ISSA Web Conference - Biometric Information Security Management
Published: August 2010 presentation (Technology).
  1. Biometric Information Security Management. Phillip H. Griffin, Information Security Consultant, GRIFFIN Consulting
  2. Biometric Security Standards
     • X9.84-2010, Biometric Information Management and Security
       – Industry-neutral information security standard
       – Financial-services-specific use cases
       – Became a US national standard in 2003
       – Revised 2009: Wells provided the editor; Griffin created the secure abstract schema
       – Selectively incorporates ISO 19092 improvements
     • ISO 19092
       – Extends and internationalizes X9.84-2003
       – McCormick, US expert; Griffin, standard editor
       – Omitted important X9.84 technical content
       – Omitted the schema needed for practical implementation
  3. Biometric Security Standards Content (coverage table comparing X9.84 and ISO 19092; the check marks did not survive extraction). Rows: Biometrics Overview & Tutorial; Technical Considerations & Architecture; Biometric Information Security Management; Cryptographic Controls and Techniques; Physical Controls; ASN.1 Schema (compact binary & XML markup); Secure Biometric System Event Journal.
  4. Biometric Security Standards Content, continued (same X9.84 / ISO 19092 coverage table). Rows: Audit Checklist (BVCO); Match Decision Protocol; ISO 8583 Retail Message Extension; Data Flow Diagrams & Descriptions; Security Considerations; Public Policy Considerations; Business Use Cases.
  5. X9.84 – A Biometrics Tutorial
     • Biometric Technology Overview – Basics: "Biometric identification leverages the universally recognized fact that certain physiological or behavioral characteristics can reliably distinguish one person from another."
     • Biometric Types – Fingerprint (Voice, Signature, Iris, Retina, Face, …): "The pattern of friction ridges and valleys on an individual's fingertips is considered unique to that individual."
  6. X9.84 Authentication System Compliance – Biometric System Auditor Checklist
     Biometric Validation Control Objectives:
     • Environmental Controls – A biometric system within or employing an IT infrastructure requires these controls for a secure implementation.
     • Key Management Lifecycle Controls – Needed when a biometric system employs cryptographic protection, e.g., digital signatures for data integrity and origin authentication, and encryption for confidentiality.
     • Biometric Information Lifecycle Controls – A biometric system enrolls individuals by capturing biometric data to generate, distribute, use, and eventually terminate templates, similar to a PKI.
  7. X9.84 Authentication System Compliance – Biometric System Event Journal
     Shows that an organization provides reasonable assurance that environmental, key management lifecycle, and biometric information lifecycle events are accurately and completely logged, i.e. that the operation of the biometric system meets the control objectives:
     • Confidentiality and integrity of current and archived event journals are maintained.
     • Complete event journals are securely and confidentially archived in accordance with disclosed business practices.
     • Event journals are reviewed periodically by authorized personnel.
  8. Extending Biometric Template Information – Biometric Template Attributes
     Attributes can be bound to a template using a detached signature. Detached signatures are stored separately from the template itself, so they do not interfere with template use by a biometric service provider (BSP), say during the biometric matching process. Signature verification of information security management attributes that are cryptographically bound to a biometric reference template can be performed by another application process, perhaps by a Web Service.
  9. Biometric Security Management Attributes
       <Modality>
         <BiometricType> fingerprint </BiometricType>
         <BiometricType> iris </BiometricType>
       </Modality>
       <Factors> 2 </Factors>      -- Two-factor authentication
       <Attempts> 3 </Attempts>    -- Lock after 3 bad tries
       <BiometricPolicy>
         <policyIdentifier> 1.2.3.4 </policyIdentifier>
         <policyReference> http://phillipgriffin.com/policy/99 </policyReference>
       </BiometricPolicy>
  10. Binding Security Attributes to Reference Templates
       <Detached-Signature id=1056>
         <Attributes>
           <Hash> ▪▫▪▫ </Hash>
           <factors> 2 </factors>
           <SAML> ▪▫▪▫ </SAML>
           <Bank> ▪▫▪▫ </Bank>
           <userID> ▪▫▪▫ </userID>
           ▪▫▪▫
      (diagram labels: BSP, Database)
      Detached signatures can bind security and privacy attributes to biometric templates.
  11. Biometric Security Management Layer (architecture diagram; components shown: Identity and Access Management, BSP, User Auth, IAM / BSP API, Biometric Security Management (BSM), Password Management, Application, Event Journal, User, PKI, Signed Attributes)
  12. For a Deeper Dive …
     • ANSI X9.84:2010 – Biometric Information Management and Security
     • ANSI X9.73:2010 – Cryptographic Message Syntax (CMS) – ASN.1 and XML
     • ISSA Journal, January 2007: ISO 19092: A Standard for Biometric Security Management
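The binding described on slides 8 to 10, as an added example that is not the presentation's own code or the X9.84 schema: a detached structure carries the template hash plus the security-management attributes from slide 9, signed with Ed25519 (an assumed choice; X9.84 specifies its own signature and encoding conventions). The template bytes are never modified, verification needs only the template, the detached signature and the public key, and altering a bound attribute such as the lockout count fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Attributes mirrors the slide's attributes (constructed types, not the X9.84 ASN.1 schema).
type Attributes struct {
	Modality  []string `json:"modality"`
	Factors   int      `json:"factors"`
	Attempts  int      `json:"attempts"`
	PolicyID  string   `json:"policyIdentifier"`
	PolicyRef string   `json:"policyReference"`
}
// DetachedSignature is stored apart from the template: the template hash, the bound attributes, and a signature over both.
type DetachedSignature struct {
	TemplateHash []byte     `json:"hash"`
	Attrs        Attributes `json:"attributes"`
	Sig          []byte     `json:"signature"`
}

// signedBytes is the canonical signature input: hash || JSON(attributes). Field order is fixed by declaration order.
func signedBytes(hash []byte, a Attributes) []byte {
	ab, _ := json.Marshal(a) // cannot fail for this plain struct
	return append(append([]byte{}, hash...), ab...)
}

// Bind signs SHA-256(template) || attributes. The template bytes are untouched, so a BSP can still match on them.
func Bind(priv ed25519.PrivateKey, template []byte, a Attributes) DetachedSignature {
	h := sha256.Sum256(template)
	return DetachedSignature{TemplateHash: h[:], Attrs: a, Sig: ed25519.Sign(priv, signedBytes(h[:], a))}
}

// Verify needs only the template, the detached signature and the public key, so another process (e.g. a web service) can run it.
func Verify(pub ed25519.PublicKey, template []byte, d DetachedSignature) bool {
	h := sha256.Sum256(template)
	return string(h[:]) == string(d.TemplateHash) && ed25519.Verify(pub, signedBytes(h[:], d.Attrs), d.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	template := []byte("constructed reference template bytes") // stand-in for a real template
	a := Attributes{Modality: []string{"fingerprint", "iris"}, Factors: 2, Attempts: 3, PolicyID: "1.2.3.4", PolicyRef: "http://phillipgriffin.com/policy/99"}
	d := Bind(priv, template, a)
	fmt.Println("valid binding:", Verify(pub, template, d))
	d.Attrs.Attempts = 10 // changing a bound attribute invalidates the signature
	fmt.Println("tampered attempts:", Verify(pub, template, d))
}
```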