
ISO/IEC JTC 1 SC 37

Fernando L. Podio, SC Chair

Lisa Rajchel, SC Secretariat

2012 JTC 1 Plenary


Biometrics – Now and Then

For decades, biometric technologies were used primarily in law enforcement applications. Currently they are used in a number of identification and verification applications, for example:

Increasing number of global government projects

Financial/Healthcare/Educational applications/Entertainment

Personal security and convenience


Now and Then – Same Customers’ Needs

Verification of the users’ identity is one of the critical issues related to secured IT systems and applications.

Biometrics provides for secure transactions, positive identification and augmentation to human judgment.

The relationship between a biometric characteristic and the users of a system or application provides a binding that is stronger than the binding that can be achieved between a user and other technologies that are currently in use for “personal authentication”.


How many PINs/passwords can you remember?

Work Computers

Desktop

Mail server

Laptop computer

ID Badge

Personnel System

Door Access device

Business ATM card

IT services

Mobile devices

Home/Personal Bank

ATM card(s)

Spouse’s ATM card

Telephone access

Telephone

Cell phone

Internet

Airlines, Travelocity

Amazon.com

Mutual funds

Alarm System

Mobile devices Application markets

Online storage


Before SC 37 and 9/11

Before SC 37 and 9/11, biometric standards work was conducted at the national level and by International Consortia (examples):

E.g., ANSI/NIST standards in the USA, Biometric Profiles (e.g. FBI)

NIST/Biometric Consortium Interoperability, Assurance and Performance WG (international participation)

CBEFF (NISTIR 6529)

BioAPI Consortium (international participation) – Now an SC 37 Liaison Organization.

BioAPI Specification

TeleTrust Deutschland (Interoperability, Security)

ANSI X9 (Biometric Management & Security – X9.84-2000)


Common Biometric Exchange Formats Framework (CBEFF) – Evolution*

Workshop – Feb 1999

NISTIR 6529 – Jan 2001

NISTIR 6529-A – Apr 2004

ANSI INCITS 398-2005 – Feb 2005

ISO/IEC 19785-1 – May 2006

Rev. 1, 2008

Parts 2,3,4

Defines a common structure and set of metadata elements for exchanging biometric information.

Header (SBH)

Biometric Data Block (BDB)

(e.g. Finger, face, iris image)

Security Block (SB) - optional

CBEFF formats are registered with the Biometric Registration Authority (IBIA). Now an SC 37 Liaison Organization.

* “Biometric Interface Standards – What's New and What's Relevant?”, Catherine J. Tilton, Biometric Consortium conference, September 2012


Who is Using CBEFF?

ISO/IEC 19785 Parts:

19785-1: Elements

19785-2: Registration Authority Procedures

19785-3: Patron Formats

19785-4: Security Block Formats

CBEFF Instantiations (separate from Part 3):

BioAPI

ISO/IEC 7816-11

ICAO 9303 (ePassports)

PIV (SP800-76)

India UID

BIAS


Figure: Layered Set of Standards in Support of Biometric Interoperability & Data Interchange. Labels: Application 1 and Application 2 (conforming to Biometric Application Profiles); framework conforming to the BioAPI standard; Biometric Service Providers (BSPs) conforming to biometric data interchange format standards; biometric devices; biometric data structure conforming to CBEFF.


BioAPI Evolution*

Figure: timeline from HA-API through BioAPI 1.0, BioAPI 1.1 and ANSI INCITS 358 to ISO/IEC 19784-1 (BioAPI™ Consortium).

BioAPI defines an open system standard API that allows software applications to communicate with a broad range of biometric technologies in a common way

* “Biometric Interface Standards – What's New and What's Relevant?”, Catherine J. Tilton, Biometric Consortium conference, September 2012


BioAPI Evolution

ISO version (ISO/IEC 19784, Ver 2.x) – Part 1 was originally specified in “C” interface

Amd1: BioGUI

Amd2: Frameworkless

Amd3: Security

Part 2: Archive Function Provider Interface (FPI)

Part 4: Sensor FPI

Conformance Test Methodology (24709, 3 parts)

Tenprint capture using BioAPI (29141)

BioAPI Interworking Protocol (BIP, 24708)

Embedded BioAPI (29164)

Object Oriented BioAPI (30107, 3 parts) – Java/C#

(Part 5: Processing algorithm function provider interface, Part 6: Matching algorithm function provider interface)

Over 40 companies list compliant products on www.bioapi.org

Example implementation: Japan Border Control System


Biometric Data Interchange Formats Before (Examples) and After SC 37

• ANSI/NBS & ANSI/NIST Standards

• SC 37 was established

• CBEFF Project Initiated

• Potential for fingerprint template workshop

• American Association for Motor Vehicle Administration (AAMVA) - AAMVA DL/ID 2000 (included a format for fingerprint imaging/minutiae record)

• First ANSI/INCITS biometric data formats published (finger minutiae/pattern, finger/iris image data formats)

• First ISO/IEC biometric data formats published (finger minutiae, finger/face/iris image data formats)


First Generation of ISO/IEC Biometric Data Interchange Formats and Related Conformance Testing Methodology (CTM) Standards

ISO/IEC 19794-1:2006 – Part 1: Framework

ISO/IEC 29109-1:2009 – Part 1: Generalized conformance testing methodology (CTM)

AMD: Amendment / WD: Working Draft / CD: Committee Draft / DIS: Draft International Standard

Figure labels: Level 3 (semantic) CTM; Binary encoding; CTMs are separate standards


Second Generation of ISO/IEC Biometric Data Interchange Formats and Related CTM Standards

ISO/IEC 19794-1:2011, Part 1 Framework

ISO/IEC 19794-1:2011 AMD 1 Conformance testing methodology (bin. encoding) – FDAM 1

19794-1:2011 Framework XML – 2nd PDAM 2

Figure labels: Binary encoding; XML encoding

WD: Working Draft / DIS: Draft International Standard / FDIS: Final Draft International Standard

DAM: Draft Amendment / PDAM: Proposed Draft Amendment / FDAM: Final Draft Amendment

Updated from Dr. Busch’s BCC 2010 Presentation: “Status and Trends for Biometric Data Interchange Formats Standardization” and SC 37/WG 3 Roadmap


JTC 1 Biometric Standards Activities

Figure labels (standards areas): Biometric Data Interchange Formats; Logical Data Formats Frameworks; Biometric Data Security Attributes; Biometric Technical Interfaces; Biometric System Properties; Cross Jurisdictional & Societal Aspects; Harmonized Biometric Vocabulary.

Figure labels (committees): SC 37; SC 17 Token Based; SC 37 (e.g. APIs, Conform.); SC 37 Biometric Profiles; SC 27 Security Evaluation; SC 37 Performance Evaluation; SC 27 (e.g. Confidentiality, Integrity); SC 37 (e.g. CBEFF BIRs); SC 37 (data formats for a number of modalities, sample quality, conformance, liveness data).


What is New

1.37.29164-AMD 1: Embedded BioAPI – AMD 1: Security Mechanisms for Embedded BioAPI

Will add an informative annex that will serve as a guide for developers to implement those security mechanisms.

Two revision projects:

ISO/IEC 24709-1 Rev Conformance testing for the biometric application programming interface (BioAPI) -- Part 1: Methods and procedures

ISO/IEC 24709-2 Conformance testing for the biometric application programming interface (BioAPI) -- Part 2: Test assertions for BSPs


What is New (Cont.)

1.37.19784-5: Biometric application programming interface – Part 5: Biometric processing algorithm function provider interface

Specifies a low-level interface that enables a BioAPI Biometric Service Provider to interact with a biometric processing algorithm function provider from a different vendor, using only the specification of the standardised interface.

1.37.19784-6: Biometric Application Programming Interface – Part 6: Biometric matching algorithm function provider interface

Specifies a biometric matching algorithm interface for a BioAPI Biometric Service Provider. Will provide an interface that can be used by all types of biometric feature matching algorithms. It will also support fusion on score and decision level.


What is New (Cont.)

ISO/IEC 19794-4 Amendment 2 – Finger image XML Encoding

This annex defines the schema that shall be used to validate finger image records encoded in an XML format. It documents an example XML document and the use of a validating tool for an encoded finger image record.

It will refer to requirements of 19794-4 (Biometric data interchange formats – Part 4: Finger image format) except for encoding details, and 19794-1 Amd. 2 (Framework for XML encoding).

The project was extended to Parts -2 (finger minutiae), -5 (face image), -6 (iris image), -7 (signature/sign time series) and -9 (vascular image).


What is New (Cont.)

1.37.24779-4 (IS) on Pictograms, Icons and symbols for use with Biometrics Systems – Part 4: Face

Will describe a set of symbols, icons and pictograms to help the general public understand the concepts and procedures for using electronic systems that collect and/or evaluate facial images.

ISO/IEC 19795-2 Biometric performance testing and reporting – Part 2: Testing methodologies for technology and scenario Evaluation Amendment 1: Testing of multi-modal biometric

Specifies how to evaluate and report performance of multi-modal biometrics, expanding and complementing ISO/IEC 19795 Part 2, Testing methodologies for technology and scenario evaluation.


What is New (Cont.)

1.37.30124 (IS) on Code of practice for the implementation of a biometric system

Will specify provision of recommendations and guidance for the implementation of a biometric system (e.g. assessing the need, planning for the implementation of a biometric system, acceptance testing operation).

1.37.30125 (TR) Use of Mobile Biometrics for Personalization and Authentication

Will provide guidance as to the elements required in developing frameworks for the platforms to ensure a consistent and secure method of biometric authentication in a mobile environment.

The frameworks (considered to operate across a variety of platforms) will address methods and approaches to remote and unsupervised enrolment, storage & communication of biometric data, for a variety of online connected and offline modes.


What is New (Cont.)

Participants: 28 P-Members and 13 O-members

Standards published: Nineteen standards (including amendments and corrigendum)

SC’s PoW: Twenty-nine projects subdivided into one-hundred and thirty-three subprojects (published and ongoing projects included).

SC 37 approved reactivating the liaison relationship with JTC 1 SWG on Accessibility. SC 37 forwarded “Guidance on the inclusive design and operation of biometric systems” to SWG-A.


What is New (Cont.)

SC 37’s Participation in JTC 1’s activities:

SWG-Planning

AHG on Enabling Tools

AHG on Incubator Function

AHG on JTC 1 Structure

Re-established SGs to address Liaison activities with SC 17 and SC 27

Established a new SC 37 SG to prepare and coordinate SC 37 contributions and responses to JTC 1 Subgroups and address SC 37 strategic issues between SC 37 Plenary meetings.


New Liaisons

CEN/TC 224/WG 18 agreed at its 2012 Plenary to a liaison relationship with SC 37 (proposed by SC 37 in 2011). CEN/TC 224/WG 18, Interoperability of biometric recorded data. Projects: Harmonisation and interoperability of slap-ten print capture for Biometrics & Application profiles of international standards to satisfy European biometrics requirements for automatic cross-boarding equipment.

SC 37 forwarded a report of its activities to CEN/TC 224/WG 18 for information.

SC 37 approved a resolution to establish a Category C liaison relationship between SC 37/WG4 and Frontex pending JTC1 approval.

Frontex* is interested in work related to ISO/IEC TR 29195 “Guidance for Traveller Processes for Biometric Recognition in Automated Border Crossing Systems”.

* European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union.


Discontinued Liaison Relationships

Noting the lack of activity between SC 37 and ISO/SCIT and SC 37 and SC 29 at its 2011 Plenary, SC 37 approved discontinuing these liaison relationships.

However, SC 37 requested SC 29 to review draft conformance testing methodologies for finger, face and iris image data formats, specifically on test assertions related to JPEG2000 encoding in biometric samples.

At its July 2012 Plenary, after hearing a report from the Liaison Officer to SC 36, SC 37 concluded that the relationship between SC 37 and SC 36 is no longer necessary.


User Engagement

Participation:

Over 80 delegates from 15 NBs and Liaison organizations participated in the SC 37 WG meetings held in January & July 2012.

Over 50 from 14 NBs and Liaison organizations participated in SC 37 Plenary meeting held in July 2012.

Required 50% voting participation is met or exceeded in every ballot.

Representation:

System integrators

Biometric industry

Representatives from government organizations

Representatives from research and national testing laboratories

Representatives from Universities

Experts from other JTC 1/SCs and other liaison organizations


User Engagement (Cont.)

Requirements addressed:

2G of biometric data interchange formats (e.g. XML encoding)

2G technical interfaces (e.g. BIAS, BioAPI for OO programming) reflect technology innovations and new customers’ needs.

Sample quality standards: support the path to “zero error” biometrics

New projects reflect users’ needs (e.g. standardized liveness data format – support e-applications/presentation attack detection).

Challenges:

Continuous support for biometric ID trends around the world (e.g., multi-modal, multi-applications, increased scale, data exchange, anti-spoofing, Web Services, mobile biometrics).

Figure: Legitimate User / Fraudster?


Adoption Examples - ICAO*

ICAO TAG-MRTD

ISO/IEC JTC 1/SC 17 Cards and Personal Identification

ISO/IEC JTC 1/SC 27 IT Security Techniques

ISO/IEC JTC 1/SC 37 Biometrics

ISO/IEC 7816

ISO/IEC 10373

ISO/IEC 9796

ISO/IEC 19785

ISO/IEC 9797

ISO/IEC 11770

ISO/IEC 19794

ISO/IEC 14443

* “SC 27 Business Plan for the Period October 2010 – September 2011”, presented by Dr. Fumy, SC 27 Chair at the JTC 1 Plenary meeting, San Diego, CA, USA, November 2011.


Adoption Examples – UID (INDIA)*

Aadhaar: Creating Identities for 1.2 Billion Indians

• Common platform which can be used across all applications

• E.g. Social services, micropayments, banking

Figure labels: Secure Database; UID Middleware; Multi-modal ABIS Vendor (three); CBEFF Instantiation (ISO/IEC 19785-3); Biometric Capture (ISO/IEC 19794-x) – Finger/Face/Iris

Data Standards: ISO/IEC 19794-2, -4, -5 and -6


Other Adoption Examples

Seafarers ID Card (http://www.ilo.org/global/lang--en/index.htm)

SPAIN - Requirements for two official documents

• USA – National Science and Technology Council’s “Registry of U.S. Government Recommended Biometric Standards”

• Biometric requirements for PIV cards

Other SDOs (e.g. SC 17/SC 27, ITU-T)

Japan – Border Control System - BioAPI


Outreach (Ongoing)

Press releases

Articles and Books

Citing by External Sources

Conferences

University Seminars and Courses

IEEE Certified Biometrics Professional Program (CBP)

Significant Contributions from SC 37 Officers and NB experts


Recurrent Challenges 2002 - On

Impediments to success:

Adoption of biometric-based high performance, interoperable systems depends, in part, on the timely availability of a portfolio of technically-sound biometric standards required by:

End-users and industry

Other standards bodies within JTC 1, ISO TCs, external standards organizations and other customers

SC 37 mitigates the risk through the use of IT tools, international cooperation and team work, the establishment of OWG to work in-between WG meetings, and tight program management.


Recurrent Challenges (Cont.)

Technical Contributions to other ongoing standards activities:

Biometric standards for verification of users’ identity in many areas (e.g., cloud computing, sensor networks, transportation, health care)

New projects:

Semantic conformance testing (e.g., can profit from still wider participation from national testing laboratories, researchers).

Application profiles (e.g. more end-user participation is always welcome).

XML encoding for data interchange format standards (still more experts in this area would be beneficial).

Multi-biometric systems (have more complex performance and decision criteria).


Issues or Needs

Help:

Continuous additional help advertising SC 37’s work via the JTC 1 web site, JTC 1 meetings with other standards organizations, press releases and other means is always welcome.

Training:

Periodically Editors’ Training is offered – Next planned to be collocated with the SC 37/WG meetings in Winchester, UK, April 2013.

Program priorities:

Will continue to seek information from customers on how to further support users’ communities interested in the use of biometrics for personal verification and identification applications.


2013

New directions – Examples:

Development of data interchange formats using XML encoding

Semantic conformance testing for biometric data interchange formats

Requirements for performance testing methodology standards for multi-biometric systems

Ongoing:

BioAPI for Object Oriented Programming Languages

Biometric Identity Assurance Services (BIAS)

Mobile Biometrics for Personalization and Authentication

Date/location of next SC WG/Plenary:

22 - 26 April 2013 (WGs only) – Winchester, UK

13 – 21 January 2014 (WGs + Plenary) – Darmstadt, Germany