Trends of Biometrics Technology Standardization


1 Trends of Biometrics Technology Standardization
ITU-T Workshop on Security
Trends of Biometrics Technology Standardization
14 May 2002
Naohisa Komatsu, Waseda University, Japan
Copyright(C) 2002, All rights reserved. SDL, Hitachi, Ltd. and Waseda University.

2 Authentication process
[Diagram labels: user; user authentication; terminal; terminal authentication; network; system; cryptosystem]
・Knowledge-based: threat of forgetting (e.g. password)
・Possession-based: threat of loss (e.g. card)
・Individual characteristics: no threat of forgetting or loss (e.g. fingerprint, voice, handwriting)

3 Parameters for User Authentication
・knowledge: password ...... (threat of forgetting)
・possessions: key, ID card ...... (threat of loss)
・Individual characteristics (change through time passing)
  ・physiological characteristics: fingerprint, face, hand, eye
  ・behavioral characteristics: handwriting, voice, keystroke
[Figure: comparison of stored data with input data. Labels: a.; b.; "stored data = input data ?"; "stored data → personal features"; "input data → personal features"]

4 Characteristics of Biometrics (OMRON Corp.)
Each biometric has its own merits and demerits. There is no ideal biometric.
[Figure: biometrics plotted by accuracy (low to high) against acceptability (low to high), annotated with the distance between system and user; an "ideal" point is marked at high accuracy. Items shown: Iris, Retina, Pattern of vein, Fingerprint, Face, Hand geometry, Signature, Voice, Finger geometry. Accuracy marks: 10^-4%, 0.01%, 0.1%, 1%. Distance marks: 0.01m, 0.1m, 0.5m, 1~3m.]

5 The Standardization of Biometrics Technologies
・Why is standardization necessary?
・Data format (CBEFF) and Application Program Interface (BioAPI)
・Security requirements (X9.84)
・Accuracy test (Best Practice)

6 Needs of Standards
Standards for applying biometrics
・To accelerate fair competition by clarifying vulnerability and countermeasures.
  ・Accuracy test
・To reduce the cost of system development
  ・Application program interface
  ・Data format
・For effective development through common framework for biometric system.
  ・Common Criteria
  ・Privacy guideline

7 Goal of BioAPI & CBEFF
・Data interoperability: CBEFF
・Program interoperability: BioAPI

8 Purpose of BioAPI
Purpose
・Interoperability and development cost reduction of biometric authentication systems.
・Providing a high-level generic biometric authentication model
  ・Authentication/Identification, Server/Client
Scope
・Any form of biometric technology
・Enrollment, authentication, identification, database interface

9 History of BioAPI
・NIST merged HA-API, BAPI and BioAPI.
・I/O Software joined BioAPI consortium
[Timeline figure, 1997 to 2001~. Labels: HA-API 1.0; HA-API 2.0; BAPI 1.0; Former BioAPI DRAFT; BioAPI Specification Ver.1.0; BioAPI Specification Ver.1.1; BioAPI Reference Implementation Ver1.0 Beta; BioAPI Reference Implementation Ver1.1]
NIST: National Institute of Standards and Technology
HA-API: Human Authentication API

10 Outline of BioAPI Structure
Layers shown in the diagram, from top to bottom:
・Application
・API: Application Program Interface
・BioAPI Framework: middleware that mediates between API & SPI
  ・Reference implementation for Windows is available
・SPI: Service Provider Interface
・BSP: Biometrics Service Provider
  ・Biometric function provided by technology vendors
・Device: biometric device (fingerprint scanner, camera, etc...)

11 Outline of CBEFF
Purpose
・Interoperability between different systems.
・Accommodation to any biometric technology.
History
・Sponsor: NIST ITL, Biometrics Consortium
・Developing organization: CBEFF Technical Development Team
・Cooperating with BioAPI Consortium, X9.F4 Working Group, IBIA, TeleTrusT
Publication
・NISTIR6529 “Common Biometric Exchange File Format” (NIST, January 3, 2001)
NIST ITL: Information Technology Laboratory
IBIA: International Biometric Industrial Association

12 CBEFF Data Structure
Includes three blocks
・SBH (Standard Biometric Header)
  ・Header of CBEFF file
・BSMB (Biometric Specific Memory Block)
  ・Contains the biometric data
  ・Vendors can place any biometric data directly into this block
  ・Biometric information, template, original header, etc...
・SB (Signature Block)
  ・Contains signature or MAC for integrity
  ・Optional
[Diagram: SBH (Standard Biometric Header) | BSMB (Biometric Specific Memory Block) | SB (Signature Block)]
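An added example, not part of the original slides: a three-block record with an optional MAC in the signature block, showing why a verifier has to decide for itself whether the SB is mandatory. The byte layout (magic value, flag bit, length field, HMAC-SHA256) is a simplified assumption for illustration and is not the NISTIR 6529 field layout.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Hypothetical simplified layout (an assumption, NOT the NISTIR 6529 fields):
#   SBH : magic "CBF0" | flags (1 byte, bit 0 = SB present) | BSMB length (4 bytes)
#   BSMB: opaque vendor data (template, vendor header, ...)
#   SB  : HMAC-SHA256 over SBH || BSMB, present only when the flag is set
MAGIC = b"CBF0"
SBH_FMT = ">4sBI"
SBH_LEN = struct.calcsize(SBH_FMT)
FLAG_SB = 0x01
MAC_LEN = hashlib.sha256().digest_size


def pack_record(bsmb: bytes, mac_key: Optional[bytes] = None) -> bytes:
    """Build SBH + BSMB, and append the SB when a MAC key is supplied."""
    flags = FLAG_SB if mac_key else 0
    record = struct.pack(SBH_FMT, MAGIC, flags, len(bsmb)) + bsmb
    if mac_key:
        record += hmac.new(mac_key, record, hashlib.sha256).digest()
    return record


def parse_record(record: bytes, mac_key: Optional[bytes] = None,
                 require_sb: bool = True) -> bytes:
    """Return the BSMB after validating structure and, if present, the SB.

    require_sb is the verifier's own policy. The "SB present" flag lives in
    the record itself, so a record with the SB stripped and the flag cleared
    is structurally valid; only the policy check rejects it.
    """
    if len(record) < SBH_LEN:
        raise ValueError("truncated SBH")
    magic, flags, bsmb_len = struct.unpack(SBH_FMT, record[:SBH_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    has_sb = bool(flags & FLAG_SB)
    if len(record) != SBH_LEN + bsmb_len + (MAC_LEN if has_sb else 0):
        raise ValueError("length fields do not match record size")
    body = record[:SBH_LEN + bsmb_len]
    if has_sb:
        if mac_key is None:
            raise ValueError("SB present but no key to verify it")
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(record[-MAC_LEN:], expected):
            raise ValueError("SB verification failed")
    elif require_sb:
        raise ValueError("SB missing but required by policy")
    return body[SBH_LEN:]


if __name__ == "__main__":
    key = b"\x01" * 32                         # constructed sample key
    rec = pack_record(b"sample-template", key)  # constructed sample BSMB
    print(parse_record(rec, key))
```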

13 Relation Among Standardizations
The standardizations are progressing to convergence on BioAPI and CBEFF
[Diagram labels: BioAPI Specification ver.1.1 (2001/3); “CBEFF” NISTIR6529 (2001/1); BAPI, HA-API: merged into BioAPI; ANSI X9.84: adoption; ISO: considering adoption]
ANSI X9.84: Operating requirements for biometrics authentication systems for the financial industry

14 Outline of X9.84
・Approved in March, 2001 by committee on Financial Services, X9 and subcommittee on Information Security, X9F.
・A standard of biometric data management and security for financial biometric system.
・X9.84 specifies
  ・Security requirements of enrollment, verification/identification, storage, termination, etc...
  ・Template format compatible with CBEFF

15 Requirements of X9.84
Common requirements of data management in enrollment, verification/identification, storage, termination, etc...
・To maintain the integrity of biometric data and verification results
・To mutually authenticate between sender and receiver component of biometric data and verification results.
・To ensure the confidentiality of the biometric data

16 Initial Enrollment for Example
[Diagram: Enrollment Model. Labels: Data Collection; Signal Processing; Storage; Matching]
Mechanism and procedure shall be in place to
・Authorization to perform the enrollment process
・Authentication of the enrollee
・Maintain integrity and authenticity of templates
・Meet level 2 physical security requirement in a controlled environment and level 3 in an uncontrolled environment.

17 Outline of “Best Practice”
Purpose
・To provide the best method for the accuracy test of biometric system in real world
Scope
・Any biometrics and application
Features
・Experimental evaluation
・Three test methods depending on the aim of evaluation
  ・Technology evaluation: algorithm
  ・Scenario evaluation: Specific system assumed by an evaluator
  ・Operational evaluation: Running system
・Definition of experimental condition
  ・How to select subjects, to collect biometric data, to match them…
・Representation of performance
  ・ROC curve for accuracy
  ・Failure to enroll and acquire for usability
  ・Detailed report for repeatability

18 The Standardization of Biometrics Technologies in Japan
・Position of INSTAC/AIM/JBAA
・Activities of JBAA
・Operating Requirements Decision Guideline
・Vulnerability of Biometrics Technologies
・Biometrics and PKI
・Biometrics and Privacy

19 Standardization Activities in Japan
[Timeline figure, 1996 to 2002 onward. Labels: ECOM WG6 (V0.5; Evaluation criteria for biometrics authentication V1.0); IPA Project (Accuracy Test Guideline; ORD Guideline); Accuracy Test JIS-TR; JIS-TR; JBAA; 1994 CC V1.0; 1995 BS7799; BDPP, X9.84]
ECOM: Electronic Commerce Promotion Council of Japan
IPA: Information-technology Promotion Agency, Japan
INSTAC: Information Technology Research and Standardization Center
JIS: Japanese Industrial Standard
JBAA: Japan Biometric Authentication Association
CC: Common Criteria
BS7799: British Standard 7799
BDPP: Biometric Devices Protection Profile
ORD: Operating Requirements Decision

20 Position of INSTAC,AIM,JBAA
[Diagram labels: ASIA Committee; Bio WG Taiwan; Bio WG Malaysia; BEAM Consortium Singapore; Asia Biometrics Joint Meeting; Korea Biometrics Association (KBA); JBAA; AIMJ Biometrics Working Group; INSTAC/JSA; Biometrics Consortium; ISO/IEC SC17/SC27; EU/USA Committee; (International) Standardization]
BEAM: Biometrics EnAbled Mobile Commerce
INSTAC/JSA: Information Technology Research and Standardization Center / Japanese Standards Association
AIM: Automatic Identification Manufacturers Association, Japan
JBAA: Japan Biometric Authentication Association

21 How to Expand Biometrics Market?
(1) Accuracy? (Technology)
  ・Based on different methods and data for accuracy test
  ・Publication of the best results
  ・Standardization of accuracy test is important.
  ・IPA/Hitachi Project ’99 (16 companies)
(2) Cost effectiveness? (Business)
(3) User acceptability? (Social)
Solution for market creation is necessary.
・Image processing → Security technology
  ・Few examples
  ・Indefinite requirements for security, convenience, etc.
IPA: Information-Technology Promotion Agency, Japan

22 Outline of Complete Activities
・ECOM Personal Authentication WG, April/1996~March/1998
  Examine the scheme of the test and evaluation and the personal authentication model using biometrics (www.ecom.or.jp)
・IPA/Hitachi National Project, January/1999~December/1999
  Examine the standards scheme of accuracy test and operation requirements sponsored by IPA(MITI) (www.sdl.hitachi.co.jp/ipa_biotest/ipa/english.htm)
ECOM: Electronic Commerce Promotion Council of Japan
MITI: The Ministry of International Trade and Industry
IPA: Information-technologies Promotion Agency of Japan

23 Outline of Current Activities
Standardization activities are done in two organizations
(1) Biometrics WG of INSTAC/JSA
  “Make a Standardization of test and evaluation of biometrics device and system in Electronic Commerce application”
(2) Biometrics WG of AIM
  “Enlighten the biometrics technology and research the biometrics market”
(3) Biometrics WG of JBAA
  Discussion about implementation of “Biometric Authentication Authority” which provides network type biometric identification

24 Biometrics WG of INSTAC/JSA
Purpose
  The standardization of the biometrics authentication technologies is done in Electronic Commerce application
Members of WG
  Chairman: N. Komatsu (Waseda Univ.)
  Members: METI, Animo*, Casio, Fujitsu, Hitachi*, KDDI, Matsushita, MELCO, NEC, NTT-data*, OKI, Sony, Toshiba, etc.
  *: Working Group leader
Contents of activities
  (1) Draft Japanese Industrial Standards of Test and Evaluation (Physical and behavioral characteristics)
  (2) Liaison with ISO/IEC JTC1/SC17

25 Guidelines for requirements decision
[Diagram: Purpose of The Project. Labels: Guidelines for accuracy test; Guidelines for requirements decision; Vendors; Users; Proposal; guide for Design; Evaluation method; Valuation basis; Requirements decision; Creation of real-based biometric market]

26 Policy of Accuracy Test
(1) Objective evaluation for multiform products, various evaluators’ “viewpoints” and individual tests
(2) Common basis with Europe and America
  ・Japanese accuracy test could be accepted
  ・Refer to proposals of NBTC about mathematical basis
(3) Focus on fingerprint based authentication systems

27 Classification of Functional Structures
[Diagram: functional structures of an Authentication system, a Verification Device and a Fingerprint Matcher. Labels: Fingerprint; Fingerprint capture; Fingerprint Matcher (Image enhancement, Feature extraction, Templates, Matching functions); Output distance; Distance; Parameters; Decision function; Output result; Result (True/False)]

28 Definition of Test Items
Guidelines for accuracy tests: test process and defined items
・Fingerprint Collection
  ・Collection environment
  ・Number of fingers
  ・Number of fingerprints
  ・Experimental subjects
  ・Training to input finger
・Verification
  ・Combination of genuine
  ・Combination of imposter
・Accuracy Calculation
  ・Calculation methods
  ・Result description
    ・ROC Curve
    ・Availability Rate
[Diagram labels: start; Accuracy Test Software]

29 Results Description
FMR & FNMR as ROC curve
・Calculated at each threshold or parameters
・Described by a logarithmic ROC curve
Availability rate
・Rate of persons who can use the product
[Figures: Distance Distribution (Frequency against Distance (t); labels: Genuine, Imposter, hi (t), hg (t), Threshold Th, FMR, FNMR) and ROC Curve (False Non-Match Rate (FNMR) against False Match Rate (FMR); axis marks 0.1%, 0.01%)]
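An added example, not part of the original slides: FMR and FNMR computed at each threshold from genuine and imposter distance lists, plus the operating point for a given FMR ceiling. The distance values are constructed sample data, and the convention that a comparison matches when distance <= threshold is an assumption.

```python
from bisect import bisect_right

# Constructed sample distances (smaller = more similar); not measured data.
GENUINE = [0.08, 0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.31, 0.42]
IMPOSTER = [0.28, 0.35, 0.40, 0.45, 0.48, 0.52, 0.55, 0.58, 0.60, 0.63,
            0.66, 0.70, 0.72, 0.75, 0.78, 0.80, 0.83, 0.86, 0.90, 0.95]


def error_rates(genuine, imposter, th):
    """Return (FMR, FNMR) at threshold th.

    FMR  = share of imposter comparisons accepted (distance <= th)
    FNMR = share of genuine comparisons rejected (distance > th)
    """
    fmr = sum(d <= th for d in imposter) / len(imposter)
    fnmr = sum(d > th for d in genuine) / len(genuine)
    return fmr, fnmr


def roc_points(genuine, imposter):
    """Return (threshold, FMR, FNMR) at every observed distance value."""
    g, i = sorted(genuine), sorted(imposter)
    points = []
    for th in sorted(set(g + i)):
        fmr = bisect_right(i, th) / len(i)
        fnmr = (len(g) - bisect_right(g, th)) / len(g)
        points.append((th, fmr, fnmr))
    return points


def operating_point(genuine, imposter, max_fmr):
    """Largest observed threshold whose FMR stays within max_fmr.

    FNMR only falls as the threshold rises, so this is the lowest FNMR
    achievable under the FMR ceiling. Returns None if no threshold fits.
    """
    ok = [p for p in roc_points(genuine, imposter) if p[1] <= max_fmr]
    return max(ok, key=lambda p: p[0]) if ok else None


def min_measurable_rate(n_comparisons):
    """Smallest non-zero error rate a test with n comparisons can report.

    A measured 0% from 20 imposter comparisons says nothing about a
    0.01% requirement; that needs at least 10,000 imposter comparisons.
    """
    return 1 / n_comparisons


if __name__ == "__main__":
    for th, fmr, fnmr in roc_points(GENUINE, IMPOSTER):
        print(f"Th={th:.2f}  FMR={fmr:6.2%}  FNMR={fnmr:6.2%}")
    print("FMR <= 5%:", operating_point(GENUINE, IMPOSTER, 0.05))
```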

30 Comparison with Best Practice

31 Comparison with Best Practice

32 Outline of the ORD Guideline
(1) The guidelines provide the methods to decide the requirements for application
(2) Investigation of applications using authentication
  ・6 fields (Finance, Public, Medical, PD/Retail, Housing, etc.)
  ・Hearing from 50 users
(3) Application model leads requirements on usability
(4) Risk analysis leads requirements on security
ORD: Operating Requirements Decision

33 Security Level Classification
[Table: Safety Level (H), (M), (L), ranged between Usability and Safety]
Criterion
・(H) Very High Risk; Relation to Social Safety
・(M) High Risk; Relation to Social Trust
・(L) Low Risk; No necessary Security
Example Applications
・Area Control in Nuclear Power Plant
・Area Control in Mint Bureau
・Access Control for Arms
・Area Control in Smart Card Issuer
・Access Control of CA’s Private Key
・Area Control in Bank
・Immigration
・Access Control of Smart Card
・Debit/Credit Card
・Remote Banking
・Medical chart
・ATM
・DB in Enterprise
・PC Log in
・Entrance of Apartment
・Attendance of Office
・User Tracking
・Observing
FAR (ex.): 1%~0.01%; About 1%
Expression: FRR takes first priority; FRR; FAR takes first priority
Functional Requirements

34 Model Classification for Biometric Applications
・① Access Control
・② Flow Control
・③ Tracking
[Diagram labels: Real Space; Electronic Space; Protected Space (Physical or Electronic); Authenticate; Value; Signature; Seal; e-Doc; Flow of Sanction; Electronic Record (Log): ID, Place, Time; Safety; Usability]

35 Procedure of ORD
[Flowchart labels: Start; Model Classification; Functional Requirements; Specification; Threats Analysis; Value Evaluation; Occurrence Rate; Value; Risk Analysis; Security Level Classification; Usability Requirements; Safety Requirements; Adjustment; Report of device; Evaluation; Requirements; A; B; C]

36 Japan Biometric Authentication Association
Object
To create the fair biometric market, JBAA
・Investigates problems of standardization of biometric authentication
・Proposes activities for standardization, promote projects for common framework by academic, business, and governmental circles
Agenda
(1) Interoperability
  ・Investigation of standardization of data format and API
  ・Clarifying PKI model
(2) Performance
  ・Investigation of standardization for accuracy test
  ・Investigation of privacy and other compliance
(3) Assurance
  ・Investigation of security standardization and protection profiles
  ・Investigation of operating requirements decision guideline and proposal of a draft.
  ・Clarifying policy for examination of vulnerability

37 Activities of Technology WG of JBAA
Purpose - System integrators/users can select appropriate biometric devices
Term - Sep now
Members - Hitachi, Omron, Oki, Mitsubishi, Computer Associates, Japan Telecom, NEC, Secure Generation, Sharp, Secom, Cyber Sign, Waseda university etc.
Outline of project
  (1) Research of biometric technologies
  (2) Discussion about problems of service/business model
  (3) Comprehensive discussion about common technical problems for standardization
  (4) Experiment to verify above problems

38 Privacy Consideration
・Biometric information can be easily stolen and forged → Vulnerability
・Biometrics is the ultimate privacy data
・Privacy protection in X9.84 is based on HIPAA (Health Insurance Portability and Accountability Act).
・Act on the prohibition of unauthorized access to computer systems (Feb, 2000) bans dishonest acquisition and use of identification code. Biometrics fall under this category.
・We should make a privacy guideline for biometric authentication systems and lead system integrators and operators to a better understanding of privacy.

39 Vulnerability Consideration
What’s “Vulnerability” for information systems?
・A characteristic of the system that causes the system not to perform the requirement designed.
Vulnerability for biometric authentication systems is…
・A characteristic that causes impersonation
・A characteristic that causes the impediment of the system availability
For secure biometric authentication systems
・To define all of the vulnerabilities of the system
・To define the risk of every vulnerable characteristic
・To define the countermeasure for the vulnerable characteristics
Need for definition of the vulnerability of biometric systems

40 Examples of The Vulnerability for Biometric Authentication Systems
Biometrics specific vulnerability
・False Acceptance rate
・Artificial biometric object
・Hill-climbing attack
・etc…
Common vulnerability for information system
・Forgery or alteration of
  ・Template data of users
  ・Matching software
  ・Result of the matching
  ・Electronic Biometric data

41 Comparison of PKI/Biometrics Models
[Table: Client Model compared with Server Model (Basic model, Authentication server Model). Rows: Templates are stored in (Client; BCA); Verified in (Application; Authentication server); Digital authentication in; Security Requirements (Confidentiality in client, Consistency with PKI; Integrity of biometric info., Consistency with PKI)]
Suitable model should be selected according to various system requirements

42 Server Model (Basic Model)
PKI based authentication → Biometrics authentication
Messages between Client Terminal and Application Server:
(1) Challenge code
(2) User signature, Certificate & biometrics
(3) Service
[Diagram labels: CA; User Certificate; CA Certificate; Secret key; BCA Certificate; CRL; Biometric Data; Input biometrics & Sign; Verification of Signature & Biometrics; User Template; BCA; Template Database; Client Terminal; Application Server]

43 Client Model (Basic Model)
Biometrics authentication → PKI based authentication
Messages between Client Terminal and Application Server:
(1) Challenge code
(2) User signature & Certificate
(3) Service
[Diagram labels: CA; User Certificate; Secret key; CA Certificate; Biometric Data; CRL; Biometric Verification & Sign; Signature Verification; User Template; BCA; Application Server; Client Terminal]

44 Biometric Authentication on Mobile Phones
- Server Model -
① Challenge code
② Signature, Certificate, fingerprint data
③ Biometric Certificate
④ Service
[Diagram labels: Mobile phone; UIM; Secret key; Sign; Biometric Data; Certificate; Base Station; Carrier Net; IP Network; Application Server; CA Certificate; Signature Verification; Biometric Verification; BCA; Biometric Certificate Database]

45 PKI Certificate Authority
Biometric Authentication Authority (Japan Telecom)
① Access
② Authentication Request
③ Acquisition of Biometric Data
④ Authentication Request
⑤ Verification
⑥ Result
[Diagram labels: Client; EC Sites; Biometric Data; Biometric Authentication Authority (Biometric Authentication Server, Verification Engine, Biometric DB); PKI Certificate Authority]
Biometrics: Signature, Fingerprint, Iris, Voice, Hand-geometry, Face, ・・・

46 Biometrics Campus (Mitsubishi Corp.)
[Diagram labels: User Authentication; Holder Authentication; COOP; Issuing Machines for Certificates; Safety Box; Parking Lot; Vending Machine; Copy Machine; ID Card (IC); Intra-Campus LAN; Servers; Workflow System for office workers; Lecture Room; Labs/Computer Rooms; Library/Dormitory; Library System; Authentication Servers; Home Campus; Access Control for Intra-campus LAN; Authorization; Attendance; Access Control; Authentication; On-line Attendance; Internet; Mobile Campus; On-line Registration/On-line inquiry; Cell. Phone; Theater/Restaurant/Salon; Ticketing Center; Application for Parking Lot; Satellite Campus; On-line Registration for Certificates/Student Discount; Student Discount]

47 Study Items
■Standardization
・Operating requirement decision guideline
・Privacy consideration
・Vulnerability consideration
・Authentication model (PKI+biometrics)
・etc.
■Utilizing merits of biometrics
・Authentication without user’s consciousness
・Authentication with user’s feelings

