Biometric Information Management For Security


Biometric Information Management For Security
Phillip H. Griffin
Griffin Consulting
1625 Glenwood Avenue
Hayes Barton at Five Points
Raleigh, North Carolina 27608-2319 USA
+1 919 291 0019
[email protected]
OASIS XCBF TC
• XCBF - XML Common Biometric Format
– X9.84 Biometric Information Management and Security
– BioAPI Specification Version 1.0 and 1.1
– CBEFF - Common Biometric Exchange File Format
• X.693 - ASN.1 XML Encoding Rules (XER)
• X9.96 XML Cryptographic Message Syntax
– X9.73 Cryptographic Message Syntax
– X.509 Certificates (1024 bytes)
– X9.68 Compact Domain Certificates (170 bytes)
May 2002
1
XCBF/X9.84 BiometricObject
<?xml version="1.0" encoding="UTF-8"?>
<!-- Generated by Griffin Consulting Biometric Security Java Tools -->
<BiometricObject>
  <biometricHeader>
    <version> <hv1/> </version>
    <recordType> <id> <finger-Image/> </id> </recordType>
    <dataType> <processed/> </dataType>
    <purpose> <enroll/> </purpose>
    <quality> <highest/> </quality>
    <format>
      <formatOwner> <id> <ibia-SecuGen/> </id> </formatOwner>
      <formatType> <INTEGER> 1 </INTEGER> </formatType>
    </format>
  </biometricHeader>
  <biometricData>
    14000000F40100000100120003 ... 000000000EC010000BEF7F15DC593F44F
  </biometricData>
</BiometricObject>
X9.84 Revelation
• Biometric data cannot be kept confidential
– faces can be photographed
– voices can be recorded
– fingerprints can be lifted
– signatures can be copied
• Thus the security of an authentication system cannot rely on secrecy of biometric data
• Instead, must ensure the integrity and authenticity of the biometric data – privacy is optional
X9.84 in a Nutshell
• Establishes a FRAMEWORK consisting of components
– Data Capture, Signal Processing, Matching, Storage, etc.
• Defines REQUIREMENTS for operating a biometric authentication system in a financial services environment
– Enrollment, Verification, Identification and Storage
• Provides TECHNIQUES satisfying the privacy, integrity and authenticity requirements for biometric data (ASN.1)
– Harmonized w/ NISTIR 6529 CBEFF & BioAPI Specification 1.0
• Offers a comprehensive set of CONTROL OBJECTIVES
– a professional auditor can validate a biometric authentication system
XCBF Biometric Architecture
[Architecture diagram: Application; Biometric Validation Control Objectives; X9.84 Biometric Security; XER/DER Biometric Object; BIR; BioAPI Framework; CBEFF; Cryptographic Service Provider; Biometric Service Provider]
XCBF Integrity
BiometricSyntax and ASN.1 Encoding Rules (DER, XER)
– Integrity and mutual authentication requirements
[Diagram: two forms of the biometric syntax]
[0] Unprotected: Biometric Header, Biometric Data (BD)
[1] Integrity: Biometric Header, Biometric Data (BD), Integrity Block (AID, Security Info, Integrity Value)
Algorithm Identifier (AID)
• RSA / SHA-1
• DSA / SHA-1
• ECDSA / SHA-1
• MAC or HMAC
Security Info
• algorithm parameters
• key management info
Integrity Value
• digital signature
• MAC
XCBF Integrity ASN.1
BiometricObject can be digitally signed, MACed (or HMAC), or used in
CMS SignedData or CMS AuthenticatedData using DER or XER
[Diagram: as on the XCBF Integrity slide]
[0] Unprotected: Biometric Header, Biometric Data (BD)
[1] Integrity: Biometric Header, Biometric Data (BD), Integrity Block (AID, Security Info, Integrity Value)
IntegrityObject ::= SEQUENCE {
    biometricObject   BiometricObject,
    integrityBlock    IntegrityBlock
}
IntegrityBlock ::= CHOICE {
    signature         Signature,
    mac               Mac,
    signedData        SignedData,
    authenticateData  AuthenticatedData
}
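The IntegrityBlock's `mac` alternative in working form, as an added example that is not code from the presentation or the XCBF specification: the MAC is computed over a deterministic encoding of the whole BiometricObject (header and data together), carried beside the AID and key-management info, and recomputed before the record is trusted. Canonical JSON standing in for DER/XER, HMAC-SHA-256 in place of the SHA-1-based algorithms listed on the slides, and the field names inside the `mac` block are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample: the slide-2 BiometricObject as a dict (the hex data is a stand-in).
SAMPLE_OBJECT = {
    "biometricHeader": {
        "version": "hv1",
        "recordType": "finger-Image",
        "dataType": "processed",
        "purpose": "enroll",
        "quality": "highest",
        "format": {"formatOwner": "ibia-SecuGen", "formatType": 1},
    },
    "biometricData": "14000000F40100000100120003",
}


def canonical_encoding(obj: dict) -> bytes:
    """Deterministic bytes for MACing (assumption: canonical JSON stands in for DER/XER).

    Signer and verifier must hash identical bytes, so key order and separators are fixed.
    """
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_integrity_object(bio_obj: dict, key: bytes, key_name: str) -> dict:
    """Wrap a BiometricObject in an IntegrityObject using the IntegrityBlock 'mac' choice."""
    tag = hmac.new(key, canonical_encoding(bio_obj), hashlib.sha256).hexdigest()
    return {
        "biometricObject": bio_obj,
        "integrityBlock": {
            "mac": {
                "algorithmIdentifier": "hmac-sha256",   # AID (assumed identifier)
                "securityInfo": {"keyName": key_name},  # key management info
                "integrityValue": tag,
            }
        },
    }


def verify_integrity_object(integrity_obj: dict, key: bytes) -> bool:
    """Recompute the MAC over header AND data; any edit to either invalidates the tag."""
    mac_block = integrity_obj.get("integrityBlock", {}).get("mac")
    if mac_block is None or mac_block.get("algorithmIdentifier") != "hmac-sha256":
        return False  # absent or unsupported CHOICE alternative
    expected = hmac.new(key, canonical_encoding(integrity_obj["biometricObject"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the verifier cannot be probed byte by byte.
    return hmac.compare_digest(expected, mac_block["integrityValue"])
```

Because the header is covered as well as the template, changing `purpose` from enroll to verify, or `dataType` from processed to raw, fails verification exactly as a change to the biometric bytes does.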
XCBF Privacy
Biometric Syntax and ASN.1 Encoding Rules (DER, XER)
– Privacy Option
[Diagram: two forms of the biometric syntax]
[0] Unprotected: Biometric Header, Biometric Data (BD)
[2] Privacy: Biometric Header, Privacy Block (AID, Security Info, Biometric Data) – the Biometric Data (BD) is encrypted before it is placed in the Privacy Block
Algorithm Identifier (AID)
• DES
• Triple DES
• AES
Security Info
• algorithm parameters
• key management info
Biometric Data
• encrypted data
XCBF Privacy ASN.1
BiometricObject can be used in CMS EncryptedData, CMS EnvelopedData or
encrypted with a named key using DER or XER encoding rules
[Diagram: as on the XCBF Privacy slide]
[0] Unprotected: Biometric Header, Biometric Data (BD)
[2] Privacy: Biometric Header, Privacy Block (AID, Security Info, encrypted Biometric Data)
PrivacyObject ::= SEQUENCE {
    biometricHeader   BiometricHeader,
    privacyBlock      PrivacyBlock
}
PrivacyBlock ::= CHOICE {
    fixedKey          EncryptedData,
    namedKey          NamedKeyEncryptedData,
    establishedKey    EnvelopedData
}
NamedKeyEncryptedData ::= SEQUENCE {
    keyName           OCTET STRING,
    encryptedData     EncryptedData
}
XCBF Integrity & Privacy
Biometric Syntax and ASN.1 Encoding Rules (DER, XER)
– Integrity and authentication with privacy
[Diagram: three forms of the biometric syntax]
[0] Unprotected: Biometric Header, Biometric Data (BD)
[1] Integrity: Biometric Header, Biometric Data (BD), Integrity Block (AID, Security Info, Integrity Value) – generate digital signature
[3] Integrity & Privacy: Biometric Header, Privacy Block (AID, Security Info, encrypted Biometric Data), Integrity Block (AID, Security Info, Integrity Value) – encrypt
XCBF Integrity&Privacy ASN.1
Biometric Syntax and ASN.1 Encoding Rules (DER, XER)
– Integrity and authentication with privacy
[Diagram: as on the XCBF Integrity & Privacy slide]
[1] Integrity: Biometric Header, Biometric Data (BD), Integrity Block (AID, Security Info, Integrity Value)
[3] Integrity & Privacy: Biometric Header, Privacy Block (AID, Security Info, encrypted Biometric Data), Integrity Block (AID, Security Info, Integrity Value)
PrivacyAndIntegrityObject ::= SEQUENCE {
    biometricHeader   BiometricHeader,
    privacyBlock      PrivacyBlock,
    integrityBlock    IntegrityBlock
}
Represented in XML as
<PrivacyAndIntegrityObject>
  <biometricHeader>
    ...
  </biometricHeader>
  <privacyBlock> ... </privacyBlock>
  <integrityBlock> ... </integrityBlock>
</PrivacyAndIntegrityObject>
Useful Links
XCBF and X9.84 rely heavily on ITU-T SG17 Technologies.
ASN.1 X.680 and X.690 - Directory X.500 Standards
Module Database
http://www.itu.int/ITU-T/asn1/database/index.html
Syntax Checker and Books
http://www.ossnokalva.com/
Recommendations
http://www.itu.int/ITUT/studygroups/com17/languages/index.html
Host: ftp://ties.itu.int login: asn1 password: notation1
Griffin Consulting - Secure Messaging Design, Tools and Services
http://ASN-1.com/