Overview of National and International Biometric Standards Activities

Overview ofNational and International BiometricStandards ActivitiesFernando PodioProgram Manager,NIST Biometric Standards ProgramComputer Security DivisionNIST/ITL1 (301) 975 - 2947fernando.podio@nist.govANSI/NIST ITL 1 2000 UpdateWorkshop, April 26 28, 20051

Overview• National and International StandardsOrganizations• Status of the INCITS M1 and JTC 1 SC 37Biometric Standards Programs• Market Adoption Examples2

Biometrics Standards Activities – Who is Doing What?InternationalISOIECICAOITU-TTC 68Banking,Securities andOther FinancialServicesISO/IEC JTC 1Information TechnologyNIST/BCBiometric WGBioAPIConsortiumSC 17Cards &PersonalIdentificationSC 27IT SecurityTechniquesSC 37BiometricsOASISOpen GroupNationalANSINIST/ITLX9(US TAG ISO TC 68)INCITSINCITS M1 isthe TAG toJTC 1 SC 37(ANSI/NIST ITL-1-2000)X9FData &InformationSecurityB10IdentificationCards & RelatedDevicesM1BiometricsT4SecurityTechniques

M1 Biometrics (US)• INCITS is the major standards organization in the USresponsible for the development of Information andCommunication Technology (ICT) standards.• M1 is the INCITS committee for biometrics, establishedNovember 2001.• M1 represents the US in biometric international standardsdevelopment through Subcommittee 37 of Joint TechnicalCommittee 1 (JTC1).4

INCITS M1 StandardsApproved DataInterchangeFormatsINCITS 377*Finger Pattern-BasedInterchange FormatINCITS 378*Finger Minutiae FormatFor Data InterchangeINCITS 379Iris Recognition Formatfor Data InterchangeINCITS 381Finger Image Formatfor Data InterchangeINCITS 385*Face Recognition Formatfor Data InterchangeConformance TestingMethodologies for theData InterchangeFormats (UnderDevelopment)Generalized TestingMethodology - Part 1Conformance TestingMethodology for INCITS 377Conformance TestingMethodology for INCITS 378Conformance TestingMethodology for INCITS 379Conformance TestingMethodology for INCITS 381Conformance TestingMethodology for INCITS 385Other DataInterchangeFormats andRelated Standards(UnderDevelopment)INCITS 395Signature/Sign DataINCITS 396Hand Geometry InterchangeFormatBiometric Sample Quality(*) Currently amendments to these three standards areunder development5

INCITS M1 StandardsApproved BiometricApplication ProfilesINCITS 383Verification & Identificationof Transportation WorkersINCITS 394Biometric-Based PersonalIdentification for BorderManagementOther BiometricApplication Profiles(UnderDevelopment)Point of Sale BiometricIdentificationDoD ImplementationsCommercial BiometricPhysical Access ControlPerformance Testing& ReportingStandards (UnderDevelopment)Part 1 – FrameworkPart 2 – Technology Testingand ReportingPart 3 – Scenario Testingand ReportingPart 4 – Operational Testingand ReportingPart 5 – Framework forBiometric DevicePerformance Evaluation forAccess ControlApproved InterfaceStandardsINCITS 358BioAPI Specification V1.1INCITS 398Common Biometric ExchangeFormats Framework (CBEFF)– NISTIR 6529-AConformance TestingMethodology (UnderDevelopment)Conformance TestingMethodology for INCITS 358(BioAPI Specification V1.1)6

The Role of Standards inBiometric Interoperability & Data InterchangeApplication (Conforming to Biometric Application Profile Standards)Framework Conforming to the BioAPI StandardBiometricData StructureConforming to INCITS 398(NISTIR 6529-A)Standardized biometricdata is embedded in theCBEFF structureBiometricServiceProviderBiometricDeviceBiometricServiceProviderBiometricDeviceBiometricServiceProviderBiometricDeviceStandard Data DataInterchange Formats7

SC 37 - Biometrics• Responsible for the standardization of generic biometrictechnologies pertaining to human beings to supportinteroperability and data interchange among applicationsand systems.• Since SC 37 was established, it has maintained anaccelerated pace of biometric standards development(meetings approximately every 6 months)• Demanding schedule for technical editors, other officers,experts, national bodies and liaison organizations.• 21 Member countries – 6 Observers – 11 LiaisonOrganizations8

SC 37 - BiometricsISO/IEC JTC 1/SC 37 - BiometricsChair: Mr. Fernando PodioSC 37 SecretariatANSIMs. Lisa RajchelWorking Group 1Harmonized BiometricVocabularyConvener:Ms. Rene McIverWorking Group 4Biometric FunctionalArchitecture andRelated ProfilesConvener:Mr. Mike HoganWorking Group 2Biometric TechnicalInterfacesConvener:Dr. Young-Bin KwonWorking Group 5Biometric Testing andReportingConvener:Mr. Bob CarterWorking Group 3Biometric DataInterchange FormatsConvener:Dr. Axel MundeWorking Group 6Cross-Jurisdictionaland Societal AspectsConvener:Dr. Mario Savastano9

International StandardDevelopment StagesInternational StandardISFinal DraftInternational StandardFDISFinal Committee DraftFCDCommittee DraftCDWorking DraftWDNew Work ItemProposalNP10

SC 37 - BiometricsISO FDIS 19794Biometric Data InterchangeFormat - Part 2, FingerMinutiae DataISO FDIS 19794Biometric Data InterchangeFormat - Part 4, FingerImage DataISO FDIS 19794Biometric Data InterchangeFormat - Part 5, Face ImageDataISO FDIS 19794Biometric Data InterchangeFormat - Part 6, Iris ImageDataFinal DraftInternational StandardCandidates CD 24709-1Final DraftInternationalStandards Status FCD 19785Common Biometric ExchangeFormats Framework - Part 1,Data Element SpecificationFCD 19784BioAPI Specification – Part 1Final Committee DraftsFCD 19794-1Biometric Data InterchangeFormat – Part 1, FrameworkFCD 19794-3Biometric Data InterchangeFormat – Part 3, FingerPattern Spectral DataFCD 19795-1Performance Testing &Reporting – Principles andFrameworkCommittee DraftsBioAPI Conformance Testing– Part 1 – Methods &ProceduresCD 19794-7Biometric Data InterchangeFormat - Part 7,Signature/Sign Time SeriesCD 19794-8Biometric Data InterchangeFormat - Part 8, FingerPattern Skeletal DataCD 24713-1Biometric Profiles – Part 1,Biometric ReferenceArchitecture2 nd CD 24713-2Biometric Profiles – Part 2,Biometric-Based Verification& Identification of Employeesin a Token Based HighlySecure Environment11

SC 37 - BiometricsCommittee Drafts (Cont.)Working Drafts & Other DocumentsCD 19795-2Biometric PerformanceTesting & Reporting – Part 2,Testing MethodologiesCD 19795-4Biometric PerformanceTesting & Reporting – Part 4,Performance &Interoperability Testing ofInterchange FormatsNew Projects• BioAPI “Lite”• Guidelines for DigitalCapture of Face Image Data• Biometric PerformanceTesting & Reporting – Part 5,Framework for BiometricDevice PerformanceEvaluation for Access ControlWD 24709-2 ,BioAPI Conformance Testing, Part 2 – TestAssertionsWD2 19785-2, BioAPI, Part 2 – Biometric Archive FunctionProvider InterfaceWD 19785-3, CBEFF Part 3: Patron Format SpecificationsWD2 24722, Technical Report on Multi-Modal Biometric FusionWD3 24708, Biometric Interworking Protocol (BIP)WD 19794-9, Biometric Data Interchange Format – Part 9,Vascular Image DataWD 19794-10, Biometric Data Interchange Format – Part 10,Hand Geometry Silhouette DataWD 19794-11, Biometric Data Interchange Format – Part 11,Signature/Sign Processed Dynamic Data2nd WD 24714, Technical Report on Cross Jurisdictional andSocietal Aspects of Implementations of Biometric TechnologiesSD 2 - Standing Document on BiometricVocabulary12

JTC1 SCActivitiesSocietal and Jurisdictional IssuesSC 37 WG6SC 37 WG1Harmonized Biometric VocabularyBiometric InterfacesSC 17 7816-11Card basedSC 37 WG 2BioAPIBiometric System PropertiesBiometric DataSecurity AttributesSC 37 WG4Biometric ProfilesSC 27Security EvaluationSC 37 WG5Performance EvaluationLogical Data Structure/File FrameworkSC 27(e.g., ConfidentialityAvailability, Integrity)Biometric DataInterchangeFormatsSC 37 WG2CBEFFSC 37 WG313

Market Adoption Examples• International Civil Aviation Administration (ICAO):• Adopted a global, harmonized blueprint for theintegration of biometric identification information intopassports and other Machine Readable TravelDocuments (MRTD).• Requires conformance to JTC 1 SC 37 standards.• Facial recognition was selected as the globallyinteroperable biometric for machine-assisted identityconfirmation with MRTD.• Other requirements: CBEFF, Finger InterchangeFormats and Iris Interchange Format14

Market Adoption Examples• International Labor Office of the United Nations –Requirements for a Seafarer’s ID Card:• ISO and JTC 1 are assisting ILO regarding the use ofbiometrics for a Seafarer’s ID card.• Two fingerprint templates will be stored in a barcodewhich will be placed in the area indicated by ICAO 9303.• ILO Technical Report SID-002 (Approved March 2004)specifies the use of some of the standards underdevelopment in JTC 1 SC37 (finger minutiae, fingerimage and CBEFF).15

Market Adoption Examples• DHS / TSA - Transportation Worker IdentificationCredential (TWIC) Program :• System-wide common credential to be used for allpersonnel requiring unescorted physical and/or logicalaccess.• Phase III - Prototype Phase – Biometric Requirements:INCITS M1 biometric standards, as applicable, such asINCITS 383 Information technology - Application Profile -Interoperability and Data Interchange - Biometric BasedVerification and Identification of Transportation Workers16

Market Adoption Examples• DHS – Facial Recognition Standard:• Uses INCITS / M1 approved facial biometric standard (INCITS 385) as thebasis for the DHS standard.• Extract portions to provide guidelines for specific users:• Derivative 001: “Terms, Reference, and Guidelines for Project Managers”• Derivative 002: “Guidelines for Software and System Developers”• Derivative 003: “Guidelines for Photographers and Subjects”• Best practices for producing uniform photographs (posters)• References in the DoD IT Standards Registry (DISR):• INCITS 358-2002, BioAPI Specification• CBEFF17