By David Benini, Aware, Inc.
Following the publication of the FIPS 201 standard in 2005, a series of specifications evolved defining the functionality and interaction of the components that together make up a comprehensive biometrics-enabled credentialing system. The requirements set forth in FIPS 201 were divided among twenty product categories and three services that form the GSA’s Approved Product List (APL). There are six categories that cover specific biometric technologies. Because PIV cards utilize fingerprint and facial biometrics, the categories are split between the two technologies.
Fingerprint biometric product categories:
- Template Generator
- Template Matcher
- Fingerprint Capture Station
- Single Fingerprint Capture Device
Facial image biometric product categories:
- Facial Image Capturing (Middleware)
- Facial Image Capturing Camera
Fingerprint biometric product categories
The first set of biometric categories covers hardware and software required to capture and verify fingerprint biometrics on PIV cards.
The “Fingerprint Capture Station” is the equipment used to capture an individual’s full set of fingerprints at the point of enrollment. The “Template Generator” is the software that generates the INCITS 378 compliant biometric template from the captured prints.
An approved “Fingerprint Capture Station” product must be an FBI-certified fingerprint live scan device or card scan solution, and must also include software that generates NIST NFIQ image quality scores and writes the fingerprint images into ANSI/INCITS 381 compliant data files.
Moving from enrollment to utilization, the “Single Fingerprint Capture Device” is used in the field to capture the live fingerprint images for matching against the enrolled template. The “Template Matcher” software performs this matching process.
Products in the minutiae-based “Template Generator” and “Template Matcher” categories must be submitted to NIST’s MINEX program for certification. NIST tests the software for interoperability between templates and matchers from different vendors. The software submitted for testing must be able to exchange template files compliant with the ANSI/INCITS 378 data interchange format for fingerprint minutiae templates.
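To show what cross-vendor interoperability testing actually exercises, the following is an added example, not MINEX software and not code from the article or from any APL product: a toy Template Matcher that works purely from minutiae positions, ridge directions and types, which is the information an INCITS 378 template carries. The in-memory template representation, the tolerances, the decision threshold and the sample fingerprints are all constructed for illustration; the byte-level INCITS 378 encoding is not reproduced.

```python
"""Toy minutiae Template Matcher working only from interchange data.

Added example, not MINEX software or any vendor's algorithm.  Template
Generator output is modelled as a list of minutiae (position, ridge
direction, type), which is what an INCITS 378 template carries; the
byte-level encoding is not reproduced and the tolerances are constructed.
"""
import math
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Minutia:
    x: float      # position in pixels
    y: float
    theta: float  # ridge direction in degrees, [0, 360)
    kind: str     # "ending" or "bifurcation"

POS_TOL = 8.0          # pixels (constructed tolerance)
ANGLE_TOL = 15.0       # degrees (constructed tolerance)
MATCH_THRESHOLD = 0.6  # fraction of minutiae that must pair up (constructed)

def angle_diff(a: float, b: float) -> float:
    d = abs(a - b) % 360.0
    return min(d, 360.0 - d)

def align(probe: List[Minutia], p: Minutia, g: Minutia) -> List[Minutia]:
    """Rigidly move the probe so that its minutia p lands on gallery minutia g.

    Rotation comes from the two ridge directions, translation from the two
    positions: nothing vendor-specific is needed, which is the point of an
    interoperable template format."""
    rot = g.theta - p.theta
    cos_r, sin_r = math.cos(math.radians(rot)), math.sin(math.radians(rot))
    aligned = []
    for q in probe:
        dx, dy = q.x - p.x, q.y - p.y
        aligned.append(Minutia(g.x + dx * cos_r - dy * sin_r,
                               g.y + dx * sin_r + dy * cos_r,
                               (q.theta + rot) % 360.0,
                               q.kind))
    return aligned

def count_pairs(aligned: List[Minutia], gallery: List[Minutia]) -> int:
    """Greedy one-to-one pairing within position, direction and type tolerance."""
    used, pairs = set(), 0
    for q in aligned:
        best, best_d = None, POS_TOL
        for i, g in enumerate(gallery):
            if i in used or g.kind != q.kind or angle_diff(q.theta, g.theta) > ANGLE_TOL:
                continue
            d = math.hypot(q.x - g.x, q.y - g.y)
            if d <= best_d:
                best, best_d = i, d
        if best is not None:
            used.add(best)
            pairs += 1
    return pairs

def match_score(probe: List[Minutia], gallery: List[Minutia]) -> float:
    """Best pairing fraction over every same-type reference pair (0.0 to 1.0)."""
    if not probe or not gallery:
        return 0.0
    best = 0
    for p in probe:
        for g in gallery:
            if p.kind == g.kind:
                best = max(best, count_pairs(align(probe, p, g), gallery))
    return best / max(len(probe), len(gallery))

def is_match(probe: List[Minutia], gallery: List[Minutia]) -> bool:
    return match_score(probe, gallery) >= MATCH_THRESHOLD

def rigid(m: Minutia, deg: float, dx: float, dy: float) -> Minutia:
    """Rotate about the origin then translate; used only to build the sample probe."""
    r = math.radians(deg)
    return Minutia(m.x * math.cos(r) - m.y * math.sin(r) + dx,
                   m.x * math.sin(r) + m.y * math.cos(r) + dy,
                   (m.theta + deg) % 360.0, m.kind)

# Constructed sample data: an enrolled template, a live capture of the same
# finger (rotated 12 degrees, shifted, one minutia missed, one spurious), and
# a different finger.
GALLERY = [Minutia(100, 100, 30, "ending"), Minutia(140, 110, 90, "bifurcation"),
           Minutia(120, 150, 200, "ending"), Minutia(160, 160, 45, "ending"),
           Minutia(90, 170, 300, "bifurcation"), Minutia(180, 120, 135, "ending"),
           Minutia(130, 190, 10, "bifurcation"), Minutia(200, 180, 250, "ending")]
GENUINE_PROBE = [rigid(m, 12, 7, -4) for m in GALLERY[:-1]] + [Minutia(50, 50, 77, "ending")]
IMPOSTOR = [Minutia(60, 210, 120, "ending"), Minutia(210, 60, 350, "bifurcation"),
            Minutia(150, 40, 15, "ending"), Minutia(30, 90, 260, "ending"),
            Minutia(220, 230, 180, "bifurcation"), Minutia(110, 60, 70, "ending"),
            Minutia(170, 220, 330, "bifurcation"), Minutia(70, 140, 200, "ending")]

if __name__ == "__main__":
    print("genuine ", round(match_score(GENUINE_PROBE, GALLERY), 3), is_match(GENUINE_PROBE, GALLERY))
    print("impostor", round(match_score(IMPOSTOR, GALLERY), 3), is_match(IMPOSTOR, GALLERY))
```

Because alignment and scoring use nothing beyond the shared minutiae representation, a generator and a matcher from different vendors can operate on each other's output; what cross-vendor testing then measures is how well a matcher performs when fed another generator's templates rather than its own.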
Facial Image biometric product categories
Hardware and software for facial capture are covered by two categories: the “Facial Image Capturing Camera” is simply a digital camera with sufficient resolution and the ability to prevent over-compression, and the software that formats the image is the “Facial Image Capturing (Middleware).”
The “Facial Image Capturing (Middleware)” product category serves as a catch-all for facial image and data requirements. Software products in this category should create data structures compliant with ANSI/INCITS 385 and also validate that the captured facial images are compliant (e.g. dimensions, size of the head in the frame, resolution, compression ratio). It includes a requirement that, if the facial image is compressed using the JPEG2000 “region of interest” (ROI) technique, the product must ensure the inner facial region is not compressed beyond a ratio of 24:1. JPEG2000 ROI is recommended when optionally storing facial images on the smart card because its compression performance is significantly better than JPEG’s.
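To make the compression-ratio requirement concrete, here is an added example, not code from the article, from Aware or from any APL product, of the kind of compliance check a middleware component can run on a captured face before building a record. Only the 24:1 ceiling for the inner facial region comes from the text; the minimum dimensions and head-width fractions are constructed placeholders rather than figures from INCITS 385, and the example assumes the JPEG2000 encoder reports how many codestream bytes it spent on the ROI, which is an assumption about the encoder, not a property of the standard.

```python
"""Facial image compliance checks for a Facial Image Capturing (Middleware)
component.  Added example; the 24:1 inner-region ceiling comes from the
article, every other limit here is a constructed placeholder."""
import math
from dataclasses import dataclass
from typing import List

BYTES_PER_PIXEL = 3    # assumes 24-bit colour for the uncompressed size
ROI_MAX_RATIO = 24.0   # inner facial region may not exceed 24:1

@dataclass(frozen=True)
class Limits:
    """Acceptance limits.  Placeholder values, not figures from INCITS 385."""
    min_width: int = 240
    min_height: int = 320
    head_width_min_frac: float = 0.5   # head width as a fraction of image width
    head_width_max_frac: float = 0.75

@dataclass(frozen=True)
class CapturedFace:
    width: int
    height: int
    head_width: int            # from the capture software's face locator
    roi_width: int             # inner facial region chosen for JPEG2000 ROI coding
    roi_height: int
    roi_compressed_bytes: int  # assumed: bytes the encoder reports spending on the ROI

def compression_ratio(pixels: int, compressed_bytes: int) -> float:
    """Uncompressed bytes divided by compressed bytes; 24.0 means 24:1."""
    if compressed_bytes <= 0:
        raise ValueError("compressed size must be positive")
    return pixels * BYTES_PER_PIXEL / compressed_bytes

def min_roi_bytes(roi_width: int, roi_height: int, max_ratio: float = ROI_MAX_RATIO) -> int:
    """Smallest ROI byte budget that keeps the inner region at or under max_ratio.
    Handy when configuring the encoder's ROI allocation ahead of capture."""
    return math.ceil(roi_width * roi_height * BYTES_PER_PIXEL / max_ratio)

def check_face(face: CapturedFace, limits: Limits = Limits()) -> List[str]:
    """Return the list of compliance failures; an empty list means the image passes."""
    problems = []
    if face.width < limits.min_width or face.height < limits.min_height:
        problems.append(f"image {face.width}x{face.height} below minimum "
                        f"{limits.min_width}x{limits.min_height}")
    frac = face.head_width / face.width
    if not (limits.head_width_min_frac <= frac <= limits.head_width_max_frac):
        problems.append(f"head width is {frac:.2f} of frame width, outside "
                        f"[{limits.head_width_min_frac}, {limits.head_width_max_frac}]")
    if face.roi_width > face.width or face.roi_height > face.height:
        problems.append("region of interest exceeds image bounds")
    ratio = compression_ratio(face.roi_width * face.roi_height, face.roi_compressed_bytes)
    if ratio > ROI_MAX_RATIO:
        problems.append(f"inner facial region compressed {ratio:.1f}:1, exceeds "
                        f"{ROI_MAX_RATIO:.0f}:1; needs at least "
                        f"{min_roi_bytes(face.roi_width, face.roi_height)} bytes")
    return problems

# Constructed sample captures: same framing, different ROI byte budgets.
COMPLIANT = CapturedFace(width=480, height=640, head_width=300,
                         roi_width=240, roi_height=300, roi_compressed_bytes=9500)
OVER_COMPRESSED = CapturedFace(width=480, height=640, head_width=300,
                               roi_width=240, roi_height=300, roi_compressed_bytes=6000)

if __name__ == "__main__":
    for name, face in (("compliant", COMPLIANT), ("over-compressed", OVER_COMPRESSED)):
        print(name, check_face(face) or "OK")
```

Running the check at capture time, rather than after the image has been written to the card, lets the operator recapture while the cardholder is still at the enrollment station.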
Generally the term “middleware” refers to software that enables connectivity between large distributed applications, web services, and service-oriented architectures (SOA). But in the smart card vernacular, the “middle” is relative and refers to something quite different. The “PIV Middleware” product category actually refers to software serving as an interface for communication between the PIV application on a PC and the smart card itself. FIPS 201 specifies this interface, and products in the PIV Middleware category must be independently certified to be compliant. This shouldn’t be confused with biometric middleware products on the market that are typically servers performing centralized tasks such as biometric data routing and processing.
Biometrics required for PIV but not categorized on APL
Some facets of PIV system biometrics are not addressed by FIPS 201 standards, except to say that they are required. While FIPS 201 strictly requires biometric background checks through the FBI and OPM, the details of those submissions are not specified in FIPS 201 and thus are not categorized on the APL. This is because there are well-established procedures for fingerprint image compression, quality and data formatting that are addressed by legacy standards and certification programs (e.g. the FBI’s “Appendix F” image quality certification for fingerprint scanners, and the ANSI/NIST ITL-1 2007 standard for background check file formatting).
Putting the pieces together: the NASA PIV system lifts off
NASA was well-prepared for HSPD-12, deploying an operational pilot system with approved products more than six months before the pending October 2007 deadline. Like many agencies, NASA already had an identity management system, a card management system, and a fingerprint background check submission system in place. The agency was issuing employee ID cards well before HSPD-12 was announced.
While PIV imposes new standards for card issuance procedures, physical card properties, data formats, and interfaces, it is the introduction of biometrics for identity verification that is perhaps the most disruptive to an agency’s legacy systems … and NASA’s were no exception. NASA’s identity management and card issuance systems had operated completely independently from its fingerprint background check system, so the introduction of biometrics to the identity system enrollment process provided a strong incentive to combine these functions in a single enrollment station. The FIPS 201 requirement to use the same biometric both for the background check and for generating the minutiae templates stored on the ID cards solidified this need.
NASA designed an architecture that would utilize the same registration workstation for both PIV enrollment and background checking. A new registration workstation collects biometric images and biographic data for both functions during a single enrollment session. This workstation includes products from several APL categories to perform multiple tasks, including a pre-enrollment search of the IDMS, ten-fingerprint auto-capture, facial image auto-capture, and biographic data collection and formatting for the PIV card and the fingerprint background check.
A new central server was installed to a) aggregate all enrollment traffic from all of the geographically distributed enrollment workstations, b) prepare data for card personalization, archival, and enrollment or update in the IDMS, and c) forward background check files to the legacy background check server. The flexibility and functionality of this central server helped facilitate a modular “overlay” upgrade that achieved PIV compliance while substantially mitigating the risk and cost of a broader modification of the agency’s existing systems.