:
  - Security requirements of enrollment, verification/identification, storage, termination, etc.
  - Template format compatible with CBEFF

15 Requirements of X9.84
- To maintain the integrity of biometric data and verification results
- To mutually authenticate between sender and receiver component of biometric data and verification results.
- To ensure the confidentiality of the biometric data
- Common requirements of data management in enrollment, verification/identification, storage, termination, etc.

16 Initial Enrollment for Example
Mechanism and procedure shall be in place to:
- Authorization to perform the enrollment process
- Authentication of the enrollee
- Maintain integrity and authenticity of templates
- Meet level 2 physical security requirement in a controlled environment and level 3 in an uncontrolled environment.
[Diagram: Enrollment Model: Data Collection, Signal Processing, Storage, Matching]

17 Outline of "Best Practice"
Purpose
- To provide the best method for the accuracy test of biometric system in real world
Scope
- Any biometrics and application
Features
- Experimental evaluation
- Three test methods depending on the aim of evaluation
  - Technology evaluation: algorithm
  - Scenario evaluation: specific system assumed by an evaluator
  - Operational evaluation: running system
- Definition of experimental condition: how to select subjects, to collect biometric data, to match them…
- Representation of performance
  - ROC curve for accuracy
  - Failure to enroll and acquire for usability
- Detailed report for repeatability

18 The Standardization of Biometrics Technologies in Japan
- Position of INSTAC/AIM/JBAA
- Activities of JBAA
- Operating Requirements Decision Guideline
- Vulnerability of Biometrics Technologies
- Biometrics and PKI
- Biometrics and Privacy

19 Standardization Activities in Japan
[Timeline figure. Labels: ECOM WG6 (Evaluation criteria for biometrics authentication, V0.5, V1.0); IPA Project (Accuracy Test Guideline, ORD Guideline); Accuracy Test JIS-TR; JIS-TR; JBAA; BDPP; CC; BS7799]
ECOM: Electronic Commerce Promotion Council of Japan
IPA: Information-technology Promotion Agency, Japan
INSTAC: Information Technology Research and Standardization Center
JIS: Japanese Industrial Standard
JBAA: Japan Biometric Authentication Association
CC: Common Criteria
BS7799: British Standard 7799
BDPP: Biometric Devices Protection Profile
ORD: Operating Requirements Decision

20 Position of INSTAC, AIM, JBAA
[Diagram labels: ASIA Committee; (International) Standardization; EU/USA Committee; Biometrics Consortium; Biometrics Working Group; Bio WG Malaysia; Bio WG Taiwan; BEAM Consortium Singapore; Korea Biometrics Association (KBA); JBAA; Asia Biometrics Joint Meeting; AIMJ; INSTAC/JSA; ISO/IEC SC17/SC27]
BEAM: Biometrics EnAbled Mobile Commerce
INSTAC/JSA: Information Technology Research and Standardization Center / Japanese Standards Association
AIM: Automatic Identification Manufacturers Association, Japan
JBAA: Japan Biometric Authentication Association

21 How to Expand Biometrics Market?
Solution for market creation is necessary. Image processing → Security technology
(1) Accuracy? (Technology)
(2) Cost effectiveness? (Business)
(3) User acceptability? (Social)
- Based on different methods and data for accuracy test
- Publication of the best results
- Few examples
- Indefinite requirements for security, convenience, etc.
Standardization of accuracy test is important.
IPA/Hitachi Project '99 (16 companies)
IPA: Information-Technology Promotion Agency, Japan

22 Outline of Completed Activities
(1) ECOM Personal Authentication WG, April/1996 ~ March/1998
Examine the scheme of the test and evaluation and the personal authentication model using biometrics (www.ecom.or.jp)
(2) IPA/Hitachi National Project, January/1999 ~ December/1999
Examine the standards scheme of accuracy test and operation requirements, sponsored by IPA (MITI) (www.sdl.hitachi.co.jp/ipa_biotest/ipa/english.htm)
ECOM: Electronic Commerce Promotion Council of Japan
MITI: The Ministry of International Trade and Industry
IPA: Information-technologies Promotion Agency of Japan

23 Outline of Current Activities
Standardization activities are done in two organizations
(1) Biometrics WG of INSTAC/JSA: "Make a Standardization of test and evaluation of biometrics device and system in Electronic Commerce application"
(2) Biometrics WG of AIM: "Enlighten the biometrics technology and research the biometrics market"
(3) Biometrics WG of JBAA: Discussion about implementation of "Biometric Authentication Authority" which provides network type biometric identification

24 Biometrics WG of INSTAC/JSA
Purpose
- The standardization of the biometrics authentication technologies is done in Electronic Commerce application
Members of WG
- Chairman: N. Komatsu (Waseda Univ.)
- Members: METI, Animo*, Casio, Fujitsu, Hitachi*, KDDI, Matsushita, MELCO, NEC, NTT-data*, OKI, Sony, Toshiba, etc. (*: Working Group leader)
Contents of activities
(1) Draft Japanese Industrial Standards of Test and Evaluation (Physical and behavioral characteristics)
(2) Liaison with ISO/IEC JTC1/SC17

25 Purpose of The Project
Creation of real-based biometric market
[Diagram labels: Guidelines for accuracy test; Vendors; Users; Proposal; Guidelines for requirements decision; guide for Design; Evaluation method; Valuation basis; Requirements decision]

26 Policy of Accuracy Test
(1) Objective evaluation for multiform products, various evaluators' "viewpoints" and individual tests
(2) Common basis with Europe and America
- Japanese accuracy test could be accepted
- Refer to proposals of NBTC about mathematical basis
(3) Focus on fingerprint based authentication systems

27 Classification of Functional Structures
[Diagram: three structures. Fingerprint Matcher: image enhancement, feature extraction, templates, matching functions, parameters; outputs a distance. Verification Device: fingerprint capture plus Fingerprint Matcher; outputs a distance. Authentication system: Verification Device plus decision function; outputs a result (True/False).]

28 Guidelines for accuracy tests
Test process: start → Fingerprint Collection → Verification → Accuracy Calculation (Accuracy Test Software)
Outputs
- ROC Curve
- Availability Rate
Definition of Test Items (Defined Items)
- Collection environment
- Number of fingers
- Number of fingerprints
- Experimental subjects
- Training to input finger
- Combination of genuine
- Combination of imposter
- Calculation methods
- Result description

29 Results Description
FMR & FNMR as ROC curve
- Calculated at each threshold or parameters
- Described by a logarithmic ROC curve
Availability rate
- Rate of persons who can use the product
[Figure: Distance Distribution: frequency versus distance (t), curves labelled Genuine, Imposter, h_i(t), h_g(t), with threshold Th and the FMR and FNMR regions]
[Figure: ROC Curve: False Non-Match Rate (FNMR) versus False Match Rate (FMR), logarithmic axes with ticks at 0.01% and 0.1%]
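The FMR/FNMR calculation at each threshold, as an added example (not code from the presentation or from the project's accuracy test software). The distance values are constructed, and the decision rule "accept when distance <= threshold" is an assumption consistent with a matcher that outputs a distance.

```python
from bisect import bisect_right

# Constructed sample data: matcher output distances for genuine and imposter
# comparisons. A smaller distance means a closer match.
GENUINE = [0.08, 0.11, 0.12, 0.15, 0.18, 0.21, 0.24, 0.30, 0.37, 0.52]
IMPOSTER = [0.28, 0.41, 0.47, 0.55, 0.58, 0.63, 0.66, 0.71, 0.79, 0.90]


def rates(genuine, imposter, threshold):
    """Return (FMR, FNMR) for the rule 'accept if distance <= threshold'."""
    g = sorted(genuine)
    i = sorted(imposter)
    false_matches = bisect_right(i, threshold)               # imposters accepted
    false_non_matches = len(g) - bisect_right(g, threshold)  # genuine rejected
    return false_matches / len(i), false_non_matches / len(g)


def roc_points(genuine, imposter):
    """Evaluate (threshold, FMR, FNMR) at every observed distance value."""
    thresholds = sorted(set(genuine) | set(imposter))
    return [(t, *rates(genuine, imposter, t)) for t in thresholds]


def threshold_for_fmr(genuine, imposter, max_fmr):
    """Pick the loosest observed threshold whose FMR does not exceed max_fmr.

    Returns (threshold, FMR, FNMR), or None when no observed threshold
    satisfies the bound. Loosening the threshold lowers FNMR, so the loosest
    admissible threshold gives the best usability for the required FMR.
    """
    admissible = [p for p in roc_points(genuine, imposter) if p[1] <= max_fmr]
    return max(admissible, key=lambda p: p[0]) if admissible else None


if __name__ == "__main__":
    for t, fmr, fnmr in roc_points(GENUINE, IMPOSTER):
        print(f"Th={t:.2f}  FMR={fmr:.0%}  FNMR={fnmr:.0%}")
    print("FMR = 0 operating point:", threshold_for_fmr(GENUINE, IMPOSTER, 0.0))
```

With 10 imposter comparisons the smallest non-zero FMR this can measure is 10%; resolving a rate such as 0.01% needs at least 10,000 imposter comparisons.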

30 Comparison with Best Practice

31 Comparison with Best Practice

32 Outline of the ORD Guideline
(1) The guidelines provide the methods to decide the requirements for application
(2) Investigation of applications using authentication
- 6 fields (Finance, Public, Medical, PD/Retail, Housing, etc.)
- Hearing from 50 users
(3) Application model leads requirements on usability
(4) Risk analysis leads requirements on security
ORD: Operating Requirements Decision

33 Security Level Classification
Levels run from Safety to Usability: (H), (M), (L)
Criterion
- (H): Very High Risk; Relation to Social Safety
- (M): High Risk; Relation to Social Trust
- (L): Low Risk; No necessary Security
Example Applications (in slide order, from the highest level down)
- Area Control in Nuclear Power Plant
- Area Control in Mint Bureau
- Access Control for Arms
- Area Control in Smart Card Issuer
- Access Control of CA's Private Key
- Area Control in Bank
- Immigration
- Access Control of Smart Card
- Debit/Credit Card
- Remote Banking
- Medical chart
- ATM
- DB in Enterprise
- PC Log in
- Entrance of Apartment
- Attendance of Office
- User Tracking
- Observing
FAR (ex.): % 1 %~ 0.01 % About 1%
Functional Requirements (Expression): FRR takes first priority; FRR; FAR takes first priority

34 Model Classification for Biometric Applications
① Access Control: authenticate value; Real Space → Protected Space (Physical or Electronic)
② Flow Control: Real Space → Electronic Space; flow of sanction (signature, seal); e-Doc
③ Tracking: authenticate ID, place, time; Real Space → Electronic Record (Log)
[Diagram axis: Safety, Usability]

35 Requirements Procedure of ORD
[Flow diagram labels: Start; Model Classification; Value Evaluation; Security Level Classification; Adjustment; Risk Analysis; Threats Analysis; Occurrence Rate; Safety Requirements; Usability Requirements; Functional Requirements Specification; Evaluation Report of device: A, B, C]

36 Japan Biometric Authentication Association
Object: To create the fair biometric market, JBAA
(1) Investigates problems of standardization of biometric authentication
(2) Proposes activities for standardization, promotes projects for common framework by academic, business, and governmental circles
Agenda
(1) Interoperability
- Investigation of standardization of data format and API
- Clarifying PKI model
(2) Performance
- Investigation of standardization for accuracy test
- Investigation of privacy and other compliance
(3) Assurance
- Investigation of security standardization and protection profiles
- Investigation of operating requirements decision guideline and proposal of a draft.
- Clarifying policy for examination of vulnerability

37 Activities of Technology WG of JBAA
Purpose
- System integrators/users can select appropriate biometric devices
Term
- Sep now
Members
- Hitachi, Omron, Oki, Mitsubishi, Computer Associates, Japan Telecom, NEC, Secure Generation, Sharp, Secom, Cyber Sign, Waseda University etc.
Outline of project
(1) Research of biometric technologies
(2) Discussion about problems of service/business model
(3) Comprehensive discussion about common technical problems for standardization
(4) Experiment to verify above problems

38 Privacy Consideration
- Biometric information can be easily stolen and forged → Vulnerability
- Biometrics is the ultimate privacy data
- Privacy protection in X9.84 is based on HIPAA (Healthcare Insurance Portability and Accountability Act).
- Act on the prohibition of unauthorized access to computer systems (Feb, 2000) bans dishonest acquisition and use of identification code. Biometrics fall under this category.
We should make a privacy guideline for biometric authentication systems and lead system integrators and operators to a better understanding of privacy.

39 Vulnerability Consideration
What is "vulnerability" for information systems?
- A characteristic of the system that causes the system not to meet its designed requirements.
Vulnerability for biometric authentication systems is:
- A characteristic that causes impersonation
- A characteristic that impedes system availability
For secure biometric authentication systems:
- Define all of the vulnerabilities of the system
- Define the risk of every vulnerable characteristic
- Define the countermeasure for each vulnerable characteristic
Need for definition of the vulnerability of biometric systems

40 Examples of The Vulnerability for Biometric Authentication Systems
Biometrics specific vulnerability
- False acceptance rate
- Artificial biometric object
- Hill-climbing attack
- etc.
Common vulnerability for information system: forgery or alteration of
- Template data of users
- Matching software
- Result of the matching
- Electronic biometric data
- etc.

41 Comparison of PKI/Biometrics Models
Client Model and Server Model, each with a Basic model and an Authentication server model
- Templates are stored in: Client (Client Model); BCA (Server Model)
- Verified in: Client (Client Model); Application or Authentication server (Server Model)
- Digital authentication in: Application or Authentication server (both models)
- Security requirements, Client Model: confidentiality in client; consistency with PKI
- Security requirements, Server Model: integrity of biometric info.; consistency with PKI
Suitable model should be selected according to various system requirements

42 Server Model (Basic Model)
PKI based authentication → Biometrics authentication
(1) Challenge code
(2) User signature, Certificate & biometrics
(3) Service
[Diagram labels: Client Terminal (input biometrics & sign; secret key, user certificate, biometric data); Application Server (verification of signature & biometrics; CA certificate, BCA certificate); CA (CRL); BCA (template database, user template, BCA template)]

43 Client Model (Basic Model)
Biometrics authentication → PKI based authentication
(1) Challenge code
(2) User signature & Certificate
(3) Service
[Diagram labels: Client Terminal (biometric verification & sign; secret key, user certificate, user template, biometric data); Application Server (signature verification; CA certificate); CA (CRL); BCA]

44 Biometric Authentication on Mobile Phones - Server Model -
① Challenge code
② Signature, Certificate, fingerprint data
③ Biometric Certificate
④ Service
[Diagram labels: Mobile phone (sign; UIM: secret key, certificate, CA certificate; biometric data); Base Station; Carrier Net; IP Network; Application Server (signature verification, biometric verification; CA certificate); BCA (Biometric Certificate Database)]

45 Biometric Authentication Authority (Japan Telecom)
① Access
② Authentication Request
③ Acquisition of Biometric Data
④ Authentication Request
⑤ Verification
⑥ Result
Biometrics: Signature, Fingerprint, Iris, Voice, Hand-geometry, Face
[Diagram labels: Client; EC Sites; Biometric Authentication Authority (Biometric Authentication Server, Verification Engine, Biometric DB); PKI Certificate Authority; Biometric Data]

46 Biometrics Campus (Mitsubishi Corp.)
[Diagram labels: Home Campus, Satellite Campus and Mobile Campus connected over the Intra-Campus LAN and the Internet to Authentication Servers. Facilities: Lecture Room, Labs / Computer Rooms, Library / Dormitory, Library System, COOP, Copy Machine, Safety Box, Vending Machine, Parking Lot, Issuing Machines for Certificates, Ticketing Center, Theater / Restaurant / Salon, Workflow System for office workers. Functions: User Authentication, Authorization, Authentication, Access Control, Access Control for Intra-campus LAN, Attendance On-line, On-line Registration / On-line inquiry, On-line Registration for Certificates / Student Discount, Application for Parking Lot, Cell. Phone User Authentication, ID Card (IC) Holder Authentication]

47 Study Items
■ Standardization
- Operating requirement decision guideline
- Privacy consideration
- Vulnerability consideration
- Authentication model (PKI + biometrics)
- etc.
■ Utilizing merits of biometrics
- Authentication without user's consciousness
- Authentication with user's feelings

