BIAS: Biometric Identity Assurance Services
29 October 2009
Catherine Tilton
8th Annual Smart Cards in Government Conference
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=bias
BIAS
• Biometric Identity Assurance Services
• Collaborative project of INCITS and OASIS
• Defines a framework for deploying and invoking biometrics-based identity assurance capabilities that can be readily accessed using services-based frameworks (e.g. Web services).
  – To remotely invoke biometric operations across an SOA infrastructure.
(Figure: Services are exposed through Bindings to the underlying Biometric Operations)
Biometric systems becoming more sophisticated
• Larger and more complex
• Enterprise architectures built on the SOA model & standards
• Emphasis on data sharing & reuse of resources/services
• The need for vendor independence, multiple sources
  – Departure from custom solutions
  – Embracing of open systems, standards
• New requirements for interoperability & flexibility
Biometric services – What’s missing?
(Figure: Biometric Applications on one side, Biometric Resources on the other, with question marks where a service standard would sit. Existing standards shown: ANSI/NIST-ITL 1-2000/7, BioAPI/BIP, Other. Resources shown: Biometric Capture, Biometric Data Format, Quality Check, 1:1 Verification, Biometric Databases, 1:N Search Engines.)
• In reviewing the current biometric-related standards portfolio and system-oriented architecture (SOA) references, it became apparent that a gap existed in the availability of standards related to biometric services.
Goals
• Establish an industry-standard set of biometric identity management services
  – This will allow applications and systems to be built upon an open-system standard rather than implementing custom one-off solutions for each service provider
• Ease the implementation of and access to such services, since the basic services are pre-defined and can be re-used
• Facilitate federated, cross-organizational use of biometric services
BIAS – Requirements
• General
  – Manage biometric & associated biographic data for a given subject/population
  – Perform biometric operations (e.g., searches) against a population(s)
• Specific
  – Provide the ability to remotely invoke biometric operations across an SOA infrastructure, decoupling the service from the interface (and requester) that calls it.
  – Provide business-level operations, without constraining the application/business logic that implements those operations.
  – Provide basic capabilities that can be used to construct higher-level, aggregate/composite operations.
  – Be as generic as possible – technology, framework, and application domain independent.
INCITS & OASIS collaboration
• Development of the BIAS standard requires expertise in two distinct technology domains to ensure that the final specification provides the right structure, functionality, and technical details:
  – Biometrics, with standards leadership provided by INCITS M1
  – Service architectures (initially focused on Web services), with standards leadership provided by OASIS
• Close collaboration between both standards organizations is required:
  – INCITS M1: provide biometrics expertise; define the “taxonomy” (biometric operations, data elements)
  – OASIS: provide WS/SOA/XML expertise; define the Web services bindings (schema, protocol)
• Existing standards are available in both domains, and many of these standards will provide the foundation and underlying capabilities upon which the biometric services depend.
BIAS system context (INCITS)
• BIAS services:
  – are modular and independent operations which can be assembled in many different ways to support a variety of business processes.
  – may be implemented with differing technologies on multiple platforms.
  – can be publicly exposed directly and/or utilized indirectly in support of a service provider’s own public services.
BIAS system context (OASIS)
• Defines a SOAP Profile to implement the “abstract” services specified in INCITS M1.
• Includes:
  – WSDL / XML schema
  – Data model / data dictionary
  – Message structure / rules
  – Error handling
  – Use cases & samples
Biometric resources
• BIAS services are intended to offer a consistent and common interface to various system resources, which may include:
  – A 1:1 fingerprint verification matching server
  – A 1:N iris search/match engine
  – A facial biometric watch list
  – A criminal or civil AFIS system
  – A name-based biographic identity database
  – An archive of biometric identifiers
  – A gallery/population of subjects
• Person-centric & encounter-based systems
BIAS operations
• Subject
  – Create/delete subject
  – Add/remove subject from gallery
• Biographics
  – Set/list biographic data
  – Update/delete biographic data
  – Retrieve biographic data
• Biometrics
  – Set/list biometric data
  – Update/delete biometric data
  – Retrieve biometric data
• Searching/processing
  – Verify subject
  – Identify subject
  – Check quality
  – Classify biometric data
  – Perform fusion
  – Transform biometric data
• Aggregate services
  – Enroll
  – Identify
  – Verify
  – Retrieve information
• Asynchronous results retrieval
• Query capabilities
Representing biometric data
• To meet BIAS goals, any type of biometric information needs to be able to be represented and used in the services.
• BIAS utilizes the existing CBEFF standard (ISO/IEC 19785-1:2006) to represent biometric data.
  – BIAS does not require any particular CBEFF patron format.
  – BIAS implementations may support one or multiple CBEFF patron formats.
• The BIAS specification includes an XML representation of CBEFF header information.
• Originally, BIRs were binary only (embedded Base-64 or XOP).
  – Broadened to allow “pure” XML as well as BDBs only (using the XML CBEFF metadata as required) and URIs.
(Figure: a BIR consists of XML CBEFF metadata plus a BDB in a patron format, e.g., ANSI/NIST, ISO, INCITS, NIEM, EFTS)
Representing biographic data
• BIAS provides flexibility for the amount and types of biographic data supported by implementing systems.
• BIAS provides two methods for representing biographic information:
  – A set of individual data items (name/type/value combinations)
  – An existing format, such as:
    • Electronic Fingerprint Transmission Specification (EFTS) [DOJ-CJIS]
    • National Information Exchange Model (NIEM) [DOJ/DHS]
    • xNAL: Name and Address Standard [OASIS Customer Information Quality TC]
    • HR-XML [HR-XML Consortium]
    • and others …
• Can include contextual & document information as well.
Example use case – employee credentialing
Use case steps, with the BIAS operations each step uses:
• Pre-enrollment
  – Access website, enter biographic data, make appointment
    BIAS operations: Create Subject; Set Biographic Data
• Enrollment
  – Enter or verify biographic data
    BIAS operations: Create Subject; Set Biographic Data OR Retrieve Biographic Information; Update Biographic Data
  – Scan/validate source documents
  – Capture tenprints, facial photograph
    BIAS operations: Set Biometric Data
• Enrollment processing
  – Duplicate check
    BIAS operations: Identify Subject; Add Subject to Gallery
  – Watchlist check/threat screening*
  – Criminal history records check*
  – Name-based checks*
* Typically through an external agency
Employee credentialing use case (cont’d)
Use case steps, with the BIAS operations each step uses:
• Credential issuance
  – Generate card production package
    BIAS operations: Retrieve Biographic Data; Retrieve Biometric Data
  – Produce & ship card
  – Pick up card; verify fingerprint
    BIAS operations: Verify Subject
  – Activate card
• Privilege granting
  – Present/validate card
  – Verify fingerprint (against card)
  – Enroll operational biometric (optional)
    BIAS operations: Create Subject; Set Biographic Data
  – Add to local PACS
• Access control
  – Present card; read biometric
  – Capture & match biometric
    BIAS operations: Verify Subject (if not local match)
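The enrollment and issuance steps above, as an added example that is not from the presentation or from INCITS 442 / the OASIS SOAP Profile: an in-memory Python model of the operations the slides name (Create Subject, Set Biographic Data, Set Biometric Data, Identify Subject, Add Subject to Gallery, Verify Subject), showing why the duplicate check runs before the subject is added to the gallery. The method signatures, the BIR modelled as opaque bytes, and exact-equality matching are assumptions made for illustration.

```python
import uuid


class BiasService:
    """In-memory stand-in for the BIAS operations named on the slides (assumed
    signatures). A BIR is modelled as opaque bytes (the CBEFF BDB); matching is
    exact equality, where a real 1:1 or 1:N engine would score templates."""

    def __init__(self):
        self.subjects = {}    # subject_id -> {"bio": {...}, "bir": [...]}
        self.gallery = set()  # subject ids searchable by Identify Subject

    def create_subject(self):
        sid = str(uuid.uuid4())
        self.subjects[sid] = {"bio": {}, "bir": []}
        return sid

    def set_biographic_data(self, sid, **items):
        self.subjects[sid]["bio"].update(items)

    def set_biometric_data(self, sid, bir):
        self.subjects[sid]["bir"].append(bir)

    def identify_subject(self, bir):
        """1:N search over the gallery only; returns candidate subject ids."""
        return [s for s in self.gallery if bir in self.subjects[s]["bir"]]

    def add_subject_to_gallery(self, sid):
        self.gallery.add(sid)

    def verify_subject(self, sid, bir):
        """1:1 verification against the claimed subject's enrolled data."""
        return bir in self.subjects[sid]["bir"]


def enroll_employee(svc, biographic, bir):
    """Enrollment processing in slide order. Identify Subject (the duplicate
    check) runs before Add Subject to Gallery, so an applicant already
    enrolled under another identity is flagged rather than added twice."""
    sid = svc.create_subject()
    svc.set_biographic_data(sid, **biographic)
    svc.set_biometric_data(sid, bir)
    duplicates = svc.identify_subject(bir)
    if duplicates:
        return sid, duplicates  # hold for adjudication; not in the gallery
    svc.add_subject_to_gallery(sid)
    return sid, []
```

At card pickup the same service answers Verify Subject for the claimed subject id, so a second record created during a flagged enrollment never becomes verifiable.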
Lower level use case
Historical timeline (2006–2009)
INCITS track:
• Jan06 – INCITS project approved
• Draft development; joint workshop
• May08 – INCITS 442 published
• Oct08 – 442 revision initiated
• Oct09 – 442 revision approved
OASIS track:
• Feb06 – OASIS BIAS TC chartered
• Drafts of BIAS Messaging Protocol
• Apr08 – Scope change to SOAP Profile
• Feb/Mar09 – Informal public review of BIAS SOAP Profile
• Nov09 – Ready for public review
Status
• INCITS 442 Revision
  – Publication expected shortly
• OASIS BIAS SOAP Profile at draft v10
  – Goal is to ballot for public review in Nov09
• Reference implementations sought
BIAS TC members
• Members
  – BAH
  – Daon
  – DHS
  – DoD
  – Lockheed
  – NIST
  – OSS Nokalva
  – Raytheon
  – Sun
  – Wells Fargo
  – EDS*
  – Raining Data*
  – SAFLINK*
  – Fujitsu*
  – Oxford Univ.*
  – PA Consulting*
• Observers
  – ABA
  – GS1
  – PA Assoc. of Notaries
* Previous members
For your attention!
Catherine Tilton
Chair, OASIS BIAS Integration TC
VP, Standards & Technology, Daon
11955 Freedom Drive, Suite 16000
Reston, VA
[email protected]

Matt Swayze
Editor, INCITS BIAS project
Director, US Professional Services, Daon
11955 Freedom Drive, Suite 16000
Reston, VA
[email protected]