SANS 19092-2009 Financial services - Biometrics - Security framework《金融服务 生物测定学 安全框架》.pdf

1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA

2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any

3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-22934-4 SANS 19092:2009Edition 1 ISO 19092:2008Edition 1SOUTH AFRICAN NATIONAL STANDARD Financial services Biometrics Security framework T

4、his national standard is the identical implementation of ISO 19092:2008 and is adopted with the permission of the International Organization for Standardization. Published by SABS Standards Division 1 Dr Lategan Road Groenkloof Private Bag X191 Pretoria 0001Tel: +27 12 428 7911 Fax: +27 12 344 1568

5、www.sabs.co.za SABS SANS 19092:2009 Edition 1 ISO 19092:2008 Edition 1 Table of changes Change No. Date Scope National foreword This South African standard was approved by National Committee SABS TC 168, Financial services, in accordance with procedures of the SABS Standards Division, in compliance

6、with annex 3 of the WTO/TBT agreement. This SANS document was published in July 2009. Reference numberISO 19092:2008(E)ISO 2008INTERNATIONAL STANDARD ISO19092First edition2008-01-15Financial services Biometrics Security framework Services financiers Biomtrie Cadre de scurit SANS 19092:2009This s tan

7、dard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 19092:2008(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces w

8、hich are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems

9、Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely even

10、t that a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2008 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mech

11、anical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.is

12、o.org Published in Switzerland ii ISO 2008 All rights reservedSANS 19092:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 19092:2008(E) ISO 2008 All rights reserved iiiContents Page Foreword. v Introduction . vi 1 Scope . 1 2 Conforman

13、ce. 2 3 Normative references . 2 4 Terms and definitions. 2 5 Symbols and abbreviated terms . 8 6 Biometric technology overview. 9 6.1 General. 9 6.2 Fingerprint biometrics 9 6.3 Voice biometrics . 10 6.4 Iris biometrics . 10 6.5 Retina biometrics 11 6.6 Face biometrics. 11 6.7 Hand geometry biometr

14、ics 11 6.8 Signature biometrics 12 6.9 Vein biometrics . 12 7 Technological considerations . 12 7.1 Biometric system properties . 12 7.2 Universality 13 7.3 Distinctiveness 13 7.4 Accuracy 14 7.5 Performance evaluation . 15 7.6 Interoperability 17 8 Basic principles of biometric architectures.17 8.1

15、 Biometric system model 17 8.2 Data collection subsystem 18 8.3 Transmission subsystem. 18 8.4 Signal processing subsystem . 18 8.5 Matching subsystem 19 8.6 Decision subsystem . 20 8.7 Storage subsystem. 20 8.8 Portable tokens . 20 9 Management and security requirements 21 9.1 Basic applications 21

16、 9.2 Core security requirements . 21 9.3 Enrolment 22 9.4 Verification 23 9.5 Identification 24 9.6 Transmission and storage . 25 9.7 Termination and archiving. 26 9.8 Compliance and event journal. 27 10 Security infrastructure . 27 10.1 Components 27 10.2 Physical techniques . 28 11 Biometric valid

17、ation control objectives 29 SANS 19092:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 19092:2008(E) iv ISO 2008 All rights reserved11.1 Periodic review and audit considerations 29 11.2 Environmental controls 30 11.3 Key management li

18、fe-cycle controls. 41 11.4 Biometric information life cycle. 45 Annex A (informative) Event journal. 54 Annex B (normative) Biometric enrolment 58 Annex C (normative) Security considerations 60 Annex D (normative) Security requirements for biometric devices 72 Annex E (informative) Existing applicat

19、ions 75 Bibliography . 77 SANS 19092:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 19092:2008(E) ISO 2008 All rights reserved vForeword ISO (the International Organization for Standardization) is a worldwide federation of national s

20、tandards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International

21、organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules gi

22、ven in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least

23、 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 19092 was prepared by Technical Committee ISO/TC 68, F

24、inancial services, Subcommittee SC 2, Security management and general banking operations. This first edition of ISO 19092 cancels and replaces ISO 19092-1:2006, of which it constitutes a minor revision, notably to remove references to the ISO 19092-2 project. SANS 19092:2009This s tandard may only b

25、e used and printed by approved subscription and freemailing clients of the SABS .ISO 19092:2008(E) vi ISO 2008 All rights reservedIntroduction This International Standard replaces ISO 19092-1:2006. When ISO 19092-1:2006 was published, it was expected that a second part of ISO 19092 (ISO 19092-2, Fin

26、ancial services Biometrics Part 2: Message syntax and cryptographic requirements) would subsequently be published. However, ISO 19092-2 was not completed due to a lack of consensus. As a result, ISO 19092-1:2006 has been updated into this International Standard, removing all references to ISO 19092-

27、2 and incorporating some minor editorial corrections. Business practice has changed with the introduction of computer-based technologies. The substitution of electronic transactions for their paper-based predecessors has reduced costs and improved efficiency. Trillions of dollars in funds and securi

28、ties are transferred daily on systemically important payment systems and other financial systems by telephone, wire services and other electronic communication mechanisms. The high value or sheer volume of such transactions within an open environment exposes the financial community and its customers

29、 to potentially severe risks from accidental or deliberate alteration, substitution or destruction of data. Interconnected networks, and the increased number and sophistication of malicious adversaries compound this risk. The inevitable advent of electronic communications across uncontrolled public

30、networks, such as the Internet, is also increasing risk to the financial industry. The necessity to expand business operations into these environments has elevated the awareness for strong authentication and created the need for alternate forms of authentication. The financial community is respondin

31、g to these needs. Biometrics, the “something you are or are able to do” identity factor, has come of age, and includes such technologies as finger image, voice identification, eye scan and facial image. The cost of biometric technology has been decreasing while the reliability has been increasing, a

32、nd both are now acceptable and viable for the financial industry. This International Standard describes adequate controls and proper procedures for using biometrics as an authentication mechanism for secure remote electronic access or local physical access controls for the financial industry. Biomet

33、rics can be used for human authentication for physical and logical access. Logical access can include access to applications, services, or entitlements. This International Standard promotes the integration of biometrics into the financial industry, and the management of biometric information as part

34、 of the overall information security management programme of the organization. It positions biometric technology to strengthen public key infrastructure (PKI) for higher authentication by providing stronger methods as well as multi-factor authentication. In addition, this International Standard allo

35、ws continuous reassurance that the entity about to generate a digital signature is, in fact, the person authorized to access the private key. The success of a biometric system with the public is based on a number of factors, and these factors differ among the available biometric technologies: conven

36、ience and ease of use; level of apparent security; performance; non-invasiveness. The authentication systems discussed in this International Standard are those for a closed user group in which the group members have agreed to use biometric identification or perform identification themselves. Such ag

37、reements might be explicit (e.g. service agreement) or implicit (e.g. entering a facility indicating a clear intent to conduct a transaction). Such systems that will be used to monitor an indefinite number of people are excluded from the scope of this International Standard. SANS 19092:2009This s ta

38、ndard may only be used and printed by approved subscription and freemailing clients of the SABS .ISO 19092:2008(E) ISO 2008 All rights reserved viiThe techniques specified in this International Standard are designed to maintain the integrity and confidentiality of biometric information and to provid

39、e authentication. However, this International Standard does not guarantee that a particular implementation is secure. It is the responsibility of the financial institution to put an overall process in place with the necessary controls to ensure that the process is securely implemented. Furthermore,

40、the controls should include the application of appropriate audit tests in order to verify compliance with this International Standard. SANS 19092:2009This s tandard may only be used and printed by approved subscription and freemailing clients of the SABS .SANS 19092:2009This s tandard may only be us

41、ed and printed by approved subscription and freemailing clients of the SABS .INTERNATIONAL STANDARD ISO 19092:2008(E) ISO 2008 All rights reserved 1Financial services Biometrics Security framework 1 Scope This International Standard describes the security framework for using biometrics for authentic

42、ation of individuals in financial services. It introduces the types of biometric technologies and addresses issues concerning their application. This International Standard also describes the architectures for implementation, specifies the minimum security requirements for effective management, and

43、provides control objectives and recommendations suitable for use by a professional practitioner. The following are within the scope of this International Standard: usage of biometrics for the authentication of employees and persons seeking financial services by: verification of a claimed identity; i

44、dentification of an individual; validation of credentials presented at enrolment to support authentication as required by risk management; management of biometric information across its life cycle comprised of the enrolment, transmission and storage, verification, identification and termination proc

45、esses; security of biometric information during its life cycle, encompassing data integrity, origin authentication and confidentiality; application of biometrics for logical and physical access control; surveillance to protect the financial institution and its customers; security of the physical har

46、dware used throughout the biometric information life cycle. The following are not within the scope of this International Standard: the individuals privacy rights and ownership of biometric information; specific techniques for data collection, signal processing and matching of biometric data, and the

47、 biometric matching decision-making process; usage of biometric technology for non-authentication convenience applications such as speech recognition, user interaction and anonymous access control. This International Standard provides the mandatory means whereby biometric information may be encrypte

48、d for data confidentiality or other reasons. Although this International Standard does not address specific requirements and limitations of business applications employing biometric technology, other standards may address these topics. SANS 19092:2009This s tandard may only be used and printed by ap

49、proved subscription and freemailing clients of the SABS .ISO 19092:2008(E) 2 ISO 2008 All rights reserved2 Conformance A biometric authentication system may claim compliance to this International Standard if the implementation satisfies the management and security requirements identified in this International Standard. A biometric authentication system that utilizes the cryptographic message requirements recommended in this International Standard and that has implemented appropriate policies, pr