1. Biometric Information Security Management
Phillip H. Griffin, Information Security Consultant, GRIFFIN Consulting
2. Biometric Security Standards
X9.84-2010, Biometric Information Management and Security
- Industry-neutral information security standard
- Financial services specific use cases
- Became a US national standard in 2003
- Revised 2009: Wells provided editor; Griffin created secure abstract schema
- Selectively incorporates ISO 19092 improvements
ISO 19092
- Extends & internationalizes X9.84-2003
- McCormick, US expert; Griffin, standard editor
- Omitted important X9.84 technical content
- Omitted schema for practical implementation
3. Biometric Security Standards Content (X9.84 / ISO 19092)
- Biometrics Overview & Tutorial
- Technical Considerations & Architecture
- Biometric Information Security Management
- Cryptographic Controls and Techniques
- Physical Controls
- ASN.1 Schema (compact binary & XML markup)
- Secure Biometric System Event Journal
4. Biometric Security Standards Content, continued (X9.84 / ISO 19092)
- Audit Checklist (BVCO: Biometric Validation Control Objectives)
- Match Decision Protocol
- ISO 8583 Retail Message Extension
- Data Flow Diagrams & Descriptions
- Security Considerations
- Public Policy Considerations
- Business Use Cases
5. X9.84: A Biometrics Tutorial
Biometric Technology Overview: Basics
- Biometric identification leverages the universally recognized fact that certain physiological or behavioral characteristics can reliably distinguish one person from another.
Biometric Types
- Fingerprint (also Voice, Signature, Iris, Retina, Face, ...)
- The pattern of friction ridges and valleys on an individual's fingertips is considered unique to that individual.
6. X9.84 Authentication System Compliance: Biometric System Auditor Checklist
Biometric Validation Control Objectives (BVCO)
- Environmental Controls: a biometric system within or employing an IT infrastructure requires these controls for a secure implementation.
- Key Management Lifecycle Controls: needed when a biometric system employs cryptographic protection, e.g., digital signatures for data integrity & origin authentication, and encryption for confidentiality.
- Biometric Information Lifecycle Controls: a biometric system enrolls individuals by capturing biometric data to generate, distribute, use, and eventually terminate templates, much as a PKI manages the lifecycle of its keys.
7. X9.84 Authentication System Compliance: Biometric System Event Journal
Shows that an organization provides reasonable assurance that:
- environmental, key management lifecycle, and biometric information lifecycle events are accurately and completely logged, so that the operation of the biometric system can be shown to meet the control objectives;
- confidentiality & integrity of current & archived event journals are maintained;
- complete event journals are securely and confidentially archived in accordance with disclosed business practices;
- event journals are reviewed periodically by authorized personnel.
8. Extending Biometric Template Information: Biometric Template Attributes
- Attributes can be bound to a template using a detached signature.
- Detached signatures are stored separately from the template itself.
- Detached signatures do not interfere with template use by a biometric service provider (BSP), say during the biometric matching process.
- Signature verification of information security management attributes that are cryptographically bound to a biometric reference template can be performed by another application process, perhaps by a Web Service.
9. Biometric Security Management Attributes
(Diagram: attributes bound to fingerprint and iris templates.)
- 2 -- Two factor authentication
- 3 -- Lock after 3 bad tries
- 1.2.3.4
- http://phillipgriffin.com/policy/99
10. Binding Security Attributes to Reference Templates
(Diagram: BSP, Database.)
Detached signatures can bind security and privacy attributes to biometric templates.
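The binding described on slides 8 to 10, worked through as an added example that is not part of the original deck and is not the X9.84 ASN.1 schema. It is Go using the standard library: encoding/asn1 for the DER encoding the standard favours, and an Ed25519 key pair standing in for the Biometric Security Manager's PKI key. The attribute values are the ones on slide 9; the SecurityAttributes SEQUENCE, its field names, the reading of 1.2.3.4 as a policy OID, and the template bytes are assumptions made here. The signature covers a digest of the template plus the attributes, so the template itself is never modified and the matcher (BSP) can keep using it unchanged, while any other process holding the public key can verify the binding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
)

// BiometricTemplate stands in for an X9.84 reference template. The matcher
// (BSP) consumes only this; binding attributes changes none of its bytes.
type BiometricTemplate struct {
	Modality string `asn1:"utf8"` // "fingerprint" or "iris", as on slide 9
	Data     []byte // constructed sample bytes, not real minutiae
}

// SecurityAttributes is a hypothetical ASN.1 SEQUENCE for the management
// attributes on slide 9; it is not the X9.84 schema.
type SecurityAttributes struct {
	PolicyOID   asn1.ObjectIdentifier // 1.2.3.4, read here as a policy OID
	PolicyURL   string `asn1:"ia5"`  // http://phillipgriffin.com/policy/99
	AuthFactors int                   // 2: two factor authentication
	MaxBadTries int                   // 3: lock after 3 bad tries
}

// DetachedSignature is stored apart from the template (slide 10 shows the
// BSP template store and the attribute database as separate boxes).
type DetachedSignature struct {
	Attributes []byte // DER(SecurityAttributes)
	Signature  []byte // Ed25519 over toBeSigned(template, Attributes)
}

// toBeSigned is what the signature covers: DER of a SEQUENCE holding SHA-256
// of the DER template (never the template itself) and the DER attributes.
func toBeSigned(tpl BiometricTemplate, attrDER []byte) ([]byte, error) {
	der, err := asn1.Marshal(tpl)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(der)
	return asn1.Marshal(struct{ TemplateDigest, Attributes []byte }{sum[:], attrDER})
}

// BindAttributes runs in the Biometric Security Manager at enrolment and
// signs with the BSM's Ed25519 key (standing in for the PKI key pair).
func BindAttributes(priv ed25519.PrivateKey, tpl BiometricTemplate, attrs SecurityAttributes) (DetachedSignature, error) {
	attrDER, err := asn1.Marshal(attrs)
	if err != nil {
		return DetachedSignature{}, err
	}
	content, err := toBeSigned(tpl, attrDER)
	if err != nil {
		return DetachedSignature{}, err
	}
	return DetachedSignature{attrDER, ed25519.Sign(priv, content)}, nil
}

// VerifyBinding can run in a separate process (e.g. a Web Service) given the
// template, the detached signature and the BSM's public key. Because the
// digest is recomputed from the presented template, a swapped template fails
// exactly like edited attributes do.
func VerifyBinding(pub ed25519.PublicKey, tpl BiometricTemplate, ds DetachedSignature) (SecurityAttributes, error) {
	var attrs SecurityAttributes
	content, err := toBeSigned(tpl, ds.Attributes)
	if err != nil {
		return attrs, err
	}
	if !ed25519.Verify(pub, content, ds.Signature) {
		return attrs, errors.New("signature invalid: template or attributes differ from what was signed")
	}
	rest, err := asn1.Unmarshal(ds.Attributes, &attrs)
	if err == nil && len(rest) != 0 {
		err = errors.New("trailing bytes after attributes")
	}
	return attrs, err
}

// Demo enrols a constructed template, verifies it as a relying party would,
// then relaxes the lockout threshold in the attribute store without the BSM's
// key. It returns the verified MaxBadTries and whether the edit was caught.
func Demo() (int, bool, error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	tpl := BiometricTemplate{Modality: "fingerprint", Data: []byte{0x10, 0x2a, 0x7f, 0x03, 0xc4}}
	attrs := SecurityAttributes{asn1.ObjectIdentifier{1, 2, 3, 4}, "http://phillipgriffin.com/policy/99", 2, 3}
	ds, err := BindAttributes(priv, tpl, attrs)
	if err != nil {
		return 0, false, err
	}
	got, err := VerifyBinding(pub, tpl, ds)
	if err != nil {
		return 0, false, err
	}
	tampered := ds
	tampered.Attributes, _ = asn1.Marshal(SecurityAttributes{attrs.PolicyOID, attrs.PolicyURL, attrs.AuthFactors, 99})
	_, tamperErr := VerifyBinding(pub, tpl, tampered)
	return got.MaxBadTries, tamperErr != nil, nil
}
```

Two design points worth noting. Signing a digest of the template rather than the template keeps the signed object small and means the attribute store never has to hold biometric data, which matters for the privacy attributes slide 10 mentions. And because VerifyBinding recomputes that digest from whatever template is presented, the same check rejects a template substituted behind a legitimate signature and a signature replayed against someone else's template.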
11. Biometric Security Management Layer
(Architecture diagram. Labels: Identity and Access Management; BSP; User Auth; IAM / BSP API; Biometric Security; Password Management Application; Event Journal; User; BSM; PKI; Signed Attributes.)
12. For a Deeper Dive
- ANSI X9.84:2010, Biometric Information Management and Security
- ANSI X9.73:2010, Cryptographic Message Syntax (CMS), ASN.1 and XML
- ISSA Journal, January 2007: ISO 19092: A Standard for Biometric Security Management