Standards are incredibly important, yet incredibly frustrating. While the work of standards bodies is absolutely critical, the complexity of their effort makes it seem as though they purposefully work to make it difficult for outsiders to comprehend. Consider the following lines extracted from an actual presentation made before a security industry trade group:
· M1 is the US TAG to JTC 1 SC 37
· INCITS 358 BioAPI: JTC 1 SC 37 Fast Track candidate
· Revised CBEFF: INCITS/JTC 1 SC37 Fast Track candidate
This would certainly intimidate all but the most acronym-centric of us. Little wonder that biometrics remains a world unto itself, with most outsiders (be they other members of the security/identity community or the general public) still uncertain of their status.
When asked about the pervasive use of acronyms with biometric technology, Jeff Stapleton, Manager Information Risk Management for KPMG and chair of biometric standards groups X9 F4 and TC68 WG10, jokingly replied, “if we spelled everything out, nothing would fit in our PowerPoint presentations.”
In the paragraphs that follow, the major efforts underway toward creating standards for biometrics are examined. Though acronyms, unfortunately, cannot be eliminated altogether, a proper name will be presented whenever possible.
Biometric standards via ISO and ANSI
To begin this exploration of biometric standards, a basic understanding of how the worldwide standards bodies behind the ISO/IEC standards are structured is crucial.
Today 148 countries from around the globe participate in the International Organization for Standardization (ISO). ISO committees create standards for all kinds of products and processes, literally everything from high technology to basic consumer goods. The International Electrotechnical Commission (IEC) is another standards-setting organization. IEC works closely with ISO on technology-related standards development and thus the completed standards in this arena are credited as ISO/IEC standards.
The ISO/IEC committee that develops standards for information technology is the Joint Technical Committee 1 (JTC 1).
Prior to 2002, biometric standardization took place in two separate committees within ISO’s JTC 1: the JTC 1 / SC 17 committee on card and personal identification technology and the JTC 1 / SC 27 on IT security techniques. In June 2002, however, JTC 1 / SC 37 was created with a dedicated focus on biometrics, effectively consolidating the ISO work on the topic.
Countries participating in ISO do so by appointing representatives from their respective national standards bodies. In the United States, the national standards body is called the American National Standards Institute (ANSI). ANSI serves as the U.S. representative on ISO committees.
ANSI created a separate group to serve as a technical resource for the various ANSI committees covering information technology. This group is called the International Committee on Information Technology Standards (INCITS). According to its mission, INCITS is “the primary U.S. focus of standardization in the field of Information and Communications Technologies (ICT), encompassing storage, processing, transfer, display, management, organization, and retrieval of information. As such, INCITS also serves as ANSI’s Technical Advisory Group (TAG) for ISO/IEC Joint Technical Committee 1.”
The group within INCITS that provides technical assistance on biometrics is called M1. M1 works with the members of ANSI that serve as the U.S. representatives on ISO/IEC JTC 1 / SC 37.
Outside of JTC 1, a separate ISO committee also works with biometric standardization. Technical Committee 68 (TC68) covers issues related to Banking, Securities, and Financial Services. TC68’s Sub Committee 2 (SC2) focuses on Security Management and General Banking Operations. It is here that the issues related to biometric technologies are examined.
Just as JTC 1’s ANSI representatives rely on INCITS to provide technical assistance, TC68’s ANSI representatives look to a separate body to serve the function. X9 serves as the TAG for ANSI’s TC68 efforts. X9 develops and publishes voluntary, consensus technical standards for the financial services industry. More than 300 organizations with interest in the financial services industry participate in X9’s technology committees. Within X9’s Data and Information Security Committee (X9F), Subcommittee 4 (X9F4) focuses on cryptographic applications including biometrics.
In summary, two groups within ISO are working to establish international standards for biometrics: ISO/IEC JTC 1 / SC 37 and ISO TC68 / SC2. Each U.S. delegation to these ISO committees relies on a technical advisory group: INCITS M1 supports ISO/IEC JTC 1 / SC 37 while X9F4 supports ISO TC68 / SC2.
Other standards and specifications bodies at work as well …
Other groups involved in the standards-setting processes include both federal government entities and private sector consortiums.
· NIST
The U.S. National Institute for Standards (NIST) is a non-regulatory federal agency within the U.S. Commerce Department’s Technology Administration. Its stated mission is to “develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.” The Information Technology Laboratory (ITL) within NIST focuses on biometric standards, testing, and development.
· Biometric Consortium
The Biometric Consortium began meeting informally in 1992 and was officially founded in 1995. It is made up of representatives from U.S. government agencies with an interest in the advancement of biometrics. It is co-hosted by NIST and the National Security Administration.
· BioAPI Consortium
A group of companies interested in the development of biometric technologies came together in 1998 to form the BioAPI Consortium. The group’s mission was to create an operating system-independent application programming interface (API) that could work with a variety of different biometric technologies.
· OASIS
The Organization for the Advancement of Structured Information Standards (OASIS) was established in 1993 under its original name SGML. The group focuses on the development of specifications relying on the concepts of structured information such as Extensible Markup Language (XML). Efforts in relation to biometrics involve the application of XML to biometric systems.
The standards themselves …
Now that the major entities and organizations involved in the development of the biometric standards have been identified, a review of the key standards can be presented.
- BioAPI v1.1
Achieving the initial mission of the BioAPI Consortium, the initial version of the BioAPI standard (v1.0) was released in March 2000. It specifies an API that functions across different biometric technologies. The current version (v1.1) was released one year later in March 2001.
- NISTIR 6529 / CBEFF
NIST and the Biometric Consortium published NISTIR 6529 in 2001 and then a revised version known as NISTIR 6529-A in 2002. Also known as the Common Biometric Exchange File Format (CBEFF), the standard describes a set of data elements to support various biometric technologies in a common manner. According to the 6529 documentation, “data can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange.”
- ANSI X9.84
X9’s ANSI X9.84 standard was approved by ANSI in February 2001. Titled, Biometric Information Management and Security for the Financial Services Industry, the standard specifies the minimum security requirements for managing biometric data in financial services applications.
- ANSI/INCITS 358
INCITS “fast tracked” the BioAPI v1.1 through the standards process within ANSI and its approval was completed in February 2002, at which point it received the standards title of ANSI/INCITS 358.
- XCBF v1.1
The XML Common Biometric Format (XCBF) was developed by OASIS and defines a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529).
To date, there have been no biometric standards issued from ISO. Though several projects are in progress (three within SC 37, one with SC 17, and another in TC68), none have made it through the lengthy process required for ISO ratification. With the current push to incorporate biometrics into such pervasive documents as driver’s licenses, passports and visas, and government-issued identification cards, the pressure on the industry and the standards bodies to expedite the process is significant.
According to Mr. Stapleton, “consolidation and resolution of the biometric standards at an international level will occur over the next 18 months, followed by national adoptions and vendor offerings over the following 18 months.”
The coming months and years should be extremely interesting and critical for these technologies and the players bringing them to bear.