Card, mobile credential, payment and security
By Russ Ryan, Vice President, National Biometric Security Project
Numerous national and civilian security applications will see improvement in functionality because of newly published biometric standards. Biometrically enabled passports will be made more robust because of new standards that define a general specification for physical characteristics, layout and security. A new FBI Electronic Fingerprint Transmission Specification standard helps ensure the reliability and quality of fingerprints submitted to the FBI. A new biometrics standard for financial services defines the security framework for using biometrics for authentication of individuals in financial services transactions. Additionally, a new testing methodology standard provides specific details on methods and techniques for conducting scenario or technology tests.
As biometrics become an evermore critical component of next generation identity assurance and risk management systems deployed in the protection of the civil infrastructure and personal identity, the continued development of comprehensive biometric standards is vital to ensure interoperability, scalability, usability, reliability and security.
Before we look at the structure of biometric standards let us quickly review the key standards bodies. Figure 1 illustrates many of the national and international standards bodies that contribute to standards development. For the purposes of this article we will focus on a few key organizations.
The International Organization for Standardization (ISO) is the world's largest developer of standards. It is composed of representatives from the national standards bodies of approximately 150 countries with a central secretariat based in Geneva, Switzerland.
The International Electrotechnical Commission (IEC) was one of the first standards bodies to be established, founded in 1906. Its mandate is to prepare and publish international standards for all electrical, electronic and related technologies. In the information technology arena, which includes biometrics, most of this work is done in conjunction with ISO through Joint Technical Committed (JTC) 1.
ISO/IEC Joint Technical Committee 1 (JTC 1) is a cooperative effort between ISO and IEC. This committed covers all standardization within the arena of information technology. It has multiple subcommittees (SCs), several of which cover biometrics. SC 17 is responsible for cards and personal identification and thus is particularly focused on the application of biometrics to smart cards and travel documents. SC 27 is responsible for IT security techniques and thus is focused on security issues and implication around biometrics. SC 37, however, holds the main responsibility for biometrics.
ISO/IEC JTC 1 - Subcommittee 37 "Biometrics" (SC 37) is the subcommittee of JTC 1 that has the primary responsibility for developing international biometric standards. Its scope of work is defined as "Standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks; biometric application programming interfaces; biometric data interchange formats; related biometric profiles; application of evaluation criteria to biometric technologies; methodologies for performance testing and reporting and cross jurisdictional and societal aspects." SC 37 is the international counterpart of the U.S.'s INCITS M1 body.
International Committee for Information Technology Standards (INCITS) is the primary U.S. standardization body in the field of information and communications technologies. This includes information storage, processing, transfer, display, management, organization, and retrieval. INCITS has a number of Technical Committees (TCs) that lead standards development efforts in various areas. In fact, there are more than 30 TCs within INCITS, including several that touch on biometric standards. The TC that focuses most prominently on the development of biometric standards is known as M1.
INCITS Technical Committee M1 Biometrics (M1) works to ensure a high priority, focused, and comprehensive approach to the rapid development and approval of formal national and international generic biometric standards. M1 is the U.S. Technical Advisory Group (TAG) to its counterpart in the international arena, SC 37.
The Structure of Biometric StandardsIt is helpful to think of biometric standards as a series of layers, like those of an onion. Starting at the center, the first four layers cover those standards of direct relevance to biometric system developers and companies. The next layer deals with the interfaces, which link the biometric components to the rest of the system. The outer two layers define how we deal with biometrics in terms of privacy, legal issues, and even the language we use to describe it. Finally, there are the thin shells that separate and surround each layer. These represent the conformance standards, which describe exactly how adherence to each of the other standards can be measured.
The inner core of the onion comprises the biometric data interchange formats. These define the basic format of biometric images or templates and tell the technology manufacturers how to format data from their systems or interpret data coming into their systems.
The next layer is the logical data structure or exchange format framework that is used to wrap the biometric data so that systems receiving a file know how to interpret the different data fields that may be associated with the biometric data. These might include demographic information or a digital signature to verify that the data packet has not been tampered with.
Data Security
Once the core biometric data in a standardized form has been wrapped in a standardized file format, it may be necessary to protect the data. This may involve the use of digital signatures and other encryption techniques.
System Properties
The next layer involves the properties of the biometric system. One of these is the performance of the biometric system, which is fundamental to deployment decisions. If the biometric system cannot enroll a sufficient percentage of the target population or if its ability to correctly match biometric samples from the same person without falsely matching samples from different people is insufficient, then the system is unsuitable for deployment. Significant progress has been made in advancing biometric performance testing standards, both in the US and internationally, over the last year and several standards will be ready to publish in the near future.
One of the key purposes of biometric standards is to allow interoperability among components and systems involving biometrics. Performance based interoperability testing is thus important because it allows a determination not simply of the fact that two systems can work together but of how well they work together, which is critical for system design and procurement decisions.
Biometric interfaces form the next layer. These are the interfaces between the core biometric systems, represented by the inner four layers of the onion, and the outside world. As interface standards continue to develop, it will be important to ensure that there is proper coordination between the biometrics experts and the experts in other areas of information technology, ensuring that the technical interfaces being developed adequately reflect modern system design principles and requirements.
The final two layers of the onion represent the outside world and how we deal with biometrics as a general subject. A harmonized biometric vocabulary allows different groups to avoid miscommunication when discussing biometrics. General industry practice has accepted particular usages of certain terms, so that even if they are not agreed upon in a standard, there is a de facto agreement outside the standards process.
Societal and cross-jurisdictional issues involve the impact of biometrics on privacy, health, safety and other similar areas. Within each country or region there are different legislative issues and public perceptions that may influence how biometrics is used. The key goal here is to try to develop a standardized way of measuring or managing these issues and, if possible, a set of minimum guidelines that can achieve sufficient consensus to be internationally standardized. The international standards in this area will be particularly important for the deployment of large-scale cross-border systems.
Finally, surrounding and pervading the entire onion is the issue of conformance testing standards. Most standards in any of the other areas do not provide a formal method for certifying that a particular technology or product conforms to the standard. The vast majority of standards, however, do benefit from a detailed conformance testing standard, and this is an area which will require a great deal of work over the next two years, since the work on developing conformance testing methodology standards is still at an early stage. In the past two years the number of published biometric standards has grown from 10 to 33, while the number of emerging standards has increased to 95.
The standardization process has reached a reasonable level of maturity in the US. A few years ago there were ten published biometric standards. Today there are more than 50 with another 50 in development spanning all the major subject areas. With the development of conformance testing standards what was once a major gap in the standards portfolio is now starting to close. There are either published or emerging biometric standards that address almost every major fundamental aspect of biometrics.
Over time, more technologies are being addressed. New data formats for speaker recognition in M1 and DNA in SC 37 are currently in development. Conformance testing will be critical for the many large-scale international deployments of biometrics where the data created in one country must be conformant to the SC 37 standards to enable the data to be read and used by another country.
Spreadsheets of all currently published standards and many more emerging biometric standards are included in NBSP's latest review of biometric standards activity, "Summary of Published and Emerging Biometric Standards – 2nd Quarter, 2007." Both the spreadsheets and the Summary Report are available on the company's website. www.nationalbiometric.org.
