
5/12/2018 Ref_14_18p_Biometric Management and Security for the Financial Sevices Industy-X984 - slidepdf.com

http://slidepdf.com/reader/full/ref1418pbiometric-management-and-security-for-the-financial-sevices-industy-x984 1/18

ANSI X9.84

Biometric Management and Security for the Financial Services Industry

Jeff Stapleton, chair, KPMG, [email protected]

Judith Markowitz, J. Markowitz, Consultants, [email protected]

ANSI X9F4 Working Group


X9F4 Working Group, November 8, 2000

What is X9.84?

- Standard of the American National Standards Institute (ANSI)
- Focuses on management of the biometric data across its life cycle
- Covers enrollment, verification, and identification
- Primary industry focus is financial services
- Developed in collaboration with other standards efforts


Where Does X9.84 Fit?

[Diagram: placement of X9.84 among standards bodies]
- ISO
- Accredited Standards Committee, Financial Services Industry
- NCITS B10, Identification Cards and Related Devices (www.ncits.org)


Where Does X9.84 Fit?

ANSI (www.x9.org)
- X9A - Retail Banking Subcommittee
- X9B - Check Processing Subcommittee
- X9D - Securities Subcommittee
- X9F - Information and Data Security Subcommittee
  - X9F1 - Cryptographic Tools
  - X9F3 - Cryptographic Protocols
  - X9F4 - Cryptographic Applications
    - X9.84 Biometric Management and Security for the Financial Services Industry
  - X9F5 - Certificate Policy and Procedures
  - X9F6 - Cardholder Authentication and ICC


Interested ISO Committees

- Technical Committee 68 - Financial Industry
  - Subcommittee 2 - Information Security
- ISO/IEC Joint Technical Committee One (JTC1)
  - Subcommittee 17 - Passports and Identification Cards


Collaborative Standards Activities

BioAPI (www.bioapi.org)
Biometric API - vendor, biometric, and operating system independent API. Version 1.0 released April 2000. Participants from the biometrics industry, software developers, and system integrators.

CBEFF (www.nist.gov/cbeff)
Common Biometric Exchange File Format - enables interoperability of biometric-based application programs and systems from different vendors.


Collaborators

[Diagram: X9.84 and its collaborators - BioAPI (Biometric Service Provider (BSP) API), NIST/ITL CBEFF (Common Biometric Exchange File Format), and NCITS B10]


Other Standards Activities

ECTF (www.ectf.org)
Enterprise Computer-Telephony Forum (ECTF) Speaker Recognition Resource for the ECTF's S.100 Interface. They have an architecture for computer-telephony; S.100 is the API of the architecture.

BAPI (www.iosoftware.com)
Microsoft & I/O Software API - API for computing devices.

SVAPI
Speaker Verification API (SVAPI) - disbanded.


What is X9.84?

- Security of biometric data across its life cycle
- Management of the biometric data across its life cycle
- Usage of biometric technology for identifying and authenticating banking customers and employees
- Application of biometric technology for physical and logical access controls
- Encapsulation of biometric data
- Techniques for securely transmitting biometric data
- Security of the physical hardware used throughout the biometric life cycle


Security Services

- Confidentiality - protection of data against unauthorized disclosure
- Authentication - protection against unauthorized access / authorization to data
- Integrity - protection of data against unauthorized modification / substitution
- Non-repudiation - authentication and integrity provable to a third party
- Access Control = Authentication + Authorization


Security Requirements

1. The biometric system must prevent captured biometric data from being introduced into the system through fake, system-attached, biometric capture devices.
2. The biometric system must ensure that biometric data can be introduced into the system only through authorized interfaces using prescribed procedures.

* Source: A Biometric Standard for Information Management and Security


Security Requirements

3. The biometric system must implement protection mechanisms (controls and procedures) to detect or deter the synthetic biometric feature attack.
4. Where necessary, the biometric system must implement protection mechanisms (controls and procedures) to prevent the exposure or loss of biometric data.

* Source: A Biometric Standard for Information Management and Security


Security Requirements

5. The biometric system must implement protection mechanisms (controls and procedures) to ensure that the enrollment process is a well-defined
6. The biometric system must restrict access to the templates;
   - it must restrict the ability of an attacker to reconstruct the template database from intercepted biometric data (samples or templates);
   - it must restrict the ability of an attacker to issue verification requests against data in the template database.

* Source: A Biometric Standard for Information Management and Security


X9.84 Approach

Biometric data should be managed so that
- integrity is the highest security requirement
- unauthorized disclosure of biometric data should not compromise the system or the individual

NOTE: Biometric data are not inherently confidential or secret. Therefore, biometric data may still be encrypted to protect the system for reasons of individual privacy issues.

* Source: X9.84 Biometric Information Management and Security


X9.84 Requirements

1. Mechanisms ... to maintain the integrity of biometric data and verification results between any two components:
   - cryptographic mechanisms such as a digital signature,
   - physical protection where no transmission is involved and all components reside within the same tamper resistant unit.
2. Mechanisms ... to authenticate the source of the biometric data and verification results, between the sender and receiver component:
   - cryptographic mechanisms such as a digital signature,
   - physical protection where no transmission is involved and all components reside within the same tamper resistant unit.
3. If desired, mechanisms ... to ensure the confidentiality of the biometric data during transmission.

* Source: X9.84 Biometric Information Management and Security
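The integrity and source-authentication requirements above (X9.84 requirements 1 and 2) and the earlier security requirements 1 and 2 (biometric data accepted only from authorized capture devices through authorized interfaces) can be demonstrated together. The following is an added example, not code from X9.84 or the X9F4 working group: it uses a keyed MAC (HMAC-SHA256 from the Python standard library) as a stand-in for the digital signature the standard names, and the device table, key values, envelope fields and sequence-number replay check are assumptions of this example.

```python
import hmac
import hashlib

# Constructed for this example: the receiving component (e.g. the matcher)
# holds one MAC key per capture device it is authorized to accept data from.
# X9.84 does not prescribe this table, these key values or the envelope below.
AUTHORIZED_DEVICE_KEYS = {
    "capture-01": b"\x11" * 32,
    "capture-02": b"\x22" * 32,
}

def protect(device_id: str, key: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: MAC over device id, sequence number and the biometric
    payload (sample or verification result) so the receiver can check both
    integrity (requirement 1) and source (requirement 2)."""
    header = f"{device_id}|{seq}|".encode()
    tag = hmac.new(key, header + payload, hashlib.sha256).hexdigest()
    return {"device": device_id, "seq": seq, "payload": payload.hex(), "tag": tag}

class Receiver:
    """Receiver side: accepts data only from known devices, with a valid MAC
    and a strictly increasing sequence number (a replayed capture is refused)."""
    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}

    def accept(self, msg: dict) -> tuple:
        key = self.keys.get(msg["device"])
        if key is None:                      # not an authorized interface
            return (False, "unknown device")
        header = f"{msg['device']}|{msg['seq']}|".encode()
        expected = hmac.new(key, header + bytes.fromhex(msg["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return (False, "bad tag")        # modified or forged in transit
        if msg["seq"] <= self.last_seq.get(msg["device"], -1):
            return (False, "replay")         # old capture re-injected
        self.last_seq[msg["device"]] = msg["seq"]
        return (True, "ok")

def demo() -> dict:
    """Four cases: genuine, tampered payload, unknown device, replay."""
    rx = Receiver(AUTHORIZED_DEVICE_KEYS)
    sample = b"constructed-fingerprint-template-bytes"   # constructed payload
    genuine = protect("capture-01", AUTHORIZED_DEVICE_KEYS["capture-01"], 1, sample)
    tampered = dict(genuine, payload=(b"X" + sample[1:]).hex())
    rogue = protect("rogue-99", b"\x99" * 32, 1, sample)  # device not in table
    return {"genuine": rx.accept(genuine), "tampered": rx.accept(tampered),
            "fake_device": rx.accept(rogue), "replay": rx.accept(genuine)}
```

A shared-key MAC cannot give the non-repudiation listed under Security Services; the digital signature the standard names would, at the cost of key distribution for the verifying component.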


X9.84 Architecture

[Diagram: biometric system components - Data Collection, Signal Processing, Matching (Score), Storage, Decision (Yes/No), adaptation, and Application - with three architecture boundaries A, B and C]

Architecture
- A is storage only, all other components are external
- B input device and application are external
- C includes all components and application

* Source: X9.84 Biometric Information Management and Security


What Is X9.84's Current Status?

- Work started in 1998
- Approved by X9F4 in April 2000
- Sent to X9 for a vote
- 30 day public review
- ANSI is going to submit X9.84 for new ISO standard
- New ISO working group (WG10) created to review X9.84. US will chair it and UK, Germany, Japan, and (maybe) Canada are among the participants.


Contact Information

[1] X9F4 - Judith Markowitz [email protected]; Jeff Stapleton [email protected]
[2] ANSI X9 - www.x9.org
[3] NCITS B10 - www.ncits.org
[4] Common Biometric Exchange File Format (CBEFF) - www.nist.gov/cbeff
[5] BioAPI - www.bioapi.org
[6] Biometric Consortium - www.biometrics.org
[7] International Biometric Industry Association (IBIA) - www.ibia.org
[8] Enterprise Computer-Telephony Forum (ECTF) - www.ectf.org
[9] BAPI - www.iosoftware.com