1、INCITS/ISO/IEC 7816-11-2004 (ISO/IEC 7816-11:2004, IDT) Identification cards Integrated circuit cards Part 11: Personal verfication throughbiometric methodsINCITS/ISO/IEC 7816-11-2004(ISO/IEC 7816-11:2004,IDT)Copyright American National Standards Institute Provided by IHS under license with ANSI Not
2、 for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-11-2004 ii ITIC 2005 All rights reserved PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be ed
3、ited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a
4、trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member b
5、odies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard. Date of ANSI Approval: 12/29/2005 Published by Ame
6、rican National Standards Institute, 25 West 43rd Street, New York, New York 10036 Copyright 2005 by Information Technology Industry Council (ITI). All rights reserved. These materials are subject to copyright claims of International Standardization Organization (ISO), International Electrotechnical
7、Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council (ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, without the prior written permission of ITI. All requests pertaining
8、 to this standard should be submitted to ITI, 1250 Eye Street NW, Washington, DC 20005. Printed in the United States of America Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-I
9、NCITS/ISO/IEC 7816-11-2004 ITIC 2005 All rights reserved iii Contents Page Foreword iv Introduction .v 1 Scope 1 2 Normative references .1 3 Terms and definitions 1 4 Abbreviated terms 2 5 Commands for biometric verification processes 2 5.1 Commands to retrieve biometric information .2 5.2 Command f
10、or a static biometric verification process .3 5.3 Commands for a dynamic biometric verification process 3 6 Data elements .3 6.1 Biometric information 3 6.2 Biometric data 5 6.3 Verification requirement information 6 Annex A (informative) Biometric verification process .8 Annex B (informative) Examp
11、les for enrollment and verification 13 Annex C (informative) Biometric information data objects . 19 Annex D (informative) Usage of Secure Messaging Templates 29 Bibliography 33 Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or n
12、etworking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-11-2004 iv ITIC 2005 All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National
13、bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Oth
14、er international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rule
15、s given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires appr
16、oval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 7816-11 was prepared by
17、Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification. ISO/IEC 7816 consists of the following parts, under the general title Identification cards Integrated circuit cards: Part 1: Cards with contacts Physical characteristics Part 2: Ca
18、rds with contacts Dimensions and location of the contacts Part 3: Cards with contacts Electrical interface and transmission protocols Part 4: Organization, security and commands for interchange Part 5: Registration of application providers Part 6: Interindustry data elements for interchange Part 7:
19、Interindustry Commands for Structured Card Query Language (SCQL) Part 8: Commands for security operations Part 9: Commands for card management Part 10: Cards with contacts Electronic signals and answer to reset for synchronous cards Part 11: Personal verification through biometric methods Part 15: C
20、ryptographic information application Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-11-2004 ITIC 2005 All rights reserved v Introduction This part of ISO/IE
21、C 7816 is one of a series of standards describing the parameters for integrated circuit(s) cards with contacts and the use of such cards for international interchange. This part of ISO/IEC 7816 may also apply to contactless cards. Copyright American National Standards Institute Provided by IHS under
22、 license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-AMERICAN NATIONAL STANDARD
23、INCITS/ISO/IEC 7816-11-2004 ITIC 2005 All rights reserved 1 Identification cards Integrated circuit cards with contacts Part 11: Personal verification through biometric methods 1 Scope This part of ISO/IEC 7816 specifies security related interindustry commands to be used for personal verification wi
24、th biometric methods in integrated circuit(s) cards. It also defines the data structure and data access methods for use of the card as a carrier of the biometric reference data and/or as the device to perform the verification of a personal biometric (on-card matching). Identification of persons usin
25、g biometric methods is outside the scope of this standard. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (in
26、cluding any amendments) applies. ISO/IEC 7816-4:2003, Identification cards Integrated circuit cards with contacts Part 4: Organization, security and commands for interchange ISO/IEC CD 19785:2003, Information technology Common Biometric Exchange Framework Format (CBEFF) 3 Terms and definitions For t
27、he purposes of this document, the following terms and definitions apply. 3.1 biometric data data encoding a feature or features used in biometric verification 3.2 biometric information information needed by the outside world to construct the verification data 3.3 biometric reference data data stored
28、 on the card for the purpose of comparison with the biometric verification data 3.4 biometric verification process of verifying by a one-to-one comparison of the biometric verification data against biometric reference data 3.5 biometric verification data data acquired during a verification process f
29、or the comparison with the biometric reference data Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-11-2004 2 ITIC 2005 All rights reserved 3.6 template as d
30、efined in ISO/IEC 7816-4 WARNING The term template means the value field of a constructed data object. It should not be confused with a processed biometric data sample. 4 Abbreviated terms For the purpose of this part of ISO/IEC 7816, the following abbreviations apply. AID Application Identifier AT
31、Authentication Template BER Basic Encoding Rules BIT Biometric Information Template BD Biometric Data BDP BD in proprietary format BDS BD in standardized format BDT Biometric Data Template CCT Cryptographic Checksum Template CRT Control Reference Template CT Confidentiality Template DE Data Element
32、DF Dedicated File DO Data Object DST Digital Signature Template EFID Elementary File ID FCI File Control Information ID Identifier L Length OID Object Identifier RD Reference Data SE Security Environment SM Secure Messaging TLV Tag-Length-Value UQ Usage Qualifier VIDO Verification requirement Inform
33、ation Data Object VIT Verification requirement Information Template 5 Commands for biometric verification processes Commands for retrieval, verification and authentication defined in ISO/IEC 7816-4 are used for biometric verification. Biometric data (e.g. face features, ear shape, fingerprint, speec
34、h pattern, voice print, key stroke) may need protection against replay or presentation of verification data derived from original biometric data (e.g. a fingerprint, a face photo). A method to prevent this kind of attack is to send the verification data to the card with a cryptographic checksum or a
35、 digital signature applying secure messaging as defined in ISO/IEC 7816-4. Likewise, secure messaging may be used to guarantee the authenticity of the biometric data retrieved from the card. 5.1 Commands to retrieve biometric information The commands as specified in ISO/IEC 7816-4 in the clause rela
36、ted to data referencing shall be used for the retrieval of biometric information. Copyright American National Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-11-2004 ITIC 2005 All right
37、s reserved 3 5.2 Command for a static biometric verification process The command to be used for a static verification process (see Annex A) is the VERIFY command as specified in ISO/IEC 7816-4. The information to be conveyed is biometric reference data identifier (i.e. the qualifier of the reference
38、 data) biometric verification data. The biometric verification data may be encoded as BER-TLV data objects (see Table 2). The CLA byte may indicate that the command data field is BER-TLV coded (see ISO/IEC 7816-4). For combined biometric schemes, command chaining as defined in ISO/IEC 7816-8 may be
39、used. 5.3 Commands for a dynamic biometric verification process To get a challenge, to which a user response is required (see Annex A), the GET CHALLENGE command shall be used. The type of challenge in a biometric verification process, e.g. a phrase for voiceprint or a phrase for keystroke, depends
40、on the biometric algorithm, which can be specified in P1 of the GET CHALLENGE command (see ISO/IEC 7816-4). The respective algorithm may be selected alternatively by using the MANAGE SECURITY ENVIRONMENT command (e.g. SET option with CRT AT and DO usage qualifier and DO algorithm id in the data fiel
41、d). After a successful GET CHALLENGE command, an EXTERNAL AUTHENTICATE command is sent to the card. The command data field conveys the relevant biometric verification data. For coding of the biometric verification data, the same principles apply as for the VERIFY command, see 5.1. 6 Data elements 6.
42、1 Biometric information The Biometric Information Template (BIT) provides descriptive information regarding the associated biometric data. It is provided by the card in response to a retrieval command prior to a verification process. Table 1 defines biometric information DOs. Copyright American Nati
43、onal Standards Institute Provided by IHS under license with ANSI Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-INCITS/ISO/IEC 7816-11-2004 4 ITIC 2005 All rights reserved Table 1 Biometric information DOs Tag L Value Presence 7F60 Var. Biometric Information Templ
44、ate (BIT) Tag L Value 80 1 Algorithm reference for use in the VERIFY / EXT. AUTHENTICATE / MANAGE SE command Optional 83 1 Reference data qualifier for use in the VERIFY / EXT. AUTH. / MANAGE SE command Optional A0 Var. Biometric information DOs defined in this standard Optional 06 41 42 4F Var.Var.
45、Var.Var. Tag allocation authority (see ISO/IEC 7816-6): - Object identifier (OID) - Country authority (see ISO/IEC 7816-4) - Issuer (see ISO/IEC 7816-4) - Application Identifier (AID), identifies the application and its provider (see ISO/IEC 7816-4) The default tag allocation authority is ISO/IEC JT
46、C1/SC37. One of these DOs is mandatory, if A1 is present A1 Var. Biometric information DOs specified by the tag allocation authority (mandatory indication, see above). See also example in Annex C Mandatory, if A0 is not present Tag L Value 8x/ Ax 9x/ Bx Var.Var. DOs defined by the tag allocation aut
47、hority . (primitive / constructed) . (primitive / constructed) DO dependent NOTE In case the card does not perform the verification process, the Biometric Information Template may also contain the biometric reference data (see Table 3) and possibly discretionary data (tag 53 or 73) e.g. for data to
48、be delivered to a service system, if verification is positive (see Annex C). If several BITs are present within the same application, then they shall be grouped as shown in Table 2. Table 2 BIT group template Tag L Value Presence 7F61 Var. BIT group template Tag L Value 02 Var. Number of BITs in the group Mandatory 7F60 Var. BIT 1 Conditional . 7F60 Var. BIT n Conditional A BIT group template can be recovered e.g. by a GET DATA command reading out of a file in the corresponding DF, EFID found in
