ISSA Web Conference - Biometric Information Security Management

Date post: 22-Nov-2014
Description:
August 2010 presentation.
Transcript
  • 1. Biometric Information Security Management Phillip H. Griffin Information Security Consultant GRIFFIN Consulting
  • 2. Biometric Security Standards
      X9.84-2010, Biometric Information Management and Security
      - Industry-neutral information security standard
      - Financial services specific use cases
      - Became a US national standard in 2003; revised 2009 (Wells provided the editor; Griffin created the secure abstract schema)
      - Selectively incorporates ISO 19092 improvements
      ISO 19092
      - Extends and internationalizes X9.84-2003
      - McCormick, US expert; Griffin, standard editor
      - Omitted important X9.84 technical content
      - Omitted the schema needed for practical implementation
  • 3. Biometric Security Standards Content (compared for X9.84 and ISO 19092)
      - Biometrics Overview & Tutorial
      - Technical Considerations & Architecture
      - Biometric Information Security Management
      - Cryptographic Controls and Techniques
      - Physical Controls
      - ASN.1 Schema (compact binary & XML markup)
      - Secure Biometric System Event Journal
  • 4. Biometric Security Standards Content, continued (compared for X9.84 and ISO 19092)
      - Audit Checklist (BVCO)
      - Match Decision Protocol
      - ISO 8583 Retail Message Extension
      - Data Flow Diagrams & Descriptions
      - Security Considerations
      - Public Policy Considerations
      - Business Use Cases
  • 5. X9.84: A Biometrics Tutorial. Biometric Technology Overview
      Basics: Biometric identification leverages the universally recognized fact that certain physiological or behavioral characteristics can reliably distinguish one person from another.
      Biometric Types: Fingerprint (also Voice, Signature, Iris, Retina, Face, ...). The pattern of friction ridges and valleys on an individual's fingertips is considered unique to that individual.
  • 6. X9.84 Authentication System Compliance: Biometric System Auditor Checklist. Biometric Validation Control Objectives
      - Environmental Controls: a biometric system within or employing an IT infrastructure requires these controls for a secure implementation.
      - Key Management Lifecycle Controls: needed when a biometric system employs cryptographic protection, e.g., digital signatures for data integrity and origin authentication, and encryption for confidentiality.
      - Biometric Information Lifecycle Controls: a biometric system enrolls individuals by capturing biometric data to generate, distribute, use, and eventually terminate templates, similar to a PKI.
  • 7. X9.84 Authentication System Compliance: Biometric System Event Journal. Shows that an organization provides reasonable assurance that:
      - environmental, key management lifecycle, and biometric information lifecycle events are accurately and completely logged, so that the operation of the biometric system can be shown to meet the control objectives;
      - the confidentiality and integrity of current and archived event journals are maintained;
      - complete event journals are securely and confidentially archived in accordance with disclosed business practices;
      - event journals are reviewed periodically by authorized personnel.
  • 8. Extending Biometric Template Information: Biometric Template Attributes
      Attributes can be bound to a template using a detached signature. Detached signatures are stored separately from the template itself, so they do not interfere with template use by a biometric service provider (BSP), say during the biometric matching process. Signature verification of the information security management attributes cryptographically bound to a biometric reference template can be performed by another application process, perhaps by a Web Service.
  • 9. Biometric Security Management Attributes (example attribute values)
      - fingerprint, iris
      - 2 -- two factor authentication
      - 3 -- lock after 3 bad tries
      - 1.2.3.4
      - http://phillipgriffin.com/policy/99
  • 10. Binding Security Attributes to Reference Templates (diagram: BSP, Database)
      Detached signatures can bind security and privacy attributes to biometric templates.
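Slides 8 to 10 describe binding security attributes to a reference template with a detached signature that a separate process can verify without touching the matcher. The Go program below is an added illustration of that pattern and is not code from the presentation or from the X9.84/X9.73 standards. It uses only the standard library (ECDSA over P-256, SHA-256, encoding/asn1). The SignedAttributes structure and its field names, the stand-in template bytes and the freshly generated key are assumptions made up for the example; the attribute values are the ones listed on slide 9. The template digest is carried inside the signed attributes the way the CMS messageDigest attribute does it, so the signature ties the attributes to one specific template, and the verifier hashes the stored DER bytes rather than a re-encoding of a decoded struct.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
)

// SignedAttributes is made up for this example (it is not the X9.84 schema). A digest
// of the reference template travels with the attributes, so the signature binds them to one template.
type SignedAttributes struct {
	MessageDigest  []byte                // SHA-256 of the reference template
	BiometricTypes []string              // fingerprint, iris
	AuthFactors    int                   // 2 -- two-factor authentication
	MaxBadTries    int                   // 3 -- lock after 3 bad tries
	PolicyOID      asn1.ObjectIdentifier // 1.2.3.4
	PolicyURL      string `asn1:"ia5"`   // http://phillipgriffin.com/policy/99
}

// DetachedSignature is stored apart from the template; it keeps the exact DER bytes that were signed.
type DetachedSignature struct {
	SignedAttrs []byte // DER(SignedAttributes)
	Signature   []byte // ECDSA (ASN.1 r,s) over SHA-256(SignedAttrs)
}

// BindAttributes is the enrollment-side step: digest the template, encode, sign.
func BindAttributes(priv *ecdsa.PrivateKey, template []byte, attrs SignedAttributes) ([]byte, error) {
	d := sha256.Sum256(template)
	attrs.MessageDigest = d[:]
	der, err := asn1.Marshal(attrs)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(DetachedSignature{SignedAttrs: der, Signature: sig})
}

// VerifyBinding can run in another process (a Web service, say); it needs only the template,
// the detached blob and the signer's public key. The BSP matcher never has to parse it.
func VerifyBinding(pub *ecdsa.PublicKey, template, detached []byte) (*SignedAttributes, error) {
	var ds DetachedSignature
	if rest, err := asn1.Unmarshal(detached, &ds); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed DetachedSignature: %v", err)
	}
	h := sha256.Sum256(ds.SignedAttrs) // check the signature before trusting the contents
	if !ecdsa.VerifyASN1(pub, h[:], ds.Signature) {
		return nil, fmt.Errorf("signature invalid: attributes altered or signed by another key")
	}
	var attrs SignedAttributes
	if rest, err := asn1.Unmarshal(ds.SignedAttrs, &attrs); err != nil || len(rest) != 0 {
		return nil, fmt.Errorf("malformed SignedAttributes: %v", err)
	}
	d := sha256.Sum256(template) // authentic attributes, but do they belong to THIS template?
	if string(d[:]) != string(attrs.MessageDigest) {
		return nil, fmt.Errorf("template digest mismatch: attributes bound to a different template")
	}
	return &attrs, nil
}

// RunDemo enrolls a constructed stand-in template, verifies the binding, then tries two
// forgeries: relaxing the lockout inside the signed bytes, and swapping the template.
func RunDemo() (maxBadTries int, forgedAttrsRejected, swappedTemplateRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	template := []byte("CONSTRUCTED-FINGERPRINT-TEMPLATE-0001") // constructed, not a real BSP template
	detached, err := BindAttributes(priv, template, SignedAttributes{
		BiometricTypes: []string{"fingerprint", "iris"},
		AuthFactors:    2,
		MaxBadTries:    3,
		PolicyOID:      asn1.ObjectIdentifier{1, 2, 3, 4},
		PolicyURL:      "http://phillipgriffin.com/policy/99",
	})
	if err != nil {
		return
	}
	got, err := VerifyBinding(&priv.PublicKey, template, detached)
	if err != nil {
		return
	}
	maxBadTries = got.MaxBadTries
	var ds DetachedSignature // forgery 1: re-encode with MaxBadTries=99 under the old signature
	asn1.Unmarshal(detached, &ds)
	got.MaxBadTries = 99
	ds.SignedAttrs, _ = asn1.Marshal(*got)
	forged, _ := asn1.Marshal(ds)
	_, e1 := VerifyBinding(&priv.PublicKey, template, forged)
	// forgery 2: present someone else's template with the genuine detached signature
	_, e2 := VerifyBinding(&priv.PublicKey, []byte("SOMEONE-ELSES-TEMPLATE"), detached)
	return maxBadTries, e1 != nil, e2 != nil, nil
}

func main() {
	fmt.Println(RunDemo())
}
```

Run with `go run`; it prints the recovered MaxBadTries (3) and `true true` for the two rejected forgeries. The order of checks in VerifyBinding matters: the signature is verified over the opaque SignedAttrs bytes before those bytes are decoded, and only then is the template digest compared, so neither an attacker-edited attribute set nor a substituted template can pass with a signature made for the original pair.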
  • 11. Biometric Security Management Layer (diagram; components: User, Identity and Access Management (IAM), BSP, User Auth, IAM / BSP API, Biometric Security Management (BSM), Password Management, Application, Event Journal, PKI, Signed Attributes)
  • 12. For a Deeper Dive
      - ANSI X9.84:2010, Biometric Information Management and Security
      - ANSI X9.73:2010, Cryptographic Message Syntax (CMS), ASN.1 and XML
      - ISSA Journal, January 2007: "ISO 19092: A Standard for Biometric Security Management"
