Biometric Use Case Models for Personal Identity Verification

Similar documents
IAB Minutes Page 1 of 6 April 18, 2006

TWIC Readers What to Expect

Match On Card MINEX 2

Physical Access Control Systems and FIPS 201

Interagency Advisory Board Meeting Agenda, February 2, 2009

Interagency Advisory Board Meeting Agenda, Wednesday, May 23, 2012

Multiple Credential formats & PACS Lars R. Suneborn, Director - Government Program, HIRSCH Electronics Corporation

FIPS and NIST Special Publications Update. Smart Card Alliance Webinar November 6, 2013

Revision 2 of FIPS 201 and its Associated Special Publications

Interagency Advisory Board Meeting Agenda, Wednesday, February 27, 2013

Transportation Worker Identification Credential (TWIC) Steve Parsons Deputy Program Manager, TWIC July 27, 2005

Strategies for the Implementation of PIV I Secure Identity Credentials

Interagency Advisory Board Meeting Agenda, March 5, 2009

Securing Federal Government Facilities A Primer on the Why, What and How of PIV Systems and PACS

AWARD TOP PERFORMER. Minex III FpVTE PFT II FRVT PRODUCT SHEET. Match on Card. Secure fingerprint verification directly on the card

IMPLEMENTING AN HSPD-12 SOLUTION

IAB Minutes Page 1 of 6 January 18, 2006

Considerations for the Migration of Existing Physical Access Control Systems to Achieve FIPS 201 Compatibility

PIV Data Model Test Guidelines

Secure Solutions. EntryPointTM Access Readers TrustPointTM Access Readers EntryPointTM Single-Door System PIV-I Compatible Cards Accessories

Secure Government Computing Initiatives & SecureZIP

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Interagency Advisory Board (IAB) Meeting. August 09, 2005

(PIV-I) Trusted ID across States, Counties, Cities and Businesses in the US

Using the Prototype TWIC for Access A System Integrator Perspective

Secure Lightweight Activation and Lifecycle Management

TWIC / CAC Wiegand 58 bit format

Physical Access Control Systems and FIPS 201 Physical Access Council Smart Card Alliance December 2005

000027

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Paul A. Karger

Identiv FICAM Readers

CREDENTSYS CARD FAMILY

TWIC Reader Technology Phase

No More Excuses: Feds Need to Lead with Strong Authentication!

CBEFF. Common Biometric Exchange Formats Framework. Catherine Tilton. 6 March W3C Workshop on SIV

Single Secure Credential to Access Facilities and IT Resources

Biometric Center of Excellence (BCOE)

Unified PACS with PKI Authentication, to Assist US Government Agencies in Compliance with NIST SP (HSPD 12) in a Trusted FICAM Platform

I N F O R M A T I O N S E C U R I T Y

Smart Card Alliance Comments and Considerations on Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance

The Match On Card Technology

Interfaces for Personal Identity Verification Part 1: PIV Card Application Namespace, Data Model and Representation

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Quantitative Tests Supporting Standardized Biometric Data for Large Scale Identity Management

Interagency Advisory Board Meeting Agenda, Tuesday, November 1, 2011

State of the Industry and Councils Reports. Access Control Council

TWIC Reader Hardware And Card Application Specification May 30, 2008

Mobile ID, the Size Compromise

Changes to SP (SP ) Ketan Mehta NIST PIV Team NIST ITL Computer Security Division

An Overview of Draft SP Derived PIV Credentials and Draft NISTIR 7981 Mobile, PIV, and Authentication

I N F O R M A T I O N S E C U R I T Y

Biometrics. Overview of Authentication

I N F O R M A T I O N S E C U R I T Y

ISO/IEC INTERNATIONAL STANDARD. Information technology Biometric data interchange formats Part 4: Finger image data

Interagency Advisory Board Meeting Agenda, February 2, 2009

FiXs - Federated and Secure Identity Management in Operation

Velocity Certificate Checking Service Installation Guide & Release Notes

Guidelines for the Use of PIV Credentials in Facility Access

Biometrics & Smart Cards In Use Today

TWIC Transportation Worker Identification Credential. Overview

Leveraging HSPD-12 to Meet E-authentication E

Client Certificate Authentication Guide

NFC Identity and Access Control

Meeting the requirements of PCI DSS 3.2 standard to user authentication

Biometric Specifications for Personal Identity Verification

Version 3.4 December 01,

DHS ID & CREDENTIALING INITIATIVE IPT MEETING

Mandate. Delivery. with evolving. Management and credentials. Government Federal Identity. and. Compliance. using. pivclasss replace.

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop. Scalability: Dimensions for PACS System Growth

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD. Information technology Biometric data interchange formats Part 2: Finger minutiae data

NIST Tests Supporting Biometric Identification Applications

CSCE 548 Building Secure Software Biometrics (Something You Are) Professor Lisa Luo Spring 2018

Overview of cryptovision's eid Product Offering. Presentation & Demo

Overview of ANSI INCITS Fingerprint Standards on Data Interchange Format. Robert Yen DoD Biometrics Management Office 4 October, 2005

ID-One PIV (Type A) FIPS Security Policy. (PIV Applet Suite on ID-One Cosmo V7-n) Public Version

Managing PIV Life-cycle & Converging Physical & Logical Access Control

L-1 Fingerprint Reader Solutions. V-Flex 4G

Client Certificate Authentication Guide. June 28, 2018 Version 9.4

Helping Meet the OMB Directive

Role of Biometrics in Cybersecurity. Sam Youness

Technical Implementation Guidance: Smart Card Enabled Physical Access Control Systems Draft Version 2.3E

g6 Authentication Platform

There is an increasing desire and need to combine the logical access and physical access functions of major organizations.

US Federal PKI Bridge. Ram Banerjee VP Vertical Markets

PKI and FICAM Overview and Outlook

Strategies for the Implementation of PIV I Secure Identity Credentials

DATA SHEET. ez/piv CARD KEY FEATURES:

CA3000 Plug-in Manual. Codebench, Inc 6820 Lyons Technology Circle Ste. 140 Coconut Creek, FL 33073

Using PIV Technology Outside the US Government

CIS 4360 Secure Computer Systems Biometrics (Something You Are)

DIGITAL AUTHENTICATION FOR MICROSOFT WINDOWS PCS

DMDC Card Technologies & Identification Systems Division. Evaluation of NIST SP End State Reference Implementation. Version 1.

pivclass FIPS-201 Reader Operation and Output Selections APPLICATION NOTE , F.0 February Barranca Parkway Irvine, CA 92618

EU Passport Specification

Smart Card and Biometrics Used for Secured Personal Identification System Development

Office of Transportation Vetting and Credentialing. Transportation Worker Identification Credential (TWIC)

Applying biometric authentication to physical access control systems

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Transcription:

Biometric Use Case Models for Personal Identity Verification Walter Hamilton International Biometric Industry Association & Saflink Corporation Smart Cards in Government Conference Arlington, VA April 19, 2006 1

FIPS 201 Biometric Requirements Ten fingerprint images are captured at enrollment Sent to FBI for criminal history records check Fingerprint capture device must comply with FBI standards Strict image quality guidelines must be met for enrolled images Images are used to generate templates for PIV card Biometric templates stored on PIV card are required for interoperability of PIV authentication between agencies Mandatory storage of minutiae templates from two index fingerprints Alternative fingers are allowed if index fingers cannot be imaged Templates generated by segmenting images from 10-print enrollment Discussion will focus on operational use of biometric for authentication 2

Biometrics in FIPS 201 FIPS 201-1 Standard for Federal Personal Identity Verification (PIV) SP 800-73-1 - Technical Specification and Interfaces for PIV Card SP 800-76 - Biometric Data Specification SP 800-78 - Cryptographic Algorithms and Key Sizes SP 800-79 - Guidelines for Certification and Accreditation of PIV Card Issuing Organizations SP 800-85 - Guidelines for Conformance Testing of PIV Middleware and PIV Card Application SP 800-87 - Codes for Federal and Federally-Assisted organizations 3

Fingerprint Minutiae Template Maps the points where ridges start/stop or branch NIST standard data format based on ANSI/INCITS 378 Fingerprint Minutiae Data Interchange Standard Defines specific format option called MIN A Fraction of the size of compressed images (<1K) 4

SP 800-76 Sec. 1.2 states:..for both logical and physical access applications, and for applications using biometric data stored either on or off the PIV Card, this document neither requires nor precludes the use of: 1. The PIV Card fingerprint templates; 2. Specific authentication paradigms such as match-on-card; 3. Data from other biometric modalities (e.g., hand geometry, iris, etc.); 4. Data formatted according to other standards; 5. Data whose format is proprietary or otherwise undisclosed. 5

SP 800-76 (cont.) Alternative biometric modalities and/or paradigms may be used for intra-agency authentication under FIPS 201 Such implementations may not be interoperable with other agencies Alternative biometric modalities could include fingerprint, hand geometry, iris, face, etc. Alternative biometric paradigms could include Store biometric template off card Store biometric template on card in agency-specific container Match on card Etc. 6

Access to Standard Template is Restricted Under FIPS 201 Interoperable fingerprint templates can only be read through the contact interface following entry of a PIN However, the card holder unique ID (CHUID) can be read from the contactless interface and without a PIN Use of contact readers and PIN entry may not be appropriate for some physical access control systems (PACS) due to throughput requirements Use of contact readers in environments exposed to the weather may not be practical 7

Biometric Use Case Models for Physical Access 8

Match Off Card to Standard Fingerprint Template Stored On Card Insert card in contact reader Enter 6-digit PIN Scan fingerprint of cardholder Read templates from PIV card Match template off card to template stored on card Matching takes place in reader, panel or server Plus: Any PIV card will work No need for biometric network or external database Minus: Slower throughput Card wear & exposure to dust, moisture, etc. Limited to fingerprint biometrics using standard template format 9

Match Off Card to Alternative Biometric Template Stored Off Card Read CHUID through contactless interface Scan biometric of cardholder (could be any biometric) Match live template off card to template stored off card CHUID is index pointer to stored template Templates stored in reader, panel or server Matching takes place in reader, panel or server Plus: Faster throughput Choice of biometric modalities & template formats Any PIV card will work Contactless reader eliminates wear & environment issues Minus: Requires network and external database Requires separate biometric enrollment to external database 10

Match Off Card to Alternative Biometric Template Stored On Card Read biometric on card through contactless interface Template stored in agency-specific container on PIV card Scan biometric of cardholder (could be any biometric) Match live template off card to template stored on card Matching takes place in reader, panel or server Plus: Faster throughput Contactless reader reduces wear & weather concerns No need for biometric network and external data base Minus: Requires separate biometric enrollment on PIV card Issue of writing biometric to card issued by other agencies 11

Match On Card to Alternative Biometric Template Stored On Card Insert card in contact reader or present card to contactless reader Scan biometric of cardholder (could be any biometric) Match live template on card to template stored on card Template stored in agency-specific container on PIV card Matching takes place within logic of smart card Plus: No PIN entry required No need for biometric network and external data base Enrollment template never leaves PIV card Minus: Requires separate biometric enrollment on PIV card Issue of writing biometric to card issued by other agencies MOC currently limited to proprietary templates 12

Biometrics for Logical Access 13

Network Authentication FIPS 201 defines PKI as the required authentication method for logical access PKI requires contact interface and PIN entry to exercise private key for cardholder authentication Biometrics could be an additional authentication factor for very high security environments 3-factor authentication PIV Card, PIN and biometric 14

Network Authentication (Cont.) Biometrics as an additional authentication mechanism for logical access could be implemented in any paradigm or modality Finger, face, iris, hand, etc. Match on card, Match off card Store on card, store off card Since PKI is mandated for logical access, the only advantage to using biometrics is additional security No convenience or throughput benefits 15

IBIA Recommendations to NIST For Physical Access Control Applications: Remove PIN requirement for reading interoperable fingerprint templates on PIV card Allow access to interoperable fingerprint templates through the contactless interface If recommendations adopted, would further encourage the operational use of interoperable biometrics to meet HSPD-12 objectives for interoperability, security and rapid authentication 16

Rationale for Recommendations Physical access control not well suited for contact cards due to environmental and throughput issues NIST removed PIN requirement for access to certificate in SP 800-73-1 Rationale: Privacy issues no longer considered significant A similar privacy rationale exists for fingerprint templates Minutiae templates cannot be used to reconstruct the original image Are fingerprints secrets anyway? Compromised enrollment template is of little use No practical way to introduce the template back into the system Physical finger must be in contact with the reader for authentication Enrollment templates are digitally signed with a type designation Attempting to send an enrollment template as a verification template would be rejected as an invalid data object 17

Conclusions FIPS 201 allows a lot of flexibility in implementing biometric authentication for intra-agency access control Given restrictions on use, interoperable templates may only be practical for use at visitor control centers to bind a visiting agency employee to the PIV card Consider the use of alternative biometrics particularly for physical access control systems 18

Contact Information International Biometric Industry Association 1666 K Street, NW - Suite 1200 Washington, D.C. 20006 Tel (202) 293-8133 Fax (202) 503-0985 ibia@ibia.org www.ibia.org Walter Hamilton Saflink Corporation Tel (425) 503-0985 whamilton@saflink.com www.saflink.com 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback