1、 International Telecommunication Union ITU-T X.1088TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (05/2008) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Telecommunication security Telebiometrics digital key framework (TDK) A framework for biometric digital key generation and pro
2、tection Recommendation ITU-T X.1088 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499DIRECTORY X.500X.599 OSI NETWORK
3、ING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.10
4、80X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSP
5、ACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 For further details, please refer to the list of ITU-T Recommendations. Rec. IT
6、U-T X.1088 (05/2008) i Recommendation ITU-T X.1088 Telebiometrics digital key framework (TDK) A framework for biometric digital key generation and protection Summary Recommendation ITU-T X.1088 describes a framework for biometric digital key generation, protection from a biometric template with publ
7、ic key certificate and biometric certificate in order to provide cryptographic secure authentication and secure communication on open network environments. This Recommendation also describes the security requirements in biometric digital key generation and protection. The framework described in this
8、 Recommendation can be applied to the biometric encryption and digital signature. Source Recommendation ITU-T X.1088 was approved on 29 May 2008 by ITU-T Study Group 17 (2005-2008) under Recommendation ITU-T A.8 procedure. Keywords Biometric authentication, biometric certificate, biometric digital k
9、ey framework, public key certificate, telebiometrics. ii Rec. ITU-T X.1088 (05/2008) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Stan
10、dardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), w
11、hich meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within
12、 ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommenda
13、tion is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure e.g. interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “m
14、ust“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation
15、may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of t
16、his Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent da
17、tabase at http:/www.itu.int/ITU-T/ipr/. ITU 2009 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1088 (05/2008) iii CONTENTS Page 1 Scope 1 2 References. 1 3 Definitions 2 3.1 Terms defined elsewhe
18、re 2 3.2 Terms defined in this Recommendation. 3 4 Abbreviations and acronyms 3 5 Conventions 4 6 Biometric digital key 4 6.1 Biometric cryptosystem 4 6.2 Model of biometric digital key. 4 7 Biometric digital key framework 6 7.1 Framework overview 6 7.2 Prerequisites . 6 7.3 Biometric digital key ge
19、neration and protection framework 7 7.4 Biometric encryption and signature framework with biometric digital key. 10 8 Security requirements on biometric digital key framework . 11 8.1 Basic security requirements 11 8.2 Security requirements on biometric digital key generation 12 8.3 Security require
20、ments on biometric digital key protection 13 9 Biometric digital key with biometric certificate. 14 9.1 Biometric certificate based biometric digital key. 14 9.2 Biometric certificate-based biometric digital signature . 15 10 Security requirements on biometric certificate-based biometric digital key
21、 16 10.1 Basic security requirements 16 10.2 Security requirements on biometric certificate-based biometric digital key 16 10.3 Security requirements on biometric certificate-based biometric digital key protection 17 10.4 Security requirements on client-side 18 10.5 Security requirements between cli
22、ent-side and BCA. 19 10.6 Security requirements between client-side and CA 19 Appendix I Biometric digital key based on biometric certificate . 20 I.1 Biometric digital key 20 I.2 Biometric certificate generation for biometric digital key . 20 I.3 BC-based biometric digital key generation 21 iv Rec.
23、 ITU-T X.1088 (05/2008) Page Appendix II Applications of biometric digital key . 22 II.1 Introduction 22 II.2 Server-side asymmetric biometric key generation . 22 II.3 Client-side asymmetric biometric key generation 22 Bibliography 24 Rec. ITU-T X.1088 (05/2008) 1 Recommendation ITU-T X.1088 Telebio
24、metrics digital key framework (TDK) A framework for biometric digital key generation and protection 1 Scope A general framework of biometric digital key is required in order to provide enhanced cryptographic secure authentication and security on telebiometric system. This Recommendation specifies a
25、framework for biometric digital key generation and protection using biometric template with public key certificate and biometric certificate in order to provide secure authentication process on open network environments. This Recommendation also describes the security requirements in biometric digit
26、al key generation and protection for providing biometric authentication and secure communication. However, this Recommendation does not cover the methodology of biometric digital key generation in detail because many different kinds of mechanisms can be used for generating and deriving biometric dig
27、ital key from biometric template. And it also does not specify the detailed telebiometric system mechanism on biometric digital key generation and protection, as many models or system architecture can be used on biometric digital key on open network. 2 References The following ITU-T Recommendations
28、and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore enc
29、ouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone d
30、ocument, the status of a Recommendation. ITU-T X.509 Recommendation ITU-T X.509 (2005) | ISO/IEC 9594-8:2005, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T X.1084 Recommendation ITU-T X.1084 (2008), Telebiometrics system mec
31、hanism Part 1: General biometric authentication protocol and system model profiles for telecommunications systems. ITU-T X.1089 Recommendation ITU-T X.1089 (2008), Telebiometrics authentication infrastructure. ISO/IEC 9797-2 ISO/IEC 9797-2:2002, Information technology Security techniques Message Aut
32、hentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-function. ISO/IEC 11770-4 ISO/IEC 11770-4:2006, Information technology Security techniques Key management Part 4: Mechanisms based on weak secrets. ISO/IEC 14888-1 ISO/IEC 14888-1:2008, Information technology Security techniques Digi
33、tal signatures with appendix Part 1: General. ISO/IEC 14888-3 ISO/IEC 14888-3:2006, Information technology Security techniques Digital signatures with appendix Part 3: Discrete logarithm based 2 Rec. ITU-T X.1088 (05/2008) mechanisms. ISO/IEC 17799 ISO/IEC 17799:2005, Information technology Security
34、 techniques Code of practice for information security management. ISO/IEC 18031 ISO/IEC 18031:2005, Information technology Security techniques Random bit generation. ISO/IEC 18032 ISO/IEC 18032:2005, Information technology Security techniques Prime number generation. ISO/IEC 18033-1 ISO/IEC 18033-1:
35、2005, Information technology Security techniques Encryption algorithms Part 1: General. ISO/IEC 19784-1 ISO/IEC 19784-1:2006, Information technology Biometric application programming interface Part 1: BioAPI specification. 3 Definitions 3.1 Terms defined elsewhere This Recommendation uses the follow
36、ing terms defined elsewhere: 3.1.1 biometric b-ISO/IEC 19785-1: Pertaining to the field of biometrics. NOTE “biometric“ should never be used as a noun. 3.1.2 biometrics b-ISO/IEC 19785-1: Automated recognition of individuals based on their behavioural and biological characteristics. 3.1.3 biometrics
37、 data b-ISO/IEC 19785-1: A biometric sample at any stage of processing, biometric reference, biometric feature or biometric property. 3.1.4 biometric authentication b-ISO 19092: Process of confirming an individuals identity, either by verification or by identification. 3.1.5 biometric identification
38、 b-ISO 19092: One-to-many process of comparing a submitted biometric sample against some or all enrolled reference templates to determine an individuals identity. 3.1.6 biometric sample b-ISO/IEC 19785-1: Information obtained from a biometric device, either directly or after further processing. 3.1.
39、7 biometric template ISO/IEC 19784-1: A biometric sample or combination of biometric samples that is suitable for storage as a reference for future comparison. 3.1.8 biometric verification b-ISO 19092: Process of comparing a match template against reference based on a claimed identity (e.g., user ID
40、, account number). 3.1.9 capture b-ISO 19092: Acquisition of a biometric sample. 3.1.10 enrolment b-ISO 19092: Process of collecting biometric samples from a person and the subsequent generation and storage of biometric reference templates associated with that person. 3.1.11 extraction b-ISO 19092:
41、Process of converting raw biometric data into processed biometric for use in template comparison or reference template creation. Rec. ITU-T X.1088 (05/2008) 3 3.1.12 registration b-ISO 19092: Process in which a person shall prove their identity by presenting credentials to the biometric service prov
42、ider before being allowed to enroll, and assigns an electronic identifier. 3.2 Terms defined in this Recommendation This Recommendation defines the following terms: 3.2.1 biometric capture device: Device that collects a signal from a biometric characteristic and converts it to a biometric sample. 3.
43、2.2 biometric capture process: Process of collecting or attempting to collect a signal from a biometric characteristic and converting it to a biometric sample. 3.2.3 biometric certificate: A data structure binding the users identity and biometric feature and digital signed by the certificate authori
44、ty which issued it. 3.2.4 biometric certificate authority: An entity, responsible for the issuance of biometric certificate. 3.2.5 biometric database: Collection of data organized according to a conceptual structure describing the characteristics of those data and the relationship among their corres
45、ponding entities, supporting one or more applications. 3.2.6 biometric digital signature: Digital signature function that performs a signature generation using private key on biometric message. 3.2.7 biometric encryption: Cryptographic encoding function that performs a cryptographic secure encoding
46、and decoding using public key on biometric message. 3.2.8 client: Client terminal provides a biometric function for telecommunication service applications. 3.2.9 user: The receiver of the telecommunication service using the client. 3.2.10 verifier: Service provider based on a biometric authenticatio
47、n on telecommunication environments. 4 Abbreviations and acronyms This Recommendation uses the following abbreviations and acronyms: AES Advanced Encryption Standard BC Biometric Certificate BCA Biometric Certificate Authority BioAPI Biometric Application Programming Interface BSP Biometric Service
48、Provider CA Certificate Authority CBEFF Common Biometric Exchange Formats Framework CRL Certificate Revocation List CSP Cryptographic Service Provider DES Data Encryption Standard MD5 Message Digest 5 PKC Public Key Cryptography 4 Rec. ITU-T X.1088 (05/2008) PKI Public Key Infrastructure SHA-1 Secur
49、e Hash Algorithm 1 TTP Trusted Third Party USB Universal Serial Bus 5 Conventions None. 6 Biometric digital key 6.1 Biometric cryptosystem Biometrics is about measuring unique personal features, such as a subjects voice, fingerprint, or iris. It has the potential to identify individuals with a high degree of assurance, thus providing a foundation for trust. Cryptography, on the other hand, concerns itself with the projection of trust: with taking t