Biometric Security Roles & Resources Part 2: BIAS
Cathy Tilton, Chair, BIAS Integration TC; VP, Standards & Emerging Tech, Daon
www.oasis-open.org
Biometric Identity Assurance Services (BIAS)
In reviewing the current biometric-related standards portfolio and service oriented architecture (SOA) references, it became apparent that a gap existed in the availability of standards related to biometric services.
(Diagram: Biometric Applications linked by "?" to Biometric Resources; candidate existing standards shown as ANSI/NIST-ITL 1-2000/7?, BioAPI/BIP?, Other?)
Why now?
- Biometric systems and customers are becoming more sophisticated
- Increased interest in and utility of biometrics
  - Government & commercial, but mostly driven by the former at present
- Large, complex systems
  - Enterprise architectures built on the SOA model & standards
  - Emphasis on data sharing & reuse of resources/services
  - The need for vendor independence, multiple sources
- Departure from custom solutions
  - Embracing of open systems, standards
- New requirements for interoperability and flexibility
BIAS – Driving Requirements
- Provide ability to remotely invoke biometric operations across an SOA infrastructure, decoupling the service from the interface (and requester) that calls it.
- Provide business level operations, without constraining the application/business logic that implements those operations.
- Provide basic capabilities that can be used to construct higher level, aggregate/composite operations.
- Be as generic as possible – technology, framework, and application domain independent.
Context
- Example Applications
  - Border management
  - Credentialing
  - Customer/subscriber identification
- Example Resources
  - A fingerprint verification matching server
  - A 1:N iris search/match engine
  - A facial biometric watch list
  - A criminal or civil automated fingerprint identification system (AFIS)
  - A name-based biographic identity database
  - An archive of biometric identifiers
  - A population of subjects
(Diagram: Application, Matcher, Service Provider, ID database, Authen. Server)
Person-Centric and Encounter-Centric Systems
INCITS & OASIS Collaboration
- Development of the BIAS standard requires expertise in two distinct technology domains to ensure that the final specification provides the right structure, functionality, and technical details:
  - Biometrics, with standards leadership provided by INCITS M1
  - Service Architectures (initially focused on Web services), with standards leadership provided by OASIS
- Close collaboration between both standards organizations is required:
  - Existing standards are available in both domains and many of these standards will provide the foundation and underlying capabilities upon which the biometric services depend.
(Diagram: OASIS defines the Web services bindings (schema, protocol); INCITS M1 defines the "taxonomy" (identity assurance operations, data elements))
Goals
- BIAS will provide an open framework for deploying and invoking biometric-based identity assurance capabilities that can be readily accessed using services-based frameworks.
- BIAS will provide a generic set of biometric (and related) functions and associated data definitions to allow remote access to biometric services.
- BIAS will specify a set of patterns and bindings for the implementation of BIAS operations using Web services within service-oriented architectures.
Scope
(Diagram: 2 Primary Needs, Generic Biometric Services and Integrated Authentication Services, with the labels BIAS and Future)
BIAS System Context (INCITS M1)
- BIAS services are modular and independent operations which can be assembled in many different ways to support a variety of business processes.
- BIAS services may be implemented with differing technologies on multiple platforms.
- BIAS services can be publicly exposed directly and/or utilized indirectly in support of a service provider's own public services.
BIAS System Context (OASIS)
- Defines an XML messaging protocol to implement the "abstract" services specified in INCITS M1.
- SOAP over HTTP
  - WSDL defined
- Synch & Asynch operations
Representing biometric data
- To meet BIAS goals, any type of biometric information needs to be able to be represented and used in the services.
- BIAS utilizes the existing CBEFF* standard (ISO/IEC 19785-1:2006) to represent biometric data.
  - BIAS does not require any particular CBEFF patron format. BIAS implementations may support one or multiple CBEFF patron formats.
- BIAS specification includes an XML representation of CBEFF header information.
- Biometric Information Record (BIR) payload may contain standardized or proprietary data formats
  - e.g., standard formats per INCITS 378, 379, 381, 385 … or ISO 19794-x.
* Common Biometric Exchange Formats Framework
Representing biographic data
- BIAS provides flexibility for the amount and types of biographic data supported by implementing systems.
- BIAS provides two methods for representing biographic information:
  - A set of individual data items (name/type/value combinations)
  - An existing format, such as:

Biographic Data Format
name          version    source                           type
HR-XML        2.5        http://www.hr-xml.org/           XML
CIQ xNAL      2.0, 3.0   http://www.oasis-open.org/       XML
NIEM          1.0, 2.0   http://www.niem.gov/             XML
EBTS Type-2   1.2        http://www.biometrics.dod.mil/   ASCII
EFTS Type-2   7.1        http://www.fbi.gov/              ASCII
BIAS Services
- Subject
- Create/delete subject
- Add/remove subject from gallery
- Biographics
- Set/list biographic data
- Update/delete biographic data
- Retrieve biographic data
- Biometrics
- Set/list biometric data
- Update/delete biometric data
- Retrieve biometric data
- Searching/processing
- Verify subject
- Identify subject
- Check quality
- Classify biometric data
- Perform fusion
- Transform biometric data
- Aggregate services
- Enroll
- Identify
- Verify
- Retrieve information
- Discovery
- Query Capabilities
Services for managing enrollments
- Create Subject: creates a new subject record and associates a subject ID to that record
- Delete Subject: deletes an existing subject record and, in an encounter-centric model, any associated encounter information from the system
- Add Subject to Gallery: registers a subject to a given gallery or population group
- Delete Subject from Gallery: removes the registration of a subject from a gallery or population group
Services for managing information about an enrolled individual:
- Set Biographic Data: associates biographic data with a given subject record; may either replace existing data or create a new encounter
- Update/Delete Biographic Data: updates/removes biographic data from a given subject or encounter
- List Biographic Data: lists the biographic data elements stored for a subject or encounter
- Retrieve Biographic Data: retrieves the biographic data associated with a subject or encounter
- Set Biometric Data: associates biometric data with a given subject record; may either replace existing data or create a new encounter
- Update/Delete Biometric Data: updates/removes biometric data from a given subject or encounter
- List Biometric Data: lists the biometric data elements stored for a subject or encounter
- Retrieve Biometric Data: retrieves the biometric data associated with a subject or encounter
Services for biometric searching and processing
- Verify Subject: performs a 1:1 verification match between a given biometric and either a claim to identity in a given gallery or another given biometric
- Identify Subject: performs an identification search against a given gallery for a given biometric, returning a rank-ordered candidate list of a given maximum size
- Check Quality: returns a quality score for a given (input) biometric
- Classify Biometric Data: classifies a given (input) biometric
- Perform Fusion: accepts either match score or match decision information and creates a fused match result
- Transform Biometric Data: transforms or processes a given biometric in one format into a new target format (e.g., feature extraction, center/crop, convert data format)
Aggregate/composite services
- Enroll
  - adds a new subject or a new encounter to the system
  - may include and be contingent upon a negative identification
  - may utilize other BIAS services
- Identify
  - performs an identification function according to system requirements and/or resources (e.g., search multiple galleries)
  - may utilize other BIAS services
- Verify
  - performs a 1:1 verification function according to system requirements and/or resources
  - may utilize other BIAS services
- Retrieve Information
  - retrieves requested information about a subject
  - may include biographic + biometric data, and/or multiple encounters
  - may utilize other BIAS services
Asynchronous operations
- Enroll: Get Enroll Results
- Identify: Get Identify Results
- Verify: Get Verify Results
- Identify Subject: Get Identify Subject Results

<interface name="IdentifySubject">
  <parameter name="GalleryID" type="xs:string" direction="in" />
  <parameter name="BIR" type="CBEFF_BIR_Type" direction="in" />
  <parameter name="MaxListSize" type="xs:int" direction="in" />
  <parameter name="Return" type="xs:unsignedLong" direction="out" />
  <parameter name="CandidateList" type="CandidateListType" direction="out" use="conditional" />
  <parameter name="Token" type="TokenType" direction="out" use="conditional" />
</interface>
<interface name="GetIdentifySubjectResults">
  <parameter name="Token" type="TokenType" direction="in" />
  <parameter name="Return" type="xs:unsignedLong" direction="out" />
  <parameter name="CandidateList" type="CandidateListType" direction="out" />
</interface>
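As an added illustration of the asynchronous pattern in the two interface definitions above (not code from the BIAS specification or the OASIS WSDL), the following Python models both sides of the IdentifySubject / GetIdentifySubjectResults exchange with plain XML elements in place of SOAP envelopes: the server answers either with a CandidateList or with a single-use Token, and the client resolves a Token by calling GetIdentifySubjectResults. The in-memory gallery, the Return value 0 for success and the base64 BIR placeholder are assumptions made for the example.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-in for a BIAS service provider's matcher state (not the
# OASIS reference code); Return "0" is assumed to mean success.
GALLERIES = {"watchlist": ["subj-17", "subj-42"]}   # constructed sample gallery
PENDING = {}                                        # token -> deferred candidate list

def identify_subject_request(gallery_id, bir_b64, max_list_size):
    # Client side: the three 'in' parameters of IdentifySubject as XML.
    req = ET.Element("IdentifySubject")
    ET.SubElement(req, "GalleryID").text = gallery_id
    ET.SubElement(req, "BIR").text = bir_b64            # CBEFF BIR, base64 placeholder
    ET.SubElement(req, "MaxListSize").text = str(max_list_size)
    return req

def service_identify_subject(req, asynchronous):
    """Server side: exactly one of the conditional outputs, CandidateList or Token."""
    gallery = GALLERIES.get(req.findtext("GalleryID"), [])
    candidates = gallery[: int(req.findtext("MaxListSize"))]
    resp = ET.Element("IdentifySubjectResponse")
    ET.SubElement(resp, "Return").text = "0"
    if asynchronous:
        token = secrets.token_urlsafe(16)   # unguessable handle to the pending result
        PENDING[token] = candidates
        ET.SubElement(resp, "Token").text = token
    else:
        cl = ET.SubElement(resp, "CandidateList")
        for sid in candidates:
            ET.SubElement(cl, "Candidate").text = sid
    return resp

def service_get_identify_subject_results(token):
    """Server side: GetIdentifySubjectResults; a token is single-use."""
    resp = ET.Element("GetIdentifySubjectResultsResponse")
    candidates = PENDING.pop(token, None)
    ET.SubElement(resp, "Return").text = "0" if candidates is not None else "1"
    if candidates is not None:
        cl = ET.SubElement(resp, "CandidateList")
        for sid in candidates:
            ET.SubElement(cl, "Candidate").text = sid
    return resp

def client_identify(gallery_id, bir_b64, max_list_size, asynchronous=True):
    """Client side: resolve the conditional Token by fetching the results."""
    req = identify_subject_request(gallery_id, bir_b64, max_list_size)
    resp = service_identify_subject(req, asynchronous)
    token = resp.findtext("Token")
    if token is not None:                # deferred: come back with the token
        resp = service_get_identify_subject_results(token)
    if resp.findtext("Return") != "0":
        raise RuntimeError("BIAS operation failed, Return=" + resp.findtext("Return"))
    return [c.text for c in resp.iter("Candidate")]
```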
Security
3 areas:
- Integrity & Authenticity
- Confidentiality/Privacy
- Access Control
Intent: Support a variety of implementation environments
Minimum requirements:
- Signed XML
- HTTPS
Intended to be used in conjunction with other WS-* security capabilities (WS-Security, SAML, etc.)
Process flow – border mgmt example
(Flowchart: Start → Identify Subject → Match Found? No: Create New Subject (Create Subject, Set Biographic Data, Set Biometric Data, Add Subject To Gallery) → Finish. Yes: Known Subject → Save and Associate Encounter (Set Biographic Data, Set Biometric Data) → Finish.)
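The border management flow above, worked through in Python as an added example (not part of the presentation or of any BIAS reference material): an in-memory stand-in for a BIAS service provider exposes Create Subject, Set Biographic Data, Set Biometric Data, Add Subject to Gallery and Identify Subject, and border_encounter composes them as the Enroll aggregate service contingent on a negative identification. The BiasProvider class, its exact-match placeholder matcher and the subject-id scheme are assumptions made for the example.

```python
import itertools

class BiasProvider:
    """Constructed in-memory stand-in for a BIAS service provider (not the
    OASIS/INCITS reference implementation). Encounter-centric model: each
    Set Biographic Data call opens a new encounter for the subject."""
    def __init__(self):
        self.subjects = {}                 # subject id -> list of encounters
        self.galleries = {}                # gallery id -> set of subject ids
        self._ids = itertools.count(1)

    def create_subject(self):
        sid = f"subj-{next(self._ids)}"
        self.subjects[sid] = []
        return sid

    def set_biographic_data(self, sid, biographic):
        self.subjects[sid].append({"biographic": dict(biographic)})

    def set_biometric_data(self, sid, bir):
        encounters = self.subjects[sid]
        if not encounters:                 # no open encounter yet: start one
            encounters.append({})
        encounters[-1]["biometric"] = bir

    def add_subject_to_gallery(self, gallery_id, sid):
        self.galleries.setdefault(gallery_id, set()).add(sid)

    def identify_subject(self, gallery_id, bir, max_list_size):
        # Placeholder matcher: exact template equality stands in for a real
        # biometric comparison score; a deployment would call its match engine.
        hits = [sid for sid in sorted(self.galleries.get(gallery_id, ()))
                if any(e.get("biometric") == bir for e in self.subjects[sid])]
        return hits[:max_list_size]

def border_encounter(bias, gallery_id, biographic, bir):
    """The flowchart: Identify Subject, then either save a new encounter for a
    known subject or create and register a new subject.
    Returns (subject id, whether the subject was already known)."""
    candidates = bias.identify_subject(gallery_id, bir, max_list_size=1)
    known = bool(candidates)
    sid = candidates[0] if known else bias.create_subject()
    bias.set_biographic_data(sid, biographic)   # save and associate encounter
    bias.set_biometric_data(sid, bir)
    if not known:                               # new subject: register it
        bias.add_subject_to_gallery(gallery_id, sid)
    return sid, known
```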
Example eG use case
- Registered Traveler Program
  - RT is a trusted passenger program to expedite and enhance security screening of passenger participants
  - Travelers must apply to enroll in the program via a service provider, which collects biographic and biometric information as part of the application process
  - The TSA conducts a Security Threat Assessment on all applicants
  - If approved, a traveler is issued an RT card containing authentication information
  - In operational use, a cardholder is verified to ensure legitimacy using fingerprint or iris biometrics
RT – Functional Flow
- The Enrollment Provider collects biographic and biometric information from an RT Applicant and transmits it to the CIMS (Steps 1 and 2).
- The CIMS formats and transmits the data to the TSA (Step 3).
- The TSA conducts a Security Threat Assessment at application and re-vets on a perpetual basis (Step 4) and transmits an approved or not approved finding back to the CIMS (Step 5).
- The CIMS informs the Enrollment Provider of acceptance or non-acceptance (Step 6), and the Enrollment Provider informs the RT Applicant and issues a card with the authentication payload created at the CIMS if he or she is approved (Step 7).
- When an RT Participant travels through a participating airport, they use the RT card at an RT verification station which confirms the individual's current status in the RT program (Step 8).
Applying BIAS to RT – Step 1
- Pre-Enrollment
- Each traveler applying for an RT card may, if supported by the Enrollment Provider, pre-enroll
- This involves accessing a web-site and entering biographic data. This data is stored for the applicant.
- BIAS Services
- Create Subject
- Add Biographic Data
Applying BIAS to RT – Step 2
- Enrollment
- Complete the enrollment process by reviewing biographic information supplied at pre-enrollment and collecting biometric information
- BIAS Services
- (EP Internal) Retrieve Biographic Data
- (EP Internal) Update Biographic Data (if any edits to biographic information)
- (EP Internal) Set Biometric Data
- (CIMS interface) Enroll
Applying BIAS to RT – Steps 3-6
- Registration, Vetting Coordination, and Card Payload Generation
- Submit a request to TSA for a Security Threat Assessment
- BIAS Services
- (CIMS internal) Create Subject
- (CIMS internal) Set Biometric Data
- (TSA interface) Identify
- (CIMS internal) Add Subject to Gallery
Applying BIAS to RT – Step 7
- Create Card
If all enrollment processing completes with no adverse information, resulting in an “approval” decision, then the RT card may be issued
- BIAS Services
(EP internal) Add Subject to Gallery
Applying BIAS to RT – Step 8
- Verification
The traveler’s biometric is captured and compared against the biometric information stored on the card
- BIAS Services
(VP internal) Verify Subject
Example eB use case – Online Banking
Overview:
- An individual has an existing bank account at XYZ Bank and would like to access this account information and perform transactions.
- In lieu of a password, the bank has configured their online banking web application to use biometric verification.
- The account holder uses a home PC with a biometric device (e.g., an iris camera) installed.
Two situations described:
- Enrollment: associate biometric information with the account
- Account Access: access the account using a biometric as the method of verification
Note: This example could also be structured using biometrics as a front-end to a traditional authentication protocol.
Online Banking – Enrollment
(Sequence diagram, Account Holder and XYZ Bank: (1) one-time biometric enrollment password; (2) verify password and initiate biometric enrollment; (3a) capture biometric information; (3b) perform local 1:1 verification; (4) submit biometric information [Set Biometric Data])
(1) The bank has issued the individual a one-time password to allow the account holder to enroll biometric information into the system.
(2) The individual accesses the online banking site and selects ‘biometric enrollment’. The individual enters the account number and one-time password to access this function. Once verified, the enrollment application is initiated.
(3) The individual follows the steps to capture biometric data and to perform a local 1:1 match against that data to ensure it will be matchable.
(4) Once suitable data is acquired, it is submitted to the bank as an enrollment [Set Biometric Data].
Online Banking – Account Access
(Sequence diagram, Account Holder and XYZ Bank: (1) access online banking system; (2) capture biometric information; (3) submit biometric information [Verify Subject])
(1) The account holder accesses the online banking site and enters the account number. At this point, the individual is challenged to present a biometric (e.g., capture iris data).
(2) The individual interacts with the device to capture the biometric data.
(3) The biometric data is transmitted to the bank for verification [Verify Subject]. If the verification is successful, the bank will provide access to the transaction screens for the individual's account.
Status
- INCITS project 1823-D, BIAS
  - Essentially complete
  - Public review scheduled for July (Rev 6)
  - Latest posted draft (Rev 5): http://www.incits.org/tc_home/m1htm/2007docs/m1070198.pdf
- OASIS document: BIAS Messaging Protocol
  - Working draft – WSDL complete, gaps in other areas
  - Update needed to align with INCITS document
  - New editors recently identified
  - Latest draft (Ed draft 0.8): http://www.oasis-open.org/committees/download.php/22543/bias-1%200-biasmp-ed-08.pdf
  - WSDL: http://www.oasis-open.org/committees/download.php/22544/bias.wsdl
- Goal: Ready for review by late 2007
Participation
INCITS M1: http://www.incits.org/tc_home/m1.htm
OASIS BIAS TC: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=bias
Sponsor level members