
ANSI X9.84 Biometric Management and Security for the Financial Services Industry


ANSI X9F4 Working Group

Jeff Stapleton, chair
KPMG jstapleton@kpmg.com

Judith Markowitz
J. Markowitz, Consultants judith@jmarkowitz.com

What is X9.84?
Standard of the American National Standards Institute (ANSI)
Focuses on management of the biometric data across its life cycle
Covers enrollment, verification, and identification
Primary industry focus is financial services
Developed in collaboration with other standards efforts

November 8, 2000

X9F4 Working Group

Where Does X9.84 Fit?

ISO

Accredited Standards Committee Financial Services Industry

NCITS B10
Identification Cards and Related Devices www.ncits.org

Where Does X9.84 Fit?

ANSI
www.x9.org
X9A - Retail Banking Subcommittee
X9B - Check Processing Subcommittee
X9D - Securities Subcommittee
X9F - Information and Data Security Subcommittee
    X9F1 - Cryptographic Tools
    X9F3 - Cryptographic Protocols
    X9F4 - Cryptographic Applications
        X9.84 Biometric Management and Security for the Financial Services Industry
    X9F5 - Certificate Policy and Procedures
    X9F6 - Cardholder Authentication and ICC

Interested ISO Committees

Technical Committee 68 - Financial Industry
    Subcommittee 2 - Information Security
Joint Technical Committee One (JTC1) ISO/IEC
    Subcommittee 17 - Passports and Identification Cards


Collaborative Standards Activities

BioAPI (www.bioapi.org)
Biometric API - Vendor, biometric, and operating system independent API. Version 1.0 released April 2000. Participants from biometrics industry, software developers, and system integrators.

CBEFF (www.nist.gov/cbeff)
Common Biometric Exchange File Format - enables interoperability of biometric-based application programs and systems from different vendors.

Collaborators

[Diagram: X9.84 with BioAPI, NIST/ITL CBEFF, and NCITS B10]
BioAPI - Biometric Service Provider (BSP) API
NIST/ITL CBEFF - Common Biometric Exchange File Format
NCITS B10

Other Standards Activities


ECTF (www.ectf.org)
Enterprise Computer-Telephony Forum (ECTF) Speaker Recognition Resource for the ECTF's S.100 Interface. They have an architecture for computer-telephony. S.100 is the API of the architecture.

BAPI - Software API (www.iosoftware.com)
API for computing devices
Microsoft & I/O

SVAPI
Speaker Verification API (SVAPI) disbanded

What is X9.84?
Security of biometric data across its life cycle
Management of the biometric data across its life cycle
Usage of biometric technology for identifying and authenticating banking customers and employees
Application of biometric technology for physical and logical access controls
Encapsulation of biometric data
Techniques for securely transmitting biometric data
Security of the physical hardware used throughout the biometric life cycle

Security Services
Confidentiality
protection of data against unauthorized disclosure

Authentication
protection against unauthorized access / authorization to data

Integrity
protection of data against unauthorized modification / substitution

Non-repudiation
Authentication and Integrity provable to a third party
Access Control = Authentication + Authorization

Security Requirements
1. The biometric system must prevent captured biometric data from being introduced into the system through fake, system-attached, biometric capture devices.
2. The biometric system must ensure that biometric data can be introduced into the system only through authorized interfaces using prescribed procedures.

* Source: A Biometric Standard for Information Management and Security


Security Requirements
3. The biometric system must implement protection mechanisms (controls and procedures) to detect or deter the synthetic biometric feature attack.
4. Where necessary, the biometric system must implement protection mechanisms (controls and procedures) to prevent the exposure or loss of biometric data.

* Source: A Biometric Standard for Information Management and Security


Security Requirements
5. The biometric system must implement protection mechanisms (controls and procedures) to ensure that the enrollment process is a well-defined
6. The biometric system must restrict access to the templates; it must restrict the ability of an attacker to reconstruct the template database from intercepted biometric data (samples or templates); it must restrict the ability of an attacker to issue verification requests against data in the template database
* Source: A Biometric Standard for Information Management and Security


X9.84 Approach
Biometric data should be managed so that
    integrity is highest security requirement
    unauthorized disclosure of biometric data should not compromise the system or the individual
NOTE Biometric data are not inherently confidential or secret. Therefore, biometric data may still be encrypted to protect the system for reasons of individual privacy issues

* Source: X9.84 Biometric Information Management and Security


X9.84 Requirements
1. Mechanisms to maintain the integrity of biometric data and verification results between any two components:
   - Cryptographic mechanisms such as a digital signature
   - Physical protection where no transmission is involved and all components reside within the same tamper resistant unit

2. Mechanisms to authenticate the source of the biometric data and verification results, between the sender and receiver component:
   - Cryptographic mechanisms such as a digital signature
   - Using physical protection where no transmission is involved and all components reside within the same tamper resistant unit

3. If desired, mechanisms to ensure the confidentiality of the biometric data during transmission
* Source: X9.84 Biometric Information Management and Security
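
Requirements 1 and 2 above, as an added Python example (not code from X9.84 or from the presenters): a sender component tags biometric data or a verification result, and the receiver checks integrity and source before using it. It uses an HMAC with a per-sender key in place of the digital signature the slide names, and adds a receiver-issued nonce so a captured message cannot be reintroduced; the device name, key and payloads are constructed.

```python
import hashlib
import hmac
import json
import os


def _framed(header, payload):
    # Length-prefix the header so the header/payload boundary cannot be shifted.
    return len(header).to_bytes(4, "big") + header + payload


def protect(key, sender, kind, payload, nonce):
    """Sender component: bind sender, data kind, nonce and payload under one tag."""
    header = json.dumps({"sender": sender, "kind": kind, "nonce": nonce.hex()},
                        sort_keys=True).encode()
    tag = hmac.new(key, _framed(header, payload), hashlib.sha256).digest()
    return {"header": header, "payload": payload, "tag": tag}


class Receiver:
    """Receiver component: checks source and integrity, refuses replays."""

    def __init__(self, sender_keys):
        self.sender_keys = dict(sender_keys)  # assumption: one key per sender
        self.outstanding = set()              # nonces issued, not yet used

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def accept(self, record):
        header, payload, tag = record["header"], record["payload"], record["tag"]
        try:
            fields = json.loads(header)
            key = self.sender_keys[fields["sender"]]
            nonce = bytes.fromhex(fields["nonce"])
        except (ValueError, KeyError, TypeError):
            return "rejected: unknown source"
        expected = hmac.new(key, _framed(header, payload), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: integrity check failed"
        if nonce not in self.outstanding:
            return "rejected: replayed or unsolicited"
        self.outstanding.discard(nonce)
        return "accepted"


# Constructed demo values: device name, key and sample bytes are made up.
KEYS = {"capture-01": bytes(range(32))}
```

A MAC proves the source only to the receiver that shares the key; showing it to a third party (non-repudiation) needs a digital signature.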


X9.84 Architecture
A is storage only, all other components are external
B input device and application are external
C includes all components and application

[Figure: block diagram with components Data Collection, Signal Processing, Matching, Storage, Decision, Application; labels Score, Yes/No, adaptation; boundaries A, B]

* Source: X9.84 Biometric Information Management and Security


What Is X9.84 Current Status?


Work started in 1998
Approved by X9F4 in April 2000
Sent to X9 for a vote
30 day public review
ANSI is going to submit X9.84 for new ISO standard
New ISO working group (WG10) created to review X9.84. US will chair it and UK, Germany, Japan, and (maybe) Canada are among the participants.


Contact Information
[1] X9F4
    Judith Markowitz judith@jmarkowitz.com
    Jeff Stapleton jstapleton@kpmg.com
[2] ANSI X9 www.x9.org
[3] NCITS B10 www.ncits.org
[4] Common Biometric Exchange File Format (CBEFF) www.nist.gov/cbeff
[5] BioAPI www.bioapi.org
[6] Biometric Consortium www.biometrics.org
[7] International Biometric Industry Association (IBIA) www.ibia.org
[8] Enterprise Computer-Telephony Forum (ECTF) www.ectf.org
[9] BAPI www.iosoftware.com
