Date post: | 13-Jul-2015 |
Category: | Documents |
Upload: | cornel-hartmann |
5/12/2018 Ref_14_18p_Biometric Management and Security for the Financial Sevices Industy-X984 - slidepdf.com
http://slidepdf.com/reader/full/ref1418pbiometric-management-and-security-for-the-financial-sevices-industy-x984 1/18
ANSI X9.84
Biometric Management and Security for the Financial Services Industry
Jeff Stapleton, chair KPMG [email protected]
Judith Markowitz J. Markowitz, Consultants [email protected]
ANSI X9F4 Working Group
X9F4 Working Group, November 8, 2000

What is X9.84?
- Standard of the American National Standards Institute (ANSI)
- Focuses on management of the biometric data across its life cycle
- Covers enrollment, verification, and identification
- Primary industry focus is financial services
- Developed in collaboration with other standards efforts

Where Does X9.84 Fit?
ISO
Accredited Standards Committee
Financial Services Industry
NCITS B10 - Identification Cards and Related Devices
www.ncits.org

Where Does X9.84 Fit?
ANSI
www.x9.org
- X9A - Retail Banking Subcommittee
- X9B - Check Processing Subcommittee
- X9D - Securities Subcommittee
- X9F - Information and Data Security Subcommittee
  - X9F1 - Cryptographic Tools
  - X9F3 - Cryptographic Protocols
  - X9F4 - Cryptographic Applications
    - X9.84 Biometric Management and Security for the Financial Services Industry
  - X9F5 - Certificate Policy and Procedures
  - X9F6 - Cardholder Authentication and ICC

Interested ISO Committees
Technical Committee 68 - Financial Industry
  Subcommittee 2 - Information Security
Joint Technical Committee One (JTC1) ISO/IEC
  Subcommittee 17 - Passports and Identification Cards

Collaborative Standards Activities
BioAPI (www.bioapi.org)
Biometric API - Vendor, biometric, and operating system independent API. Version 1.0 released April, 2000. Participants from biometrics industry, software developers, and system integrators.
CBEFF (www.nist.gov/cbeff)
Common Biometric Exchange File Format - enable interoperability of biometric-based application programs and systems from different vendors

Collaborators
[Diagram: X9.84 with its collaborators: BioAPI, NIST/ITL CBEFF (Common Biometric Exchange File Format), Biometric Service Provider (BSP) API, and NCITS B10]

Other Standards Activities
ECTF (www.ectf.org)
Enterprise Computer-Telephony Forum (ECTF) Speaker Recognition Resource for the ECTF's S.100 Interface. They have an architecture for computer-telephony. S.100 is the API of the architecture.
BAPI (www.iosoftware.com)
Microsoft & I/O Software API - API for computing devices
SVAPI
Speaker Verification API (SVAPI) - disbanded

What is X9.84?
- Security of biometric data across its life cycle
- Management of the biometric data across its life cycle
- Usage of biometric technology for identifying and authenticating banking customers and employees
- Application of biometric technology for physical and logical access controls
- Encapsulation of biometric data
- Techniques for securely transmitting biometric data
- Security of the physical hardware used throughout the biometric life cycle

Security Services
Confidentiality: protection of data against unauthorized disclosure
Authentication: protection against unauthorized access / authorization to data
Integrity: protection of data against unauthorized modification / substitution
Non-repudiation: Authentication and Integrity provable to a third party
Access Control = Authentication + Authorization

Security Requirements
1. The biometric system must prevent captured biometric data from being introduced into the system through fake, system-attached, biometric capture devices.
2. The biometric system must ensure that biometric data can be introduced into the system only through authorized interfaces using prescribed procedures
* Source: A Biometric Standard for Information Management and Security

Security Requirements
3. The biometric system must implement protection mechanisms (controls and procedures) to detect or deter the synthetic biometric feature attack
4. Where necessary, the biometric system must implement protection mechanisms (controls and procedures) to prevent the exposure or loss of biometric data
* Source: A Biometric Standard for Information Management and Security

Security Requirements
5. The biometric system must implement protection mechanisms (controls and procedures) to ensure that the enrollment process is a well-defined
6. The biometric system must restrict access to the templates;
   - it must restrict the ability of an attacker to reconstruct the template database from intercepted biometric data (samples or templates);
   - it must restrict the ability of an attacker to issue verification requests against data in the template database
* Source: A Biometric Standard for Information Management and Security

X9.84 Approach
Biometric data should be managed so that
- integrity is highest security requirement
- unauthorized disclosure of biometric data should not compromise the system or the individual
NOTE
Biometric data are not inherently confidential or secret. Therefore, biometric data may still be encrypted to protect the system for reasons of individual privacy issues
* Source: X9.84 Biometric Information Management and Security

X9.84 Requirements
1. Mechanisms … to maintain the integrity of biometric data and verification results between any two components:
   - Cryptographic mechanisms such as a digital signature,
   - physical protection where no transmission is involved and all components reside within the same tamper resistant unit
2. Mechanisms … to authenticate the source of the biometric data and verification results, between the sender and receiver component:
   - Cryptographic mechanisms such as a digital signature
   - Using physical protection where no transmission is involved and all components reside within the same tamper resistant unit
3. If desired, mechanisms … to ensure the confidentiality of the biometric data during transmission
* Source: X9.84 Biometric Information Management and Security
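
A sketch of requirements 1 and 2 above, added here as an illustration and not taken from X9.84 or the presenters: the sending component wraps biometric data or a verification result in an authenticated envelope, and the receiver checks source and integrity before using it. It assumes per-component shared keys and uses HMAC-SHA-256 from the Python standard library as a stand-in for the digital signature the slide names; the component names, keys and envelope fields are hypothetical.

```python
import hashlib
import hmac
import json

# Assumption: HMAC with shared keys stands in for a digital signature.
# Constructed demo keys, one per sending component (hypothetical names).
COMPONENT_KEYS = {
    "capture-01": b"demo-key-capture-01",
    "matcher-01": b"demo-key-matcher-01",
}

def _mac_input(sender: str, kind: str, payload: bytes) -> bytes:
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = [sender.encode(), kind.encode(), payload]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def seal(sender: str, kind: str, payload: bytes) -> dict:
    """Wrap biometric data or a verification result for transmission."""
    key = COMPONENT_KEYS[sender]
    tag = hmac.new(key, _mac_input(sender, kind, payload), hashlib.sha256)
    return {"sender": sender, "kind": kind,
            "payload": payload.hex(), "tag": tag.hexdigest()}

def open_sealed(envelope: dict, expected_sender: str) -> bytes:
    """Return the payload only if source and integrity both check out."""
    sender = envelope.get("sender")
    if sender != expected_sender or sender not in COMPONENT_KEYS:
        raise ValueError("unexpected source component")
    payload = bytes.fromhex(envelope["payload"])
    expected = hmac.new(COMPONENT_KEYS[sender],
                        _mac_input(sender, envelope["kind"], payload),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("integrity check failed")
    return payload

def demo() -> list:
    sample = seal("capture-01", "sample", b"\x01\x02constructed-sample")
    result = seal("matcher-01", "result", json.dumps({"match": False}).encode())
    outcomes = [open_sealed(sample, "capture-01") == b"\x01\x02constructed-sample"]
    # A verification result altered in transit (No -> Yes) must be rejected.
    forged = dict(result, payload=json.dumps({"match": True}).encode().hex())
    for env, src in ((forged, "matcher-01"), (sample, "matcher-01")):
        try:
            open_sealed(env, src)
            outcomes.append("accepted")
        except ValueError as exc:
            outcomes.append(str(exc))
    return outcomes
```

A shared-key MAC gives integrity and source authentication between two components but not non-repudiation; the envelope also carries no freshness field, so replay handling is outside this sketch.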

X9.84 Architecture
Architecture
- A is storage only, all other components are external
- B input device and application are external
- C includes all components and application
[Diagram: Data Collection, Signal Processing, Matching, Storage, Decision, adaptation, Application, Yes/No, Score; boundaries A, B and C]
* Source: X9.84 Biometric Information Management and Security

What Is X9.84 Current Status?
- Work started in 1998
- Approved by X9F4 in April 2000
- Sent to X9 for a vote
- 30 day public review
- ANSI is going to submit X9.84 for new ISO standard
- New ISO working group (WG10) created to review X9.84. US will chair it and UK, Germany, Japan, and (maybe) Canada are among the participants.

Contact Information
[1] X9F4 Judith Markowitz [email protected]
    Jeff Stapleton [email protected]
[2] ANSI X9 www.x9.org
[3] NCITS B10 www.ncits.org
[4] Common Biometric Exchange File Format (CBEFF) www.nist.gov/cbeff
[5] BioAPI www.bioapi.org
[6] Biometric Consortium www.biometrics.org
[7] International Biometric Industry Association (IBIA) www.ibia.org
[8] Enterprise Computer-Telephony Forum (ECTF) www.ectf.org
[9] BAPI www.iosoftware.com