Information about http://www.itl.nist.gov/div893/biometrics/documents/White%20Paper%20Roles%20for%20NIST%20FP&MH%20March11%202003.PDF
White Paper March 11,…
Pages:Language: english
Display cached document
White Paper
March 11, 2003
Fernando L. Podio Michael D. Hogan
Convergent Information Systems Division Standards Liaison
Information Technology Laboratory Information Technology Laboratory
National Institute of Standards and Technology
National Institute of Standards and Technology
Roles for the National Institute of Standards and Technology (NIST) in
Accelerating the Development of Critical Biometric Consensus Standards for
US Homeland Security and the Prevention of ID Theft
Introduction
Deploying new information technology systems for homeland security will require a comprehensive set
of both national and international technically sound standards for biometrics that meet the U.S. needs.
Over the past eighteen months, NIST has worked in close partnership with other U.S. government
agencies and industry to establish formal standards groups for biometric standards development. These
groups are actively working on accelerating the development of national and international biometric
standards which are of high relevance to the U.S. NIST has identified the critical tasks that will contribute
to the timely development of these standards. They will support significantly better, open systems
standards-based security solutions. To describe in detail NIST's current involvement in formal national
and international biometric standards, NIST has developed this white paper and a related biometric
standards development program and business plan.
Developing technically sound consensus biometric standards requires a significant effort made by all the
organizations involved. It includes participation by technical experts in the standards development
process and working with the other member organizations in the development of technical contributions
and positions. This is a labor-intensive work. Although processes for consensus IT standards development
have been streamlined in the last few years, the development of a standard can still be inherently time
consuming because of technical and business decisions needed to reach consensus.
The timely and adequate support of these efforts serves as the catalyst for ensuring the rapid
development of technically sound consensus standards. Bridging from the national to the international
work will not be an easy task. Nevertheless, this effort will be an excellent opportunity to accelerate the
deployment of standards-based biometric technologies that will meet U.S. requirements. The national
and international community and especially the U.S. need this work to be done. Time is a compelling
factor for new homeland security applications critical to the U.S. Some key standards objectives have
already been achieved and NIST is fully involved in the on-going development efforts. The work needs
to proceed at the accelerated pace required by the critical needs discussed in this paper.
NIST is involved in many capacities in biometric standard development activities. As a member
organization of formal biometric standards development bodies and biometric consortia, NIST provides
technical expertise and contributions to the creation of these drafts standards and specifications. Technical
developments in support of these consensus standards are many times required while the standards are
developed and also after the standard is approved. This includes technical activities that help to
implement the standards (e.g., reference implementations, conformance tests, evaluation procedures).
1
Responding to requests from other U.S. government agencies and industry, NIST is also providing the
leadership for the national and international bodies developing formal biometric standards. These
organizations are the InterNational Committee for Information Technology Standards (INCITS)
Technical Committee M1 Biometrics and ISO/IEC Joint Technical Committee 1 (JTC 1) Subcommittee
SC 37 - Biometrics. NIST is also one of the organizations supporting the infrastructure required for
successful development of these consensus standards. An efficient infrastructure for consensus standards
development includes providing competent leadership (e.g., chairpersons, project editors) and providing
competent administration (e.g., secretariat, web sites, ballots). In addition, NIST serves in different
capacities in multiple biometric consortia that have developed biometric specifications as described
below.
Background
Measurements, testing, and standards have long been the heart of the mission of NIST. NIST has been
working with government users and industry for more than one hundred years to develop and apply
technology, measurements, testing, and standards to support end-users and industry and promote U.S.
economic growth. In the aftermath of September 11, 2001, NIST, along with all Federal agencies, is
firmly committed to supporting our Nation's new priorities for homeland security. NIST is addressing
legislative requirements for biometric standards and conducting biometric testing under new Public
Laws, such as the U.S.A Patriot Act and the Enhanced Border Security Act. One of the key aspects of
these requirements is the acceleration of biometric standards development.
Biometric technologies are posed to become the foundation of an extensive array of highly secure
identification and personal verification solutions. In addition to supporting homeland security and
preventing ID fraud, biometric -based systems are able to provide for confidential financial transactions
and personal data privacy. Enterprise-wide network security infrastructures, employee IDs, secure
electronic banking, investing and other financial transactions, retail sales, law enforcement, and health
and social services are already benefiting from these biometric technologies. The need for standards-
based biometric technologies is apparent. To fully realize the benefits of biometric technologies,
comprehensive standards are necessary to ensure that information technology systems and applications
are interoperable, scalable, usable, reliable, and secure. NIST has made a dramatic impact, and seeks to
continue to make an impact, in the development of consensus standards for biometrics and related
technical activities such as technology testing and the development of reference implementations and
system emulations.
For decades, NIST has been involved with end-users and industry, especially within the law enforcement
community, in biometric testing and standardization. In the past five years NIST has intensified its work
in biometric standardization in support of open systems standard-based security solutions. NIST has
served as a catalyst in national and international biometric standards developments in order to support the
needs of other U.S. government agencies as well as U.S. industry. In 1999 NIST played a significant role
in the unification efforts of several industrial groups developing incompatible biometric Application
Programming Interfaces (APIs). This work led to the formation of the current BioAPI Consortium, the
development of the BioAPI specification and the approval of this specification as a formal national
standard, ANSI INCITS 358 - 2000, BioAPI v1.1. The development of a single approach specified in the
BioAPI standard promotes interoperability among applications and biometric subsystems by defining a
generic way of interfacing to a broad range of biometric technologies. NIST also led, in collaboration
with the US National Security Agency (NSA), the development of a Common Biometric Exchange File
Format (CBEFF). The development of a single approach for a biometric data structure assured biometrics
companies and their potential customers that different biometric devices and applications could exchange
information efficiently. This specification is being incorporated in U.S. government and international
2
requirements such as the technical specifications drafted by the International Civil Aviation Organization
(ICAO).
Based upon a proposal from NIST, the Executive Board of INCITS (InterNational Committee for
Information Technology Standards) established in November 2001 a new Technic al Committee M1 on
Biometrics. The purpose of M1 is to ensure a high priority, focused, and comprehensive approach in the
U.S. for the rapid development and approval of formal national and international generic biometric
standards that are critical to U.S. needs for purposes such as homeland defense and the prevention of
identity theft. M1 is developing a portfolio of data interchange and interoperability standards including
biometric data formats for finger, facial, iris and signature recognition, application profiles for
transportation workers, border crossing and point-of-sale, and a standard specifying biometrics
performance evaluation and reporting methods. In the international arena, the most critical activity of
high relevance to the U.S. is the recently formed ISO/IEC Joint Technical Committee 1 (JTC 1)
Subcommittee 37 on Biometrics. The U.S. provides the Secretariat for this new Subcommittee. The
formation of JTC 1 SC 37 was initiated and championed by the U.S. National Body to ISO/IEC JTC 1
with strong support from NIST. Other U.S. government agencies and industry have asked NIST to
provide leadership for INCITS M1 and JTC 1 SC 37. These new standards groups are providing the
needed venues for a focused and comprehensive approach to the rapid development and approval of the
required formal national and international biometric standards and will support the deployment of
biometric-based interoperable enterprise systems.
In addition to playing a leadership role in formal biometric standardization, associated testing and related
critical technical activities, NIST also partners with the biometrics community in other capacities. NIST
co-chairs with NSA the Biometric Consortium (BC) and its working groups, the NIST/BC Biometric
Interoperability Performance and Assurance Working Group and the Common Biometric Exchange File
Format Development Group. The U.S. Biometric Consortium is an organization that currently consists of
over nine hundred members representing over sixty government agencies, industry and academia. The
Biometric Consortium serves as the U.S. government focal point for research, testing, evaluation and
application of biometric -based personal verification and identification technologies. NIST co-sponsors
the Biometric Consortium conferences and biometric technical developments. The NIST/BC Biometric
Working Group has been working over the last two years to develop biometric specifications that can
now be turned over to formal standards bodies such as INCITS M1 and JTC 1 SC 37. In the last four
months the NIST/BC Biometric Working Group approved and provided to INCITS M1 three
specifications for consideration as national and international standards: (a) Biometric Template
Protection and Usage; (b) Biometric Application Programming Interface for Java Card TM; and (c) an
augmented version of the Common Biometric Exchange File Format.
NIST is also a member of the BioAPI Consortium, is a member of its Steering Committee and leads the
BioAPI Consortium's External Liaisons Working Group. BioAPI Consortium's membership consists of
over 100 organizations including biometric vendors, end-users, system developers and OEMs. NIST has
recently developed the Linux version of the BioAPI reference implementation (originally developed as a
Windows-compatible implementation) and harmonized the Linux implementation with a Unix
implementation developed by another BioAPI member organization (the International Biometric Group).
NIST is currently examining architectures for the utilization of multi-modal biometrics in large
authentication systems that are BioAPI and CBEFF-compliant.
3
NIST's Accomplishments to Date
The Biometric Consortium
The U.S. Biometric Consortium serves as the Government focal point for research, development, testing,
evaluation and application of biometric -based personal identification/verification technologies. The
membership has substantially grown in the last few years to over 900 members from government,
industry, and academia. Sixty government agencies have membership in the Consortium. The BC
organizes biometric conferences and technical workshops that are open to members and non-members. It
sponsors a web site open to members and an electronic mail discussion list for its members. The BC also
sponsors technology workshops & standards activities such as the NIST/BC Biometric Working Group
and the CBEFF development. It also sponsors other user/industry activities, as needed, to address required
research and other technical issues. The BC identifies technical areas of support to users and industry
such as research and technology evaluation efforts. NIST co-chairs the Biometric Consortium and its
Working Groups and is involved in the organization of its outreach activities including technical
workshops and the annual conferences. The BC annual conference has become the largest biometric
conference worldwide. The BC is the global clearinghouse for biometrics, is a major biometric standards
incubator and is a catalyst for enterprise integration of biometric technology.
Common Biometric Exchange File Format
In February 1999, NIST/ITL and the Biometric Consortium (BC) sponsored a Workshop to discuss the
potential for reaching industry consensus in common fingerprint template formats. The participants
identified the need for a "technology-blind" biometric format that would facilitate the handling of
different biometric types, versions, and biometric data structures in a common way. This common format
would facilitate exchange and interoperability of biometric data from all modalities of biometrics
independent of the particular vendor that would generate the biometric data. CBEFF's initial conceptual
definition was achieved through a series of Workshops co-sponsored by NIST and the Biometric
Consortium. A technical development team led by NIST and NSA then developed CBEFF. It was
published by NIST as NISTIR 6529 in January 2001. This development included efforts focused on
harmonizing the data formats among CBEFF, X9.84 (which was later approved as ANSI X9.84-2000)
and the BioAPI specification (which was later approved as an ANSI INCITS 358-2002). The
International Biometric Industry Association (IBIA) is the Registration Authority for CBEFF biometric
data formats. Further CBEFF development has continued under the NIST/BC Biometric Interoperability,
Performance, and Assurance Working. The result of this further work is an augmented version of CBEFF
recently approved by NIST/BC Biometric WG. This version is now a candidate for national and
international standardization. This revised version includes the specification of a nested structure that
accommodates biometric data from multiple biometric types such as finger, facial and iris data in the
same structure and also accommodates multiple samples of a specific biometric type and also includes a
format specifying biometric information data objects for use within smart cards or other tokens. This
format has been defined with the collaboration of technical experts from ISO/IEC JTC 1 SC 17 WG 4
and INCITS Technical Committee B10 ID Cards and Related Devices.
NIST/BC Biometric Interoperability, Performance and Assurance Working Group
Over two years ago, NIST in cooperation with the U.S. Biometric Consortium (BC) established the
NIST/BC Biometric Interoperability, Performance and Assurance Working Group to support
advancement of technically efficient and compatible biometric technology solutions on a national and
international basis and to promote and encourage exchange of information and collaborative efforts
between users and private industry in all things biometric. In the last two years over 100 organizations
4
(government, industry and academia) contributed to the work of this organization. Recently the NIST/BC
WG completed and approved three specifications that were delivered to the InterNational Committee for
Information Technology Standards M1 - Biometrics for further standardization as national and
international standards. They will also be issued as NIST publications. These specificationsare: (a) the
augmented version of CBEFF; (b) a specification that defines biometric template protection and usage
techniques; (c) a biometric Application Programming Interface for Java Card (developed in cooperation
with the Java Card Forum). The NIST BC WG is currently working in specifying biometric security
techniques of interest to both end-users and the industry.
The BioAPI Consortium
The BioAPI Consortium was formed to develop a widely available and widely accepted Application
Programming Interface to serve any type of biometric technology. Harmonization efforts that took place
in 1999, sponsored by NIST and the Biometric Consortium resulted in a single industry standard for
biometrics developed by the BioAPI Consortium. Version 1.0 of the Specification was approved by the
membership and published in March 2000. Version 1.1 of both the specification and the reference
implementation were released in March 2001. The implementation of BioAPI-compliant solutions allows
for: (a) easy substitution of biometric technologies; (b) the utilization of biometric technologies across
multiple applications; (c) easy integration of multiple biometrics using the same interface (the BioAPI
interface) and (d) rapid application development. Utilization of open systems standards such as the
BioAPI specification allows for increasing competition (which tends to lower development and
implementation costs). Fast track approval of the BioAPI specification as an ANSI INCITS standard was
achieved through INCITS. BioAPI was approved as an standard (ANSI INCITS 358-2002) in February
2002. NIST is a member of the BioAPI Consortium Steering Committee and Chairs the External Liaisons
Working Group which was responsible for identifying rapid mechanisms to fast track the BioAPI
specification as an ANSI INCITS standard.
National Standards Activities
In response to new requirements for biometric standards after the events of 9/11, the Executive Board of
the InterNational Committee for Information Technology Standards (INCITS) established Technical
Committee M1 on Biometrics in November 2001. INCITS M1 is also the U.S. Technical Advisory Group
(TAG) to the international subcommittee in biometrics Joint Technical Committee 1 Subcommittee 37.
Therefore, M1 represents the U.S. internationally in biometrics. M1 also has maintenance responsibility
for the BioAPI standard. INCITS M1 is developing a portfolio of data interchange and interoperability
standards and also intends to elevate consortia standards to national and international standards. Two
candidates for INCITS fast track through M1 include the augmented version of CBEFF and the biometric
Application Programming Interface for Java Card developed by the NIST/BC Biometric WG as discussed
above. M1 has over 50 member organizations. NIST participates in the INCITS Executive Board, and
chairs INCITS M1 and it's Application Profile Ad-Hoc Group. Current projects under M1 development
include:
o Finger Minutiae Format for Data Interchange
o Finger Pattern-Based Interchange Format
o Face Recognition Image Format for Data Interchange
o Finger Image Interchange Format
o Iris Image Format for Data Interchange
o Signature/Sign Image-Based Interchange Format
o Biometric Application Profile - Verification & Identification of Transportation Workers
o Biometric Application Profile - Personal Identification for Border Crossing
5
o Biometric Application Profile Biometric Verification in Point-of-Sale Systems
o Biometric Performance Testing and Reporting
International Standards Activities of High Relevance to the U.S.
Post September 11th, many have expressed support for the urgent need for rapid formal international
biometric standardization. There was widespread recognition that there was a great deal of work to be
done in generic biometric standardization. Within ISO/IEC, Joint Technical Committee 1 (JTC 1)
approved the establishment of a new SC 37 for biometrics in June 2002. The establishment of this new
Subcommittee for biometric standardization provides a venue to exploit the present window of
opportunity to accelerate and harmonize international biometric standardization. This harmonization is
necessary to support standards based systems and applications that are interoperable, scalable, reliable,
and secure. The formation of JTC 1 SC 37 was initiated and championed by the U.S. National Body to
ISO/IEC JTC 1 with strong participation from NIST. Other Federal agencies and U.S. industry have
asked NIST to provide leadership for JTC 1 SC 37. JTC 1 SC 37 met for the first time on December 11-
13, 2002 in Orlando, Florida and the NIST candidate was endorsed by SC 37 to chair the SC for the next
three years. The U.S. is also responsible for providing the SC 37 Secretariat and NIST has committed to
seeing that this critical service is provided. Approximately seventy National Body delegates from 17
countries, prospective liaisons, and other JTC 1 SC chairs attended the inaugural meeting of SC 37. The
current scope of work is the standardization of generic biometric technologies pertaining to human beings
to support interoperability and data interchange among applications and systems. Generic human
biometric standards include: common file frameworks; biometric application programming interfaces;
biometric data interchange formats; related biometric profiles; application of evaluation criteria to
biometric technologies; methodologies for performance testing and reporting and cross jurisdictional and
societal aspects. SC 37 established a Special Group/Study Group structure to progress its work:
o Special Group on Biometric Data Interchange Formats
o Study Group on Profiles for Biometric Applications
o Special Group on Biometric Technical Interfaces
o Special Group on Biometric Testing and Reporting
o Special Group on Harmonized Biometric Vocabulary and Definitions
o Study Group on Cross-Jurisdictional and Societal Aspects
The U.S. TAG to JTC 1 SC 37 (INCITS M1) submitted multiple contributions to the JTC 1 SC 37 work
including working drafts of its national projects, the BioAPI specification and the augmented version of
CBEFF. NIST chairs the SC and provided the convener for the SC 37 Biometric Profiles Study Group.
6