Biometric Information Management For Security - PowerPoint PPT Presentation

Description:

Generated by Griffin Consulting Biometric Security Java Tools -- BiometricObject ... MAC. May 2002. 7. XCBF Integrity ASN.1 ... – PowerPoint PPT presentation

Slides: 14
Provided by: philliph7

1
Biometric Information Management For Security
  • Phillip H. Griffin
  • Griffin Consulting
  • 1625 Glenwood Avenue
  • Hayes Barton at Five Points
  • Raleigh, North Carolina 27608-2319 USA
  • 1 919 291 0019
  • phil.griffin_at_asn-1.com

2
OASIS XCBF TC
  • XCBF - XML Common Biometric Format
  • X9.84 Biometric Information Management and Security
  • BioAPI Specification Version 1.0 and 1.1
  • CBEFF - Common Biometric Exchange File Format
  • X.693 - ASN.1 XML Encoding Rules (XER)
  • X9.96 XML Cryptographic Message Syntax
  • X9.73 Cryptographic Message Syntax
  • X.509 Certificates: 1024 bytes
  • X9.68 Compact Domain Certificates: 170 bytes

3
XCBF/X9.84 BiometricObject
<?xml version="1.0" encoding="UTF-8"?>
<!-- Generated by Griffin Consulting Biometric Security Java Tools -->
<BiometricObject>
  <biometricHeader>
    <version> <hv1/> </version>
    <recordType> <id> <finger-Image/> </id> </recordType>
    <dataType> <processed/> </dataType>
    <purpose> <enroll/> </purpose>
    <quality> <highest/> </quality>
    <format>
      <formatOwner> <id> <ibia-SecuGen/> </id> </formatOwner>
      <formatType> <INTEGER> 1 </INTEGER> </formatType>
    </format>
  </biometricHeader>
  <biometricData>
    14000000F40100000100120003 ...
    000000000EC010000BEF7F15DC593F44F
  </biometricData>
</BiometricObject>

4
X9.84 Revelation
  • Biometric data cannot be kept confidential
  • faces can be photographed
  • voices can be recorded
  • fingerprints can be lifted
  • signatures can be copied
  • Thus the security of an authentication system
    cannot rely on secrecy of biometric data
  • Instead, must ensure the integrity and
    authenticity of the biometric data; privacy is
    optional

5
X9.84 in a Nutshell
  • Establishes a FRAMEWORK consisting of components
  • Data Capture, Signal Processing, Matching,
    Storage, etc.
  • Defines REQUIREMENTS for operating a biometric
    authentication system in a financial services
    environment
  • Enrollment, Verification, Identification and
    Storage
  • Provides TECHNIQUES satisfying the privacy,
    integrity and authenticity requirements for
    biometric data (ASN.1)
  • Harmonized w/ NISTIR 6529 CBEFF and BioAPI
    Specification 1.0
  • Offers comprehensive set of CONTROL OBJECTIVES
  • professional auditor can validate a biometric
    authentication system

6
XCBF Biometric Architecture
[Diagram: Application, BIR, BioAPI Framework, Biometric Service Provider]

7
XCBF Integrity
  • BiometricSyntax and ASN.1 Encoding Rules (DER,
    XER)
  • Integrity and mutual authentication requirements

[Diagram: Unprotected and Integrity record layouts; labels: 0 Biometric Header, 1 Biometric Header, Biometric Data (BD), Integrity Block (AID, Security Info, Integrity Value)]

  • Algorithm Identifier: RSA / SHA-1, DSA / SHA-1, ECDSA / SHA-1, MAC or HMAC
  • Security Info: algorithm parameters, key management info
  • Integrity Value: digital signature, MAC

8
XCBF Integrity ASN.1
  • BiometricObject can be digitally signed, MACed
    (or HMAC), or used in CMS SignedData or CMS
    AuthenticatedData using DER or XER

[Diagram: Unprotected and Integrity record layouts; labels: 0 Biometric Header, 1 Biometric Header, Biometric Data (BD), Integrity Block (AID, Security Info, Integrity Value)]

IntegrityObject ::= SEQUENCE {
    biometricObject  BiometricObject,
    integrityBlock   IntegrityBlock
}

IntegrityBlock ::= CHOICE {
    signature         Signature,
    mac               Mac,
    signedData        SignedData,
    authenticateData  AuthenticatedData
}
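
Added example (not from the original slides or from Griffin Consulting's tools): the integrity block of slides 7 and 8, and the slide 4 point that security rests on integrity rather than secrecy, sketched in Python with an HMAC. HMAC-SHA-256, the dictionary field names, the key name and the whitespace-stripping canonical form (standing in for DER or XER) are assumptions made for the illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample shaped like the slide's BiometricObject (data shortened).
SAMPLE = b"""<BiometricObject><biometricHeader>
<version> <hv1/> </version>
<recordType> <id> <finger-Image/> </id> </recordType>
<dataType> <processed/> </dataType> <purpose> <enroll/> </purpose>
</biometricHeader>
<biometricData>14000000F401000001001200</biometricData></BiometricObject>"""

def canonical(xml_bytes):
    """Re-serialize without inter-element whitespace so the MAC input is stable.
    Stand-in for the DER or XER encoding the slides name."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        el.text = (el.text or "").strip() or None
        el.tail = None
    return ET.tostring(root)

def mac(key, xml_bytes):
    return hmac.new(key, canonical(xml_bytes), hashlib.sha256).hexdigest()

def protect(xml_bytes, key, key_name):
    # Hypothetical field names mirroring AID / Security Info / Integrity Value.
    block = {"aid": "HMAC-SHA-256", "securityInfo": {"keyName": key_name},
             "integrityValue": mac(key, xml_bytes)}
    return {"biometricObject": xml_bytes, "integrityBlock": block}

def verify(obj, keys):
    """Recompute the MAC over header and data; fail closed on anything unexpected."""
    block = obj["integrityBlock"]
    key = keys.get(block["securityInfo"]["keyName"])
    if key is None or block["aid"] != "HMAC-SHA-256":
        return False  # unknown key, or an algorithm the verifier did not choose
    try:
        expected = mac(key, obj["biometricObject"])
    except ET.ParseError:
        return False
    return hmac.compare_digest(expected, block["integrityValue"])

def demo():
    keys = {"enroll-station-1": b"constructed-demo-key"}  # constructed key
    obj = protect(SAMPLE, keys["enroll-station-1"], "enroll-station-1")
    # Same fingerprint bytes, header purpose flipped from enroll to verify.
    tampered = dict(obj, biometricObject=SAMPLE.replace(b"<enroll/>", b"<verify/>"))
    # Integrity block edited to name an algorithm that would skip the check.
    downgraded = dict(obj, integrityBlock=dict(obj["integrityBlock"], aid="none"))
    return verify(obj, keys), verify(tampered, keys), verify(downgraded, keys)
```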

9
XCBF Privacy
  • Biometric Syntax and ASN.1 Encoding Rules (DER,
    XER)
  • Privacy Option

[Diagram: Unprotected and Privacy record layouts; labels: 0 Biometric Header, 2 Biometric Header, Biometric Data (BD), encrypt, Privacy Block (AID, Security Info, Biometric Data)]

  • Algorithm Identifier: DES, Triple DES, AES
  • Security Info: algorithm parameters, key management info
  • Biometric Data: encrypted data

10
XCBF Privacy ASN.1
  • BiometricObject can be used in CMS EncryptedData,
    CMS EnvelopedData or encrypted with a named key
    using DER or XER encoding rules

[Diagram: Unprotected and Privacy record layouts; labels: 0 Biometric Header, 2 Biometric Header, Biometric Data (BD), encrypt, Privacy Block (AID, Security Info, Biometric Data)]

PrivacyObject ::= SEQUENCE {
    biometricHeader  BiometricHeader,
    privacyBlock     PrivacyBlock
}

PrivacyBlock ::= CHOICE {
    fixedKey        EncryptedData,
    namedKey        NamedKeyEncryptedData,
    establishedKey  EnvelopedData
}

NamedKeyEncryptedData ::= SEQUENCE {
    keyName        OCTET STRING,
    encryptedData  EncryptedData
}

11
XCBF Integrity and Privacy
  • Biometric Syntax and ASN.1 Encoding Rules (DER,
    XER)
  • Integrity and authentication with privacy

[Diagram: record layouts; labels: 0 Biometric Header, 1 Biometric Header, 3 Biometric Header, Biometric Data (BD), encrypt, Privacy Block (AID, Security Info, Biometric Data), Integrity Block (AID, Security Info, Integrity Value), generate digital signature]

12
XCBF Integrity and Privacy ASN.1
  • Biometric Syntax and ASN.1 Encoding Rules (DER,
    XER)
  • Integrity and authentication with privacy

[Diagram: record layouts; labels: 1 Biometric Header, 3 Biometric Header, Biometric Data (BD), encrypt, Privacy Block (AID, Security Info, Biometric Data), Integrity Block (AID, Security Info, Integrity Value)]

PrivacyAndIntegrityObject ::= SEQUENCE {
    biometricHeader  BiometricHeader,
    privacyBlock     PrivacyBlock,
    integrityBlock   IntegrityBlock
}

Represented in XML as:

<PrivacyAndIntegrityObject>
  <biometricHeader> ... </biometricHeader>
  <privacyBlock> ... </privacyBlock>
  <integrityBlock> ... </integrityBlock>
</PrivacyAndIntegrityObject>

13
Useful Links
  • XCBF and X9.84 rely heavily on ITU-T SG17 Technologies.
  • ASN.1 X.680 and X.690
  • Directory X.500 Standards

  • Module Database: http://www.itu.int/ITU-T/asn1/database/index.html
  • Syntax Checker and Books: http://www.ossnokalva.com/
  • Recommendations: http://www.itu.int/ITUT/studygroups/com17/languages/index.html
  • Host: ftp://ties.itu.int, login: asn1, password: notation1
  • Griffin Consulting - Secure Messaging Design, Tools and Services: http://ASN-1.com/