ITU-T X 1084-2008 Telebiometrics system mechanism C Part 1 General biometric authentication protocol and system model profiles for telecommunications systems (Study Group 17)《电信生物测.pdf

1、 International Telecommunication Union ITU-T X.1084TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2008) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security Telebiometrics system mechanism Part 1: General biometric authentication protocol and system model

2、profiles for telecommunications systems Recommendation ITU-T X.1084 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499

3、DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management

4、X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IP

5、TV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 For further details, please refer to the list o

6、f ITU-T Recommendations. Rec. ITU-T X.1084 (05/2008) i Recommendation ITU-T X.1084 Telebiometrics system mechanism Part 1: General biometric authentication protocol and system model profiles for telecommunications systems Summary Biometric technologies are developed in various products and populated

7、 in application systems such as border control, physical access control, etc., for identity verification. These technologies are also expected to be applied to open network systems for reliable user authentication. However, open network systems need to manage risks in biometric products and system c

8、onfigurations for secure remote services. Recommendation ITU-T X.1084 specifies biometric authentication protocols and profiles for telecommunication systems in open networks. Source Recommendation ITU-T X.1084 was approved on 29 May 2008 by ITU-T Study Group 17 (2005-2008) under Recommendation ITU-

9、T A.8 procedures. Keywords Telebiometric authentication profiles, telebiometric authentication protocol, telebiometric system mechanism, transport layer security. ii Rec. ITU-T X.1084 (05/2008) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the f

10、ield of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standard

11、izing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is cover

12、ed by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indica

13、te both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g., interoperability or applicability) and compliance with the Recommendation is achieved

14、when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROP

15、ERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether assert

16、ed by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned th

17、at this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2009 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec

18、. ITU-T X.1084 (05/2008) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 2 3.1 Vocabulary definitions within ISO/IEC JTC 1/SC 37 b-SC37SD2V8 2 3.2 Terms defined in this Recommendation. 2 4 Abbreviations 3 5 Conventions 4 6 Prerequisites 4 7 Authentication models 5 8 Security threats for ea

19、ch models. 10 9 General requirements 12 10 General protocol . 13 10.1 Requirement of the biometrics handshake protocol . 13 10.2 Alert protocol for biometric handshake 16 10.3 Implementation of the extended protocol. 17 11 Requirements of the biometric transportation stage for each model 18 11.1 Loc

20、al model 19 11.2 Download model 20 11.3 Attached model. 20 11.4 Centre model 21 11.5 Reference management on TTP for local model 21 11.6 Reference management on TTP for centre model 22 11.7 Comparison outsourcing by client model. 23 11.8 Comparison outsourcing by server model 25 11.9 Storage and com

21、parison outsourcing model. 26 Annex A ASN.1 definitions for modified TLS extension protocol 30 Appendix I Telebiometrics system mechanism definitions by TLS extension. 41 I.1 Extensions for biometric transfer protocol. 41 I.2 Biometrics Verify . 43 I.3 Biometrics Retry Request. 45 I.4 Finished Biome

22、trics 45 I.5 Biometrics TTP Request. 46 I.6 Biometrics TTP response . 47 I.7 Extension alert protocol 47 iv Rec. ITU-T X.1084 (05/2008) Page Appendix II Implementation example of the biometric transfer protocol using BIP . 50 II.1 Local model 51 II.2 Download model 52 II.3 Attached model. 52 II.4 Ce

23、ntre model 53 II.5 Comparison outsourcing by client model. 53 II.6 Reference management on TTP for local model 54 II.7 Reference management on TTP for centre model 55 II.8 Comparison outsourcing by server model 56 II.9 Storage and comparison outsourcing model. 57 Appendix III Template registration a

24、nd updating process for this Recommendation 59 III.1 Registration process 59 III.2 Updating or revocation process 60 Appendix IV ASN.1 definitions for the protocol of TSM based on Appendix I 63 Appendix V ECN modules for Appendix IV 75 V.1 EDM module 75 V.2 ELM module. 97 Bibliography. 100 Rec. ITU-

25、T X.1084 (05/2008) v Introduction With the rapid and widespread diffusion of the Internet, various network services are now in operation. In high value services, such as Internet banking, Internet shopping, Internet trading, etc., illegal trading by obtaining a personal identification number (PIN) b

26、y means, such as phishing, are occurring with increasing regularity. Therefore, high security authentication mechanisms are increasingly required, such as can be provided by biometrics. We have the following problems in standardizing biometric authentication on the Internet: Service providers do NOT

27、 have any information regarding what biometric devices are in use at the end-users end, what security level is this device set at, or how it is operated. According to each biometric product, the accuracy (False Accept Rate) determined by the threshold parameter differs between different biometric pr

28、oducts. Therefore, the service provider can NOT claim to maintain a uniform accuracy level. The accuracy of biometric verification may decline with the aging of end-users because biometrics uses features of the human body. To solve these problems, protocols for biometric authentication between unspe

29、cified end-users and service providers on open networks are greatly required. The figure below illustrates the environment of this Recommendation for a biometric security mechanism that authenticates a user via a non-face-to-face open network. Open NetworkClient TerminalApplication Server(Verifier)B

30、iometric SensorEnd UserEnvironment of this Recommendation The meaning of the open network: Many unspecified verifiers connect to the network and use varying biometric methods. High value service provider Efficient government service provider Online shopping provider. A large number of unspecified en

31、d-users also connect to the network, and their identity is verified through biometric authentication in order to use services from the aforementioned providers. The verifier here is “open“ in the following sense. The purpose of biometric authentication is different for each verifier, and the risk/va

32、lue for the verifier is also different for each. Therefore, each verifier has a different authentication security policy. The user here is “open“ in the sense that each user uses different biometric authentication methods. Each user can select any biometric authentication method to use, according to

33、 the acceptability or privacy policy they follow. Rec. ITU-T X.1084 (05/2008) 1 Recommendation ITU-T X.1084 Telebiometrics system mechanism Part 1: General biometric authentication protocol and system model profiles for telecommunications systems 1 Scope This Recommendation specifies the biometric a

34、uthentication protocols and profiles for telecommunication systems. It defines the protocols for biometric authentication of unspecified end-users and service providers on open networks. In the open network, there are a range of biometric communication devices for the end-users. There are also a var

35、iety of security policies for network services for the providers. This Recommendation defines nine telebiometrics authentication models depending on the configuration of the client, the server, and the trusted third party. It also defines the negotiation protocol for the policies and the device envi

36、ronments using the models. Furthermore, it specifies the requirements of biometric transportation data for each model. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the

37、time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below.

38、 A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation. ITU-T X.509 Recommendation ITU-T X.509 (2005) | ISO/IEC 9594-8:2005, Information technology

39、 Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T X.1089 Recommendation ITU-T X.1089 (2008), Telebiometrics authentication infrastructure (TAI). ISO/IEC 15408-1 ISO/IEC 15408-1:2005, Information technology Security techniques Evaluation criteria for

40、IT security Part 1: Introduction and general model. ISO/IEC 19784-1 ISO/IEC 19784-1:2006, Information technology Biometric application programming interface Part 1: BioAPI specification. ISO/IEC 19785-1 ISO/IEC 19785-1:2006, Information technology Common Biometric Exchange Formats Framework Part 1:

41、Data element specification. ISO/IEC 19795-1 ISO/IEC 19795-1:2006, Information technology Biometric performance testing and reporting Part 1: Principles and framework. ISO/IEC 24761 ISO/IEC 24761:2009, Information technology Security techniques Authentication context for biometrics. IETF RFC 3986 IET

42、F RFC 3986 (2005), Uniform Resource Identifier: Generic Syntax. IETF RFC 4346 IETF RFC 4346 (2006), The Transport Layer Security (TLS) Protocol Version 1.1. IETF RFC 4366 IETF RFC 4366 (2006), Transport Layer Security (TLS) Extensions. X9.84-CMS OASIS X9.84-CMS (2003), XML Common Biometric Format. 2

43、 Rec. ITU-T X.1084 (05/2008) 3 Definitions 3.1 Vocabulary definitions within ISO/IEC JTC 1/SC 37 b-SC37SD2V8 This Recommendation uses the following terms defined elsewhere: 3.1.1 biometric (adjective): Of or having to do with biometrics. 3.1.2 biometrics (noun): An automated recognition of individua

44、ls based on their behavioural and biological characteristics. 3.1.3 biometric template: A set of stored biometric features comparable directly to biometric features of a recognition biometric sample. 3.1.4 biometric reference: One or more stored biometric samples, biometric templates or biometric mo

45、dels attributed to a biometric data subject and used for comparison. 3.1.5 biometric sample: Analogue or digital representation of biometric characteristics prior to biometric feature extraction process, and obtained from a biometric capture device or biometric capture subsystem. 3.1.6 comparison (m

46、atch/matching): Estimation, calculation or measurement of similarity or dissimilarity between recognition biometric sample(s)/biometric features/biometric models and biometric reference(s). 3.1.7 comparison decision: Determination of whether the recognition biometric sample(s) and biometric referenc

47、e(s) have the same biometric source, based on a comparison score(s), a decision policy(ies), including a threshold, and possibly other inputs. 3.1.8 comparison score: Numerical value (or set of values) resulting from a comparison. 3.1.9 false match: Comparison decision of “match“ for a recognition b

48、iometric sample and a biometric reference that are not from the same source. 3.1.10 false non-match: Comparison decision of “non-match“ for a recognition biometric sample and a biometric reference that are from the same source. 3.1.11 match: Decision that the recognition biometric sample(s) and the

49、biometric reference are from the same source. 3.1.12 non-match: Decision that the recognition biometric sample(s) and the biometric reference are not from the same source. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 biometric authentication: The process of confirming an individuals identity, either by verification or by identification. 3.2.2 decision policy: Logic through which a biometric system provides match/no match decis