Telebiometric information security and safety management
TELEBIOMETRIC INFORMATION SECURITY AND SAFETY MANAGEMENT1 Phillip H. Griffin, CISM Booz | Allen | Hamilton, Linthicum, Maryland USA ABSTRACT collection point should document system compliance to safety and security policies in a secure journal, and helpOrganizations that rely on human-oriented technologies guide operations.such as telebiometrics should protect and manage thesafety and security of their physical and information assets. The international biometric information management andData that documents the safe and secure operation of security standard, ISO 19092 recommends that compliancetelebiometric system devices should be collected and of a biometric system "should be periodically validatedcaptured in an information security and safety event according to the organizations [sic] policy, practices andjournal. Event journal data provides an audit trail that procedures" . ISO 19092 defines a set of secure eventshould be protected using digital signatures, encryption journal records that "should be used in the capture of theand other safeguards. A system heartbeat record should validation material" . However, the standard does notdocument and monitor the safety, performance, and define a telebiometric system heartbeat record foravailability of telebiometric system devices and alert system monitoring and managing the safety, security andadministrators to security and safety events and changes. performance of biometric devices in a telebiometric system.Heartbeat data should provide metrics that inform thecontinuous improvement of a telebiometric information 2. DATA SECURITYsecurity and safety management program. A signcryptioncryptographic message wrapper should protect event Telebiometric information systems are vulnerable to loss ofjournal, biometric reference template, and other data integrity, origin authenticity, and confidentiality whentelebiometric information to promote user security and their biometric data are transferred on "telecommunicationsrespect for user privacy rights. network or via wireless communication devices", such as smartphone and tablet computers, using "wireless LAN or Keywords— ASN.1, signcryption, telebiometrics Bluetooth" . The raw biometric data in a biometric sample is vulnerable to being "altered or intercepted by an 1. INTRODUCTION attacker and used for illegal purposes" when being sent "to the signal processing component" . Biometric data isOrganizations that rely on telebiometric technology should also subject to attack when transmitted for "storage inprotect and manage the safety and security of their registration or to the comparison component intelebiometric assets . Physical security and personnel authentication" .security are important telebiometric considerations, and twoof the pillars of information security management. The safe When biometric devices are used for identification oroperation and performance of telebiometric systems are verification, even when protected by liveness detection,closely related to availability, a cornerstone of information "live-scanned data can be intercepted" during transmissionsecurity. Telebiometric systems safety management and and "replaced by forged biometric data" . If biometricperformance monitoring should be integrated into the reference templates must be transferred, the confidentialityorganizations overall information security management of their biometric data must be ensured. When templates areprogram. stored in a centralized template management system, their authenticity and integrity, as well as the confidentiality ofThis management program should be based on safety and their biometric data, must be protected from purposeful orsecurity policies designed to achieve the objectives of the accidental modification and from attack by trusted insiders.organization. A risk-based approach should be used toselect and impose proper controls and to monitor their ITU-T X.1086 proposes "countermeasures to ensure dataeffectiveness. A periodic heartbeat message sent from each integrity, mutual authentication, and confidentiality" tonode of a telebiometric system to a central management1 Paper accepted for presentation at “Building Sustainable Communities"ITU Kaleidoscope Conference, Kyoto, Japan, 22-24 April 2013,http://itu-kaleidoscope.org/2013
protect telebiometric information and users against threats, "telecommunication systems and biometric devices" .such as "hijacking, modification and illegal access" , During this contact, telebiometric data from one or moreand ITU-T X.1084 specifies a biometric authentication sensors is "recorded by a measurement instrument" toprotocol and telebiometric system model profiles . The collect biometric samples . When "the human bodyX.1086 standard requires that personally identifiable meets electronic or photonic or chemical or material devicesbiometric data, such as the "faces, fingerprints, irises, and capturing biometric" data, the safe operation of thesevoices" of users, be protected by a confidentiality safeguard devices must be assured .and treated as the "providers private information" . ISO19092 also requires confidentiality for biometric data and ITU-T Recommendation X.1081 defines a "framework forrecommends that cryptographic safeguards ensure the identifying and specifying safety aspects of telebiometrics"integrity and authenticity of biometric objects . . This international standard "provides a structure for categorizing the interaction of human beings withDigital signatures based on the certificates in a Public Key telecommunication terminals" . The X.1081 frameworkInfrastructure (PKI) can be coupled with encryption can be used to derive "safe limits for the operation oftechniques to protect the confidentiality, integrity, and telecommunication systems and biometric devices" .authenticity of biometric data and associated information.The SignedData cryptographic message used to sign X.1081 defines taxonomy of "all possible human-deviceelectronic mail can provide data integrity and origin interactions" . This taxonomy provides a set of ASN.1authenticity for an entire biometric object. Once created, the (Abstract Syntax Notation One)  information objectSignedData message can be encapsulated in an identifiers whose values can be included in a biometricEncryptedData message to provide confidentiality for the system heartbeat message that documents system safety andentire signed object . other operational characteristics. These values represent the safety posture of an active telebiometric system at a givenHowever, the signature followed by encryption approach point in time. Safety posture can be specified usingemployed in electronic mail systems lacks the processing "quantities and units of measurement based on the ISO/IECefficiency demanded by modern telebiometric applications. 80000-series of standards" . These values can beThe electronic mail approach also provides insufficient compared against device manufacturer recommendations, togranularity. The entire biometric object must be encrypted, ensure safe operation over the life of a device.while only a few selected elements in biometric objectsmight require confidentiality protection. A more efficient, 3.2 Information Managementgranular alternative for encrypting selected fields in signedtelebiometric data is described in this paper. Safety posture information that documents the operation of telebiometric system devices should be captured in a secureThis granular approach uses a new cryptographic message system event journal. Journal records should providetype, SigncryptedData . This secure message allows a compliance validation material , such as evidence thatsender to sign and encrypt selected fields in a biometric equipment operation falls within the recommended safetyobject, and then to sign the entire object. SigncryptedData levels for which the equipment manufacturer acceptscan provide confidentiality only where it is needed, and data liability. System safety posture can be used operationally tointegrity and origin authenticity over the entire object in a determine trends in device behavior over time. These trendssingle cryptographic message. may indicate that replacement, adjustment, repair, or other corrective action is needed to ensure public safety, system 3. PUBLIC SAFETY performance, and availability.3.1 Telebiometrics Compliance of a telebiometric system to the availability, performance, and safety objectives of the organization should be periodically validated. Secure system eventBiometric recognition is a key form of automated journals should provide validation material that can be usedidentification and authentication based on the ability to to determine system compliance to organization policiesdistinguish individuals by their physiological or behavioral . Independent third parties should use the journal totraits. Networked biometric systems are "increasingly used validate system safety compliance and publish formalin a wide range of applications"  that enhance the quality reports to ensure public trust in the ethical management andof human life, including healthcare, law enforcement, safe operation of telebiometric systems. Metrics gatheredborder control, and financial services. These applications from system event journals should be used to informare enabled by "advanced pattern recognition algorithms management decision making, document the safety postureapplied through powerful ICT"  that merge remote of the organizations biometric devices, and for continuousbiometric sensors and telecommunications. improvement of the organizations information security and safety management program.To interact with biometric recognition applications, ahuman being must come into physical contact with
4. FUTURE STANDARDIZATION Metrics collected from journal records can inform the continuous improvement of a telebiometric information4.1 Focus security and safety management program.ITU-T Study Group 17 (SG17) is widely known for its An ASN.1 schema for a telebiometric system heartbeatexpertise in the development of information and message should be standardized by ITU-T. This messagecommunications technology (ICT) standards. Unlike should be recorded in a secure telebiometric system eventorganizations limited to a single technology domain, such as journal. Data values that measure device operational safetybiometrics or security, SG17 can bridge multiple domains, should be included in the heartbeat message. These valuesbringing them together in standards with a cross industry should be associated with those identified in the X.1081focus that benefit multiple communities. Through its taxonomy . Security and performance information oncommunications process and liaison activities, SG17 the quality of a remote verification process of a biometricengages experts from across the world to standardize device should be defined as an optional heartbeat messagesolutions that have a global impact. It is well positioned to field that carries an ISO/IEC 24761 report . The reportplay a central role in the development of standards that would not be used in this context for making an informedenhance the safety, security, and privacy of individuals and access control decision, but to provide operational valuesmake sustainable communities possible. useful for system administration and for information security and safety management. SG17 includes experts in biometrics, information security,public key infrastructure, schema definition languages, and 4.3 Telebiometric event journaltelecommunications technologies. The following proposalsfor standardization will require expertise from all of thesedisciplines. In particular, the involvement of the abstract ITU-T Study Group 17 should develop a standardsyntax, information security, telebiometrics, and Directory telebiometric event journal. This effort should provide anexperts of SG17 will be needed to ensure the development extensible ASN.1 schema  for journal records thatof high quality solutions that are safe and secure. This makes widespread information exchange possible. Acombination of expertise and cooperative engagement standardized schema would facilitate the development ofmakes SG17 uniquely suited to lead in the development of interoperable applications from multiple vendors.the following proposed standards that cross industry Extensibility would support sustainable, flexible systemsboundaries and technology domains. that can evolve over time, and allow any adopting community with a need to extend the schema.4.2 Heartbeat message This ASN.1 schema should support both compact binary and XML journal formats. Providing two ways to representTelecommunications-enabled biometric devices can support journal records would allow peer applications to supportreal time remote management and monitoring by system either or both formats. Application designers could chooseadministrators. These devices can send periodic system the format best suited for use in a given context. They mightheartbeat records to alert system administrators of security use XML locally, then store or exchange telebiometricand safety events, such as changes in device settings or information efficiently using a compact binary format asgeographic location. Over time, heartbeat records can depicted in Figure 1.provide evidence of the safe and secure operation of atelebiometric system.In aggregate, heartbeat record data provides a measure ofthe performance and availability of the devices in a system.Coupled with security event information, this data can beused to present a dashboard view of the security and safetyposture of the system. When compared against policy Figure 1. XML and binary information exchangerequirements, metrics derived from heartbeat record datacan indicate whether operations are achieving the policy Binary event journal messages are appropriate for use inobjectives of the organization. environments constrained by mobility, limited battery life, or bandwidth (e.g., wireless communications using handThe safe and secure operation of telebiometric systems can held and personal devices). Compact binary journals arebe affected by "real-world factors such as 1) Human factors, needed when there are high volumes of transactions (e.g.,2) External environmental conditions, 3) System related mobile internet commerce) or limited storage capacity (e.g.,issues" . Heartbeat records logged in a secure common access (CAC), personal identity verification (PIV),telebiometric event journal provide an audit trail that and other smart cards). Telebiometric system devices thatdocument the safety and security posture of system devices. must transfer data over radio waves or congested communications links or with devices whose period of use
may be limited by battery life can benefit from using used to distribute X.509 certificates and certificatecompact binary formats, and still leverage XML markup revocation lists (CRLs). SignedData is one of a set ofwhen needed. cryptographic key management messages referred to as Cryptographic Message Syntax (CMS) .A standard for a telebiometric event journal should buildupon the event journal defined in the ISO 19092 biometric SignedData is widely deployed in network securityinformation management and security standard. This protocols, including Secure Sockets Layer (SSL) andstandard predates the emergence of cloud computing, smart Transport Layer Security (TLS). SignedData is used tophones and tablets, and the convergence of wireless distribute X.509 certificates in the Organization for thetelecommunications and biometric technologies. A new Advancement of Structured Information Standards (OASIS)ITU-T standard could build on the security requirements of Web Services Security (WSS) X.509 Security Token.ISO 19092 to improve the security, privacy and safety of SignedData is included in tool kits on a number of popularmodern telecommunications users. Extensions could include operating systems, including several versions of Windowssupport for system availability and performance monitoring and Unix servers.and the safe operation of telebiometric devices. Several widely deployed CMS standards define aTelebiometric event journals and records should be signed SignedData message. These include the RSA Public Keyobjects. Without the protection of a digital signature, the Cryptography Standard (PKCS) #7, the Secure Electronicintegrity of telebiometric information cannot be assured. Mail (S/MIME) CMS standard defined by the InternetDigital signatures can provide integrity assurance that Engineering Task Force (IETF), and the X9.73information has not been altered since being signed. Cryptographic Message Syntax: ASN.1 and XML standardSignature verification can also provide evidence of data . However, there is no international CMS standard thatmodifications that might otherwise go undetected. With uses valid ASN.1 syntax to define its message schema.PKI-based X.509 certificates , the origin of a signer canbe determined. This determination can provide assurance The data security of a number of international biometricthat the information source can be trusted and allow sources standards depends on the cryptographic schema defined inthat are not trusted to be detected. the IETF CMS standard. IETF CMS SignedData is used in the "International Civil Aviation Organization (ICAO)Multimodal biometrics applications depend on reliable data standard for machine-readable travel documents (MRTD)collected from multiple sensor locations and vendors. including electronic passports" , the ISO/IEC 24761International travel that depends on biometric enabled Authentication context for biometrics, and the ISO/IECpassports has led to an increasing need for sharing 19785-4 Common Biometric Exchange Format Frameworkbiometric and other personal information across legal and (CBEFF) – Security block format specifications.regulatory boundaries. Persons charged with maintainingour safety and security require reliable telebiometric Two informational IETF CMS publications contain validinformation to make informed decisions. This reliance on schema definitions. The message schema specified in thetechnology makes origin authenticity and data integrity normative IETF 3852 CMS standard  does not containcrucial for ensuring our communities are sustainable. valid ASN.1 syntax. Though the standard lists the current ASN.1 standards in its reference section, these versions of the ASN.1 standards are not used. Instead, the IETF 38524.4 Cryptographic schema CMS schema is based on X.208, the deprecated 1988 version of ASN.1 that was withdrawn as a standard in 2002Telebiometric information should be protected using . The known defects in X.208 were never correctedappropriate cryptographic safeguards and other before it was abandoned. These defects were corrected insecuritymeasures. System managers, regulators, and the the current ASN.1 standards .public should be confident of the integrity and authenticityof the telebiometric information used by decision makers to New types to support national languages were never addedensure public safety and security. Information assets that to X.208. The Distinguished and XML Encoding Rulesshould be protected include the biometric data of system were never defined for use with the X.208 syntax. The IETFusers, personally identifiable subscriber information, and CMS schema attempts to mix X.208 syntax with syntaxevent journal data used to improve information security and from post-1988 versions of ASN.1 in the same ASN.1safety management programs. These objects should be module, which is not allowed in the ASN.1 standards.signed using a digital signature associated with a PKI using Based on this ambiguous syntax, tools that implement thean ASN.1 SignedData cryptographic message. ASN.1 standards are not able to generate applications that conform to any version of the ASN.1 standards. TheSignedData is an extensible cryptographic message that reliance on invalid cryptographic syntax for data security inprovides data integrity and origin authenticity services using the ICAO, ACBio, and CBEFF standards does not enhancea PKI-based digital signature. SignedData is used in many the ability of these important biometric standards to providenetwork security protocols. One variation of the message is information assurance and security.
enabled watch lists, biometric reference templates, and [sic]ITU-T should create an international Cryptographic biometric elements in the Electronic BiometricMessage Syntax standard. This work should be developed Transmission Specification (EBTS)"  transactions usedby the security, PKI, and schema language experts in Study by law enforcement.Group 17 (SG17). A new CMS standard should be createdas a generic application of ASN.1 in the X.890-series of The SigncryptedData type allows biometric informationrecommendations and standardized jointly with ISO and objects to be signed, and for selected elements within theseIEC. The new CMS standard should contain valid ASN.1 objects to be encrypted. In the signcrypted-componentssyntax and its schema should support all of the compact mode, one of three proposed modes of operation, one orbinary and XML encoding rules. more elements of an information object are signcrypted. The resulting object is then cryptographically bound to oneThe X9.73 CMS standard contains valid syntax whose or more attributes under a digital signature. These signedbinary encodings are valid IETF CMS binary values. To the attributes must include a manifest of all of the elements ingreatest degree possible, XML encoded values of the X9.73 the information object that have been signcrypted.CMS standard should be valid encodings in the new ITU-TCMS standard. The ITU-T standard should follow the This field-level encryption capability coupled with a digitalapproach of the X9.73 standard and collect in a single set of signature makes the SigncryptedData type ideal for use inASN.1 modules the schema for all of the key management managing the safety and security of telebiometric systems,techniques defined in CMS. These techniques include key and for protecting the sensitive elements found in biometricagreement, password-based encryption, and constructive templates, verification reports, and event journals. Usingkey management. SigncryptedData, a biometric reference template can be signed, and the biometric data component within the template can be signcrypted using the same cryptographic4.5 Signcryption message keys. While there is security risk that must be managed when using cryptographic keys for more than one purpose,Signcryption is a relatively new cryptographic primitive this solution meets the security requirements of ISO 19092standardized in ISO/IEC 29150 . Signcryption uses a by ensuring the users biometric data remains confidentialspecial algorithm that blends together signature and within a reference template having origin authenticity andencryption schemes to perform digital signature and data integrity protection.asymmetric encryption functions simultaneously. Thishybrid cryptographic technique provides confidentiality, Rather than including SigncryptedData in the optionaldata integrity, and origin authenticity in a single, efficient signature block defined in the ISO/IEC 19785 CBEFFoperation. standard, stronger protection of biometric templates can be achieved when SigncryptedData is used as a messageEfficient cryptographic protection methods are needed in wrapper that encapsulates the entire template. A messagetelebiometric systems if they are to empower human users wrapper approach allows a trivial attack on referenceand manage their safety and security risk. Such methods templates to be detected using signature verification. Inhelp to ensure that telebiometric systems provide the environments in which the optional signature block is notprivacy and security citizens need to build sustainable required to be present, it is possible for a low skill attackercommunities, and the reliable management information to remove the entire signature block to thwart the signaturesystem providers need to ensure high quality, safe, reliable safeguards effectiveness. Telebiometric systems that serveservice. global communities of mobile users should ensure the effectiveness of security safeguards in all usage contexts.Signcryption offers a smaller message size and fasterprocessing speed compared to sign-then-encrypt signature When a biometric verification process is performed at afollowed by encryption techniques . Unlike safeguards remote location, identification and access managementthat rely on symmetric keys, the reliance of signcryption on (IdAM) systems must make authentication decisions usingasymmetric cryptography makes non-repudiation possible. devices in an uncontrolled environment. Relying partiesThese features make signcryption ideal for protecting may lack administrative control over the remote biometrictelebiometric system information, such as ISO/IEC 19785 devices used to authenticate users that access their systems.templates, ISO/IEC 24761 reports, and ISO 19092 journals. Remote biometric systems owned or operated by others may not be subject to the security and privacy policies of theIn the paper Protecting Biometrics Using Signcryption resource owners.presented at the 2012 ID360 Global Forum on Identity ,an ASN.1 schema for a signcryption message is defined. The ISO/IEC 24761 (ACBio) standard  provides relyingThe paper proposes that a new SigncryptedData type be parties security and performance information on the qualityadded to the X9.73 CMS  standard to extend CMS of a remote biometric verification process. ACBio transfersfunctionality. The proposed schema is based on the familiar a biometric verification process report to the relying party.SignedData type used to protect "electronic mail, biometric A digital signature associated with a SignedData message
protects this report. However, in the current version of A system heartbeat journal record should be defined alongACBio, this SignedData message is based on an IETF CMS with one or more records containing useful metricsschema, which does not conform to any version of the collected from journal entries. A field in this heartbeatASN.1 standards. record should allow optional inclusion of an ACBio systemVerifying the signature and validating the certification path verification report.from a report signer to a trust anchor provides the reportrecipient data integrity and origin authenticity assurance. ITU-T should create a new Cryptographic Message SyntaxThe report itself gives a relying party assurance that the (CMS) security standard whose messages are defined usingmatch decision returned by a remote biometric verification valid ASN.1 syntax. This new generic application of ASN.1system can be trusted. ACBio provides a means for should be standardized jointly with ISO/IEC. ITU-T experts“falsified reference templates, forged raw data” and should promote its adoption in international standards that“unreliable biometric devices”  to be detected. ACBio are important for securing telebiometric information, suchreports allow the security risk associated with remote as ICAO, ISO/IEC 19785 and ISO/IEC 24761. Improvingbiometric verification to be managed. The SignedData security standards that contain invalid ASN.1 syntax canmessage provides integrity and authenticity protection, but enhance the safety, security, and privacy of telebiometricdoes not protect the confidentiality of ACBio information. system users.ACBio respects human values by ensuring that its reports ITU-T should standardize the schema and associateddo not contain personally identifiable information, such as cryptographic processing of a new SigncryptedData type.biometric data from a biometric reference template or the This new type should be added to an ITU-T CMS standard.biometric sample of an identity claimant. However, the All of the signcryption mechanisms and cryptographicSignedData message wrapper does not prevent ACBio algorithm identifiers defined in the ISO/IEC 29150 standarddevice identification and operational information from  should be supported. Though signcryption is notbeing collected and viewed by an eavesdropper or by a intended for use in signing X.509 certificates, the Directorytrusted insider. Transport layer encryption could be used to standards should be examined to determine whetherprovide point-to-point protection, but that approach does modifications are needed to support signcryptionnot provide an end-to-end confidentiality solution. operations.ACBio reports contain biometric device identification, REFERENCESmatch control configuration settings, and match processinginformation that might benefit an attacker. This information  Biometrics and Standards. ITU-T Technology Watch Reportcould be aggregated over time to help plan attacks or to #12, December 2009. Retrieved November 21, 2012 fromidentify a weakness in a biometric system. Replacing the http://www.itu.int/oth/T230100000D/enSignedData wrapper with a SigncryptedData  wrapperwould add confidentiality services to the data integrity and  Dent, Alexander W. (2004). Hybrid cryptography, Cryptology ePrint Archive Report 2004/210. Retrievedorigin authenticity services provided by SignedData. This November 21, 2012, from http://www.signcryption.org/would extend the usefulness of ACBio to law enforcement, publications/pdffiles/Dent-survey-eprint-04-210.pdfdefense and intelligence environments, where access tosystem operational information may be restricted by  Griffin, Phillip H., Protecting Biometrics Using Signcryption.security classification level or on a need-to-know basis. Proceedings of ID360: The Global Forum on Identity, the Center for Identity, University of Texas at Austin, 2012.The SigncryptedData message could extend ACBio with Retrieved November 21, 2012, from http://phillipgriffin.com/ innovation.htm#ID360support for additional signed attributes added by any userwith a need. These attributes might include system heartbeat  ISO 19092:2008 Financial services – Biometrics – Securityinformation, operational safety and performance reports, framework.security classification markings or security and privacypolicy. For stationary equipment, a geolocation attribute  ISO/IEC 19785-1, Common Biometric Exchange Formatscould be used to monitor and detect unexpected relocation Framework – Part 1: Data element specificationof a system device.  ISO/IEC 24761 (2009), Authentication context for 5. CONCLUSION biometrics.  ISO/IEC 29150 (2011), Signcryption.ITU-T should create a standard telebiometric event journalwhose records are defined in an ASN.1 schema. Records  Larmouth, John, ASN.1 complete. San Francisco: Morganshould document biometric system security events Kaufmann Publishers, 2000. Retrieved November 21, 2012,following the events defined in ISO 19092 . Event from http://www.oss.com/asn1/resources/books-whitepapers-journals should be signed objects. When necessary, event pubs/larmouth-asn1-book.pdfjournal records should also be signed, and selected fieldsshould be encrypted to protect the privacy of human beings.
 Pour, Babak Goudarzi, There’s A Metric for That’: How ‘Big Data’ Impacts Biometrics Market and Industry, June 16,  Recommendation ITU-T X.1086 (2008). Telebiometrics 2012. Retrieved November 21, 2012, from protection procedures – Part 1: A guideline to technical and http://biouptime.com/2012/06/16/the-business-impact-of-big- managerial countermeasures for biometric data. data-on-biometrics/  RFC 3852 Cryptographic Message Syntax (2004). Internet Recommendation ITU-T X.208 (1988). Specification of Engineering Task Force (IETF). Retrieved November 21, Abstract Syntax Notation One (ASN.1). 2012, from https://www.ietf.org/rfc/rfc3852.txt Recommendation ITU-T X.509 (2008). The Directory:  X9.73-2010 Cryptographic Message Syntax – ASN.1 and Public-key and attribute certificate frameworks. XML. U.S.A.: American National Standards Institute (ANSI). Recommendation ITU-T X.680 (2008). Abstract Syntax Notation One (ASN.1): Specification of basic notation. Recommendation ITU-T X.1081 (2011). The telebiometric multimodal model – A framework for the specification of security and safety aspects of telebiometrics. Recommendation ITU-T X.1084 (2008). The telebiometrics system mechanism - Part 1: General biometric authentication protocol and system model profiles for telecommunications systems.