1、 INCITS/ISO/IEC 19784-1:2006/Amd3: 2010 2011 ISO/IEC 19784-1:2006/Amd3:2010 Information technology Biometric application programming interface Part 1: BioAPI specification AMD 3: Support for interchange of certificates and security assertions, and other security aspects INCITS/ISO/IEC 19784-1:2006/A
2、md3:2010 2011 PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloadi
3、ng this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the Gene
4、ral Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given
5、 below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 1/4/2011 Published by American National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2011 by Information Technology Indust
6、ry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale
7、. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America i
8、i ITIC 2011 All rights reserved ISO/IEC 19784-1:2006/Amd.3:2010(E) ISO/IEC 2010 All rights reserved iiiForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies
9、that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other inte
10、rnational organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given
11、 in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by
12、 at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Amendment 3 to ISO/IEC 19784-1:2006 was
13、 prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 37, Biometrics. This amendment to ISO/IEC 19784-1 defines a new version 2.2 of BioAPI which adds support for biometric fusion and security assertions to ISO/IEC 19784-1. It extends the API and the SPI of Bi
14、oAPI by specifying new functions and new values for existing data types. ISO/IEC 19784-1:2006 provides no direct support for biometric fusion. In addition, the use of FARs in the representation of matching scores is not suitable, in general, for performing score-level fusion (although it does allow
15、some limited forms of fusion). This amendment adds support of biometric fusion to ISO/IEC 19784-1. ISO/IEC 19784-1:2006/Amd.3:2010(E) ISO/IEC 2010 All rights reserved 1Information technology Biometric application programming interface Part 1: BioAPI specification AMENDMENT 3: Support for interchange
16、 of certificates and security assertions, and other security aspects 1) General amendment items 1-1) Add the following at the end of the first paragraph of the Foreword: “, BioAPI 2.1, and BioAPI 2.2” 1-2) Replace the last paragraph of the Foreword with the following: This is the first ISO/IEC stand
17、ard on BioAPI. Previous versions were published by ANSI and the BioAPI Consortium. As the last official non-ISO release was designated Version 1.1, the version specified in this part of ISO/IEC 19784-1 is designated Version 2.0 onwards. This is to distinguish the versions of BioAPI products in the m
18、arketplace. 1-3) Replace the first paragraph of the Introduction with the following: This part of ISO/IEC 19784 provides a high-level generic biometric authentication model suited to most forms of biometric technology. Support for multimodal biometrics and security assertions is also provided. 2) Am
19、endment items for interchange of certificates and security assertions, and other security aspects 2-1) Replace the last paragraph of the Scope with the following: This part of ISO/IEC 19784 specifies a version of the BioAPI specification that is defined to have a version number described as Major 2,
20、 Minor 0, or version 2.0. It also specifies a version number described as Major 2, Minor 1, or version 2.1 that provides an enhanced Graphical User Interface. It also specifies a version number described as Major 2, Minor 2, or version 2.2 that provides features supporting fusion and security. Some
21、clauses and sub-clauses apply only to one of these versions, some to two or more. This is identified at the head of the relevant clauses and sub-clauses. ISO/IEC 19784-1:2006/Amd.3:2010(E) 2 ISO/IEC 2010 All rights reserved2-2) Remove the amended paragraph in Amd.2 after the last paragraph of the Sc
22、ope and add the following paragraph after the last amended NOTEs of the Scope: Conformance requirements are specified in Clause 2. 2-3) Add the following documents to Clause 3: ISO/IEC 19785-4:2010, Information technology Common Biometric Exchange Formats Framework Part 4: Security block format spec
23、ifications ISO/IEC 24761:2009, Information technology Security techniques Authentication context for biometrics 2-4) Add the following term and definition before 4.1: 4.0 ACBio instance report generated by a biometric processing unit (BPU) compliant to ISO/IEC 24761 to show the validity of the resul
24、t of one or more subprocesses executed in the BPU ISO/IEC 24761 2-5) Add the following term and definition after 4.3: 4.3bis authentication context for biometrics ACBio International Standard that specifies the form and encoding of ACBio instances ISO/IEC 24761 2-6) Add the following terms and defin
25、itions after 4.5: 4.5bis biographic data (BioAPI 2.2) non-biometric data that potentially affects a biometric operation 4.5ter biographic BIR (BioAPI 2.2) non-biometric BIR that potentially affects a biometric operation 2-7) Add the following term and definition after 4.10: 4.10bis biometric process
26、ing unit BPU entity that executes one or more subprocesses that perform a biometric verification at a uniform level of security ISO/IEC 24761 ISO/IEC 19784-1:2006/Amd.3:2010(E) ISO/IEC 2010 All rights reserved 3NOTE A sensor, a smart card, and a comparison device are examples of BPUs. 2-8) Add the f
27、ollowing term and definition after 4.14: 4.14bis BPU IO Index integer assigned to each biometric data stream between BPUs by the subject, such as software, which utilizes the function of the BPU so that the validator can reconstruct the data flow among BPUs ISO/IEC 24761 2-9) Add the following term
28、and definition after 4.16: 4.16bis decision BIR (BioAPI 2.2) BIR which contains decision in the BDB 2-10) Replace the terms of 4.22 with the following terms: 4.22 score score data scoring 2-11) Add the following term and definition after 4.22: 4.22bis score BIR (BioAPI 2.2) BIR which contains score
29、in the BDB 2-12) Add the following term and definition after 4.22bis: 4.22ter secure BioAPI (BioAPI 2.2) BioAPI API and SPI interfaces that include the security features defined for version 2.2 of BioAPI 2-13) Replace Clause 5 with the following: ACBio Authentication Context for Biometrics API Appli
30、cation Programming Interface BDB Biometric Data Block BFP BioAPI Function Provider BIR Biometric Information Record BPU Biometric Processing Unit ISO/IEC 19784-1:2006/Amd.3:2010(E) 4 ISO/IEC 2010 All rights reservedBSP Biometric Service Provider CBEFF Common Biometric Exchange Formats Framework FMR
31、False Match Rate FPI Function Provider Interface GUI Graphical User Interface ID Identity/Identification/Identifier IRI Internationalized Resource Identifier (see RFC 3987) MAC Message Authentication Code MOC Match on Card PID Product ID SB Security Block SBH Standard Biometric Header NOTE This term
32、 and abbreviation is imported from ISO/IEC 19785-1. SPI Service Provider Interface UUID Universally Unique Identifier 2-14) Replace 6.6.6 as follows: 6.6.6 On BioAPI_BSPAttach/BioAPI_BSPAttachSecure (BioAPI 2.2 or greater), the application is required to select at most one BioAPI Unit of each catego
33、ry that is currently in an “inserted“ state (or to select BioAPI_DONT_CARE) and is managed by that BSP or by an associated BFP. The BSP then either accesses that BioAPI Unit (for directly managed BioAPI Units), or else interacts with the associated BFP in order to access that BioAPI Unit. 2-15) Add
34、the following text after 7.1: 7.1bis BioAPI_ACBio_PARAMETERS (BioAPI 2.2) 7.1bis.1 Structure giving information which is used to generate ACBio instances typedef struct bioapi_acbio_parameters uint32_t Challenge4; uint32_t *InitialBPUIOIndexOutput; uint32_t *SupremumBPUIOIndexOutput; BioAPI_ACBio_PA
35、RAMETERS; ISO/IEC 19784-1:2006/Amd.3:2010(E) ISO/IEC 2010 All rights reserved 57.1bis.2 Definitions Challenge Challenge from the validator of a biometric verification when ACBio is used. This value shall be set to the field controlValue of type ACBioContentInformation in ACBio instances. InitialBPUI
36、OIndexOutput The initial value of BPU IO index which is to be assigned to the output from the BioAPI Unit, BFP, or BSP when the ACBio instances are generated. The range between InitialBPUIOIndexOutput and SupremumBPUIOIndexOutput shall be divided into the number of BSP Units and BFPs which are attac
37、hed to the BSP, and assigned to the BSP Units and BSPs. SupremumBPUIOIndexOutput The supremum of BPU IO indexes which are to be assigned to the output from the BioAPI Unit, BFP, or BSP when the ACBio instances are generated. 7.1ter BioAPI_ASN1_BIR (BioAPI 2.2) A container for biometric data, (or non
38、-biometric data) that may affect a biometric operation, encoded in ASN.1 DER. The BioAPI_ASN1_BIR structure is used when a BioAPI API with security functionality is used. The BioAPI_ASN1_BIR structure associates a length, in bytes, with the address of an arbitrary block of contiguous memory which co
39、ntains an ASN.1 encoded BIR of type BioAPI-BIR, specified in Annex E. The ASN.1 encoded BIR consists of an SBH of type BioAPIBIRHeader, a BDB of type BiometricData, and an SB of type CBEFFSecurityBlock. The BDB may contain raw sample data, partially processed (intermediate) data, completely processe
40、d data, score data (resulting from a matching or fusion operation), decision data (resulting from a decision or fusion operation), or biographic data which can be provided as input to a biometric operation to modify its behavior. The BioAPI_ASN1_BIR may be used to enroll a user (thus being stored pe
41、rsistently), or may be used to verify or identify a user (thus being used transiently). It may also be stored and used later to provide feedback to subsequent biometric operations. Type BioAPI_ASN1_BIR is an alias of type BioAPI_DATA. NOTE The ASN.1 type BioAPI-BIR corresponds to the C structured ty
42、pe BioAPI_BIR element by element. typedef BioAPI_DATA BioAPI_ASN1_BIR; 7.1quater BioAPI_ASN1_ENCODED (BioAPI 2.2) A container for ASN.1 DER encoded data. The BioAPI_ASN1_ENCODED structure is used to express information about cryptographic keys. The BioAPI _ASN1_ ENCODED structure associates a length
43、, in bytes, with the address of an arbitrary block of contiguous memory which contains an ASN.1 encoded data. Type BioAPI_ASN1_ENCODED is an alias of type BioAPI_DATA. typedef BioAPI_DATA BioAPI_ASN1_ENCODED; 2-16) In 7.4.1, modify the paragraph as follows: A container for biometric data, or non-bio
44、metric data that may affect a biometric operation. A BioAPI_BIR consists of a BioAPI_BIR_HEADER, a BDB, and an optional SB. The BDB may contain raw sample data, partially processed (intermediate) data, completely processed data, score data (resulting from a matching or fusion operation), decision da
45、ta (resulting from a decision or fusion operation), or biographic data which can be provided as input to a biometric operation to modify its behavior. The BioAPI_BIR may be used to enroll a user (thus being stored persistently), or may be used to verify or identify a user (thus being used transientl
46、y). It may also be stored and used later to provide feedback to subsequent biometric operations. ISO/IEC 19784-1:2006/Amd.3:2010(E) 6 ISO/IEC 2010 All rights reserved2-17) In 7.9.1, modify a) with the following: a) it identifies the type of biometric sample (raw, intermediate, processed, score data,
47、 decision data or biographic data) that is contained in the BDB; 2-18) Replace 7.9.4 as follows: 7.9.4 The index flag shall be set if an index is present in the BIR header and not set if no index is present in the BIR header. typedef uint8_t BioAPI_BIR_DATA_TYPE; #define BioAPI_BIR_DATA_TYPE_RAW (0x
48、01) #define BioAPI_BIR_DATA_TYPE_INTERMEDIATE (0x02) #define BioAPI_BIR_DATA_TYPE_PROCESSED (0x04) #define BioAPI_BIR_DATA_TYPE_SCORE (0x08) #define BioAPI_BIR_DATA_TYPE_DECISION (0x09) #define BioAPI_BIR_DATA_TYPE_BIOGRAPHIC (0x0A) #define BioAPI_BIR_DATA_TYPE_ENCRYPTED (0x10) #define BioAPI_BIR_DA
49、TA_TYPE_SIGNED (0x20) NOTE 1 The BioAPI BIR Data Type corresponds to a combination of the “CBEFF_BDB_processed_level”, ”CBEFF_BDB_encryption_options”, and “CBEFF_BIR_integrity_options” in ISO/IEC 19785-1. NOTE 2 BioAPI_BIR_DATA_TYPE_DECISION (BioAPI 2.2 or greater) and BioAPI_BIR_DATA_TYPE_BIOGRAPHIC (BioAPI 2.2 or greater) have two bits on while others have only one
