ANSI INCITS ISO IEC 7816-11-2004 Identification cards Integrated circuit cards Part 11 Personal verfication through biometric methods.pdf

1、INCITS/ISO/IEC 7816-11-2004 (ISO/IEC 7816-11:2004, IDT) Identification cards Integrated circuit cards Part 11: Personal verfication throughbiometric methodsINCITS/ISO/IEC 7816-11-2004(ISO/IEC 7816-11:2004,IDT)INCITS/ISO/IEC 7816-11-2004 ii ITIC 2005 All rights reserved PDF disclaimer This PDF file m

2、ay contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the res

3、ponsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creat

4、ion parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Com

5、mittee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 12/29/2005 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2005 by Information Technology Industry Council (ITI). All rights reserved. The

6、se materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be repro

7、duced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America INCITS/ISO/IEC 7816-11-2004 ITIC 2005 All r

8、ights reserved iii Contents Page Foreword iv Introduction .v 1 Scope 1 2 Normative references .1 3 Terms and definitions 1 4 Abbreviated terms 2 5 Commands for biometric verification processes 2 5.1 Commands to retrieve biometric information .2 5.2 Command for a static biometric verification process

9、 .3 5.3 Commands for a dynamic biometric verification process 3 6 Data elements .3 6.1 Biometric information 3 6.2 Biometric data 5 6.3 Verification requirement information 6 Annex A (informative) Biometric verification process .8 Annex B (informative) Examples for enrollment and verification 13 Ann

10、ex C (informative) Biometric information data objects . 19 Annex D (informative) Usage of Secure Messaging Templates 29 Bibliography 33 INCITS/ISO/IEC 7816-11-2004 iv ITIC 2005 All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotec

11、hnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical a

12、ctivity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical co

13、mmittee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulate

14、d to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held resp

15、onsible for identifying any or all such patent rights. ISO/IEC 7816-11 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification. ISO/IEC 7816 consists of the following parts, under the general title Identification cards In

16、tegrated circuit cards: Part 1: Cards with contacts Physical characteristics Part 2: Cards with contacts Dimensions and location of the contacts Part 3: Cards with contacts Electrical interface and transmission protocols Part 4: Organization, security and commands for interchange Part 5: Registratio

17、n of application providers Part 6: Interindustry data elements for interchange Part 7: Interindustry Commands for Structured Card Query Language (SCQL) Part 8: Commands for security operations Part 9: Commands for card management Part 10: Cards with contacts Electronic signals and answer to reset fo

18、r synchronous cards Part 11: Personal verification through biometric methods Part 15: Cryptographic information application INCITS/ISO/IEC 7816-11-2004 ITIC 2005 All rights reserved v Introduction This part of ISO/IEC 7816 is one of a series of standards describing the parameters for integrated circ

19、uit(s) cards with contacts and the use of such cards for international interchange. This part of ISO/IEC 7816 may also apply to contactless cards. AMERICAN NATIONAL STANDARD INCITS/ISO/IEC 7816-11-2004 ITIC 2005 All rights reserved 1 Identification cards Integrated circuit cards with contacts Part 1

20、1: Personal verification through biometric methods 1 Scope This part of ISO/IEC 7816 specifies security related interindustry commands to be used for personal verification with biometric methods in integrated circuit(s) cards. It also defines the data structure and data access methods for use of the

21、 card as a carrier of the biometric reference data and/or as the device to perform the verification of a personal biometric (on-card matching). Identification of persons using biometric methods is outside the scope of this standard. 2 Normative references The following referenced documents are indis

22、pensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7816-4:2003, Identification cards Integrated circuit cards with contacts Part 4: Orga

23、nization, security and commands for interchange ISO/IEC CD 19785:2003, Information technology Common Biometric Exchange Framework Format (CBEFF) 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 biometric data data encoding a feature or feature

24、s used in biometric verification 3.2 biometric information information needed by the outside world to construct the verification data 3.3 biometric reference data data stored on the card for the purpose of comparison with the biometric verification data 3.4 biometric verification process of verifyin

25、g by a one-to-one comparison of the biometric verification data against biometric reference data 3.5 biometric verification data data acquired during a verification process for the comparison with the biometric reference data INCITS/ISO/IEC 7816-11-2004 2 ITIC 2005 All rights reserved 3.6 template a

26、s defined in ISO/IEC 7816-4 WARNING The term template means the value field of a constructed data object. It should not be confused with a processed biometric data sample. 4 Abbreviated terms For the purpose of this part of ISO/IEC 7816, the following abbreviations apply. AID Application Identifier

27、AT Authentication Template BER Basic Encoding Rules BIT Biometric Information Template BD Biometric Data BDP BD in proprietary format BDS BD in standardized format BDT Biometric Data Template CCT Cryptographic Checksum Template CRT Control Reference Template CT Confidentiality Template DE Data Eleme

28、nt DF Dedicated File DO Data Object DST Digital Signature Template EFID Elementary File ID FCI File Control Information ID Identifier L Length OID Object Identifier RD Reference Data SE Security Environment SM Secure Messaging TLV Tag-Length-Value UQ Usage Qualifier VIDO Verification requirement Inf

29、ormation Data Object VIT Verification requirement Information Template 5 Commands for biometric verification processes Commands for retrieval, verification and authentication defined in ISO/IEC 7816-4 are used for biometric verification. Biometric data (e.g. face features, ear shape, fingerprint, sp

30、eech pattern, voice print, key stroke) may need protection against replay or presentation of verification data derived from original biometric data (e.g. a fingerprint, a face photo). A method to prevent this kind of attack is to send the verification data to the card with a cryptographic checksum o

31、r a digital signature applying secure messaging as defined in ISO/IEC 7816-4. Likewise, secure messaging may be used to guarantee the authenticity of the biometric data retrieved from the card. 5.1 Commands to retrieve biometric information The commands as specified in ISO/IEC 7816-4 in the clause r

32、elated to data referencing shall be used for the retrieval of biometric information. INCITS/ISO/IEC 7816-11-2004 ITIC 2005 All rights reserved 3 5.2 Command for a static biometric verification process The command to be used for a static verification process (see Annex A) is the VERIFY command as spe

33、cified in ISO/IEC 7816-4. The information to be conveyed is biometric reference data identifier (i.e. the qualifier of the reference data) biometric verification data. The biometric verification data may be encoded as BER-TLV data objects (see Table 2). The CLA byte may indicate that the command dat

34、a field is BER-TLV coded (see ISO/IEC 7816-4). For combined biometric schemes, command chaining as defined in ISO/IEC 7816-8 may be used. 5.3 Commands for a dynamic biometric verification process To get a challenge, to which a user response is required (see Annex A), the GET CHALLENGE command shall

35、be used. The type of challenge in a biometric verification process, e.g. a phrase for voiceprint or a phrase for keystroke, depends on the biometric algorithm, which can be specified in P1 of the GET CHALLENGE command (see ISO/IEC 7816-4). The respective algorithm may be selected alternatively by us

36、ing the MANAGE SECURITY ENVIRONMENT command (e.g. SET option with CRT AT and DO usage qualifier and DO algorithm id in the data field). After a successful GET CHALLENGE command, an EXTERNAL AUTHENTICATE command is sent to the card. The command data field conveys the relevant biometric verification d

37、ata. For coding of the biometric verification data, the same principles apply as for the VERIFY command, see 5.1. 6 Data elements 6.1 Biometric information The Biometric Information Template (BIT) provides descriptive information regarding the associated biometric data. It is provided by the card in

38、 response to a retrieval command prior to a verification process. Table 1 defines biometric information DOs. INCITS/ISO/IEC 7816-11-2004 4 ITIC 2005 All rights reserved Table 1 Biometric information DOs Tag L Value Presence 7F60 Var. Biometric Information Template (BIT) Tag L Value 80 1 Algorithm re

39、ference for use in the VERIFY / EXT. AUTHENTICATE / MANAGE SE command Optional 83 1 Reference data qualifier for use in the VERIFY / EXT. AUTH. / MANAGE SE command Optional A0 Var. Biometric information DOs defined in this standard Optional 06 41 42 4F Var.Var.Var.Var. Tag allocation authority (see

40、ISO/IEC 7816-6): - Object identifier (OID) - Country authority (see ISO/IEC 7816-4) - Issuer (see ISO/IEC 7816-4) - Application Identifier (AID), identifies the application and its provider (see ISO/IEC 7816-4) The default tag allocation authority is ISO/IEC JTC1/SC37. One of these DOs is mandatory,

41、 if A1 is present A1 Var. Biometric information DOs specified by the tag allocation authority (mandatory indication, see above). See also example in Annex C Mandatory, if A0 is not present Tag L Value 8x/ Ax 9x/ Bx Var.Var. DOs defined by the tag allocation authority . (primitive / constructed) . (p

42、rimitive / constructed) DO dependent NOTE In case the card does not perform the verification process, the Biometric Information Template may also contain the biometric reference data (see Table 3) and possibly discretionary data (tag 53 or 73) e.g. for data to be delivered to a service system, if ve

43、rification is positive (see Annex C). If several BITs are present within the same application, then they shall be grouped as shown in Table 2. Table 2 BIT group template Tag L Value Presence 7F61 Var. BIT group template Tag L Value 02 Var. Number of BITs in the group Mandatory 7F60 Var. BIT 1 Condit

44、ional . 7F60 Var. BIT n Conditional A BIT group template can be recovered e.g. by a GET DATA command reading out of a file in the corresponding DF, EFID found in the FCI, or reading an SE template (see ISO/IEC 7816-4), in which the BIT group template is stored. INCITS/ISO/IEC 7816-11-2004 ITIC 2005

45、All rights reserved 5 6.2 Biometric data Biometric data (biometric verification data, biometric reference data) may be presented as a concatenation of data elements, within a biometric data DO as defined in ISO/IEC 7816-6, or as concatenation of DOs within a biometric data template, see Table 3. Tab

46、le 3 Biometric data DOs Tag L Value Presence 5F2E Var. Biometric data 7F2E Var. Biometric data template Tag L Value 5F2E Var. Biometric data At least one of these DOs is present, if the template is used 81 / A1 Var. Biometric data with standardised format (primitive / constructed) 82 / A2 Var. Biome

47、tric data with proprietary format (primitive / constructed) As shown in Table 3, biometric data may be split up in a part with standard format and in a part with proprietary format, whereby the part with the proprietary format may be used, e.g. for achieving a better performance. The usage of biomet

48、ric data with standardized and proprietary formats is shown in Figure 1. Structure and coding of biometric data are biometric type (e.g. facial features, fingerprint) dependent and out of scope of this standard. INCITS/ISO/IEC 7816-11-2004 6 ITIC 2005 All rights reserved T. B DT L T. B DS T. B DPB D

49、 in st a n -d a r d i se d f o r m a tLB D in p r o p r i e -t a r y f o r m a t o f A LCa r dw i t h m a t ch i n g a l g o r i t h m AI FDw i t h f e a t u r e e x t r a ct i o na l g o r i t h m AV E RIFY * * = V e r i f i ca t i o n d a t a : * = V e r i f i ca t i o n d a t a : Ca r dw i t h m a t ch i n ga l g o r i t h m BV E RIFY * T he m atch ing algorithm s A and B belong to the sam e bio m etric t y pe , but use d