2. Biometric Security Standards
• X9.84 - 2010 Biometric Information Management and Security
– Industry neutral information security standard
– Financial services specific use cases
– Became a US national standard in 2003
– Revised 2009
• Wells provided editor; Griffin created secure abstract schema
• Selectively incorporates ISO 19092 improvements
• ISO 19092
– Extends & internationalizes X9.84-2003
– McCormick, US expert; Griffin, standard editor
– Omitted important X9.84 technical content
– Omitted schema for practical implementation
2
3. Biometric Security Standards
Content X9.84 ISO 19092
Biometrics Overview & Tutorial
Technical Considerations & Architecture
Biometric Information Security Management
Cryptographic Controls and Techniques
Physical Controls
ASN.1 Schema (compact binary & XML markup)
Secure Biometric System Event Journal
3
4. Biometric Security Standard
Content X9.84 ISO 19092
Audit Checklist (BVCO)
Match Decision Protocol
ISO 8583 Retail Message Extension
Data Flow Diagrams & Descriptions
Security Considerations
Public Policy Considerations
Business Use Cases
4
5. X9.84 – A Biometrics Tutorial
Biometric Technology Overview
– Basics
”Biometric identification leverages the universally recognized
fact that certain physiological or behavioral characteristics
can reliably distinguish one person from another “
Biometric Types
– Fingerprint (Voice, Signature, Iris, Retina, Face, …)
”The pattern of friction ridges and valleys on an individual's
fingertips is considered unique to that individual.“
5
6. X9.84 Authentication System Compliance
Biometric System Auditor Checklist
Biometric Validation Control Objectives
Environmental Controls – A biometric system within or employing an
IT infrastructure requires these controls for a secure implementation
Key Management Lifecycle Controls – Needed when a biometric
system employs cryptographic protection, e.g., digital signatures for
data integrity & origin authentication, and encryption for confidentiality
Biometric Information Lifecycle Controls – A biometric system
enrolls individuals by capturing biometric data to generate, distribute,
use, and eventually terminate templates, similar to a PKI.
6
7. X9.84 Authentication System Compliance
Biometric System Event Journal
Shows that an organization provides reasonable assurance
that environmental, key management lifecycle, and biometric information
life cycle events are accurately and completely logged – that the
operation of the biometric system meets the control objectives
Confidentiality & integrity of current & archived event journals maintained
Complete event journals are securely and confidentially archived in
accordance with disclosed business practices
Event journals are reviewed periodically by authorized personnel
7
8. Extending Biometric Template Information
Biometric Template Attributes
Attributes can be bound to a template using a detached signature.
Detached signatures are stored separately from the template itself.
Detached signatures do not interfere with template use by a biometric
service provider, say during the biometric matching process.
Signature verification of information security management attributes
that are cryptographically bound to a biometric reference template can be
performed by another application process, perhaps by a Web Service.
8
11. Biometric Security Management Layer
Identity
and
Access
Management BSP
User Auth
IAM / BSP API
Biometric Security
Password Management Application Event Journal
User BSM
PKI Signed Attributes
11
12. For a Deeper Dive …
• ANSI X9.84 : 2010 -
Biometric Information Management and Security
• ANSI X9.73 : 2010 -
Cryptographic Message Syntax (CMS) – ASN.1 and XML
• ISSA Journal, January 2007:
ISO 19092: A Standard for Biometric Security Management
12