iTeh Standards logo
EURUSD
Your shopping cart is empty.
CEN

EN 419212-3:2017

(Main)

Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 3: Device authentication protocols

Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 3: Device authentication protocols

This part specifies device authentication to be used for QSCDs in various context including
   Device authentication protocols
   Establishment of a secure channel Data structures
CV-certificates Key management
The device authentication protocols shall apply to sole-control signature mandated by the EU-regulation eIDAS.

Anwendungsschnittstelle für sichere Elemente zur elektronischen Identifikation, Authentisierung und für vertrauenswürdige Dienste - Teil 3: Geräteauthentisierungsprotokolle

Interface applicative des éléments sécurisés utilisés comme dispositifs de création de signature électronique qualifiée (cachet) Partie 3: Protocoles d'authentification des dispositifs

La présente partie spécifie l’authentification de dispositif à utiliser pour les QSCD dans divers contextes, incluant//y compris :
   les protocoles d’authentification de dispositif ;
   la mise en place d'un canal sécurisé ;
   les structures de données ;
   les certificats CV ;
   la gestion de clés.
Il convient que les protocoles d’authentification de dispositifs s’appliquent à la signature sous contrôle exclusif imposée par le règlement eIDAS de l’UE [1].

Uporabniški vmesnik za varnostne elemente za elektronsko identifikacijo, avtentikacijo in zanesljivost storitev - 3. del: Protokoli avtentikacije naprav

Ta del opredeljuje overitev naprav, ki se uporablja za naprave za ustvarjanje kvalificiranih elektronskih podpisov (QSCD) v različnih kontekstih, vključno s/z:
• protokoli za overitev naprav,
• vzpostavljanjem varnega kanala,
• podatkovnimi strukturami,
• certifikati CV,
• upravljanjem ključev.
Protokoli za overitev naprav se morajo uporabljati za podpise pod izključnim nadzorom uporabnika, kar ureja uredba EU eIDAS [1].

General Information

Status
Published
Publication Date
19-Sep-2017
Withdrawal Date
30-Mar-2018
ICS
35.240.15 - Identification cards. Chip cards. Biometrics
Technical Committee
CEN/TC 224 - Machine-readable cards, related device interfaces and operations
Drafting Committee
CEN/TC 224/WG 16 - Application Interface for smart cards used as Secure Signature Creation Devices
Current Stage
9060 - Closure of 2 Year Review Enquiry - Review Enquiry
Start Date
04-Mar-2023
Completion Date
04-Mar-2023
Directive
910/2014 - Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing directive 1999/93/EC
Mandate
M/460 - Standardisation Mandate to the European Standardisation Organizations CEN, CENELEC and ETSI in the field of Information and Communication Technologies applied to Electronic Signatures
Ref Project
SIST EN 419212-3:2018 - Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 3: Device authentication protocols

Relations

Replaces
EN 419212-2:2014 - Application Interface for smart cards used as Secure Signature Creation Devices - Part 2: Additional services
Effective Date
08-Jun-2022
Replaces
EN 419212-1:2014 - Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services
Effective Date
08-Jun-2022
EN 419212-3:2018 - BARVEEN 419212-3:2018 - BARVE
PreviousNext
Standard
EN 419212-3:2018 - BARVE
English language
117 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.Uporabniški vmesnik za varnostne elemente za elektronsko identifikacijo, avtentikacijo in zanesljivost storitev - 3. del: Protokoli avtentikacije napravAnwendungsschnittstelle für Smartcards als sichere Signaturerstellungseinheiten - Teil 3: GeräteauthentisierungsprotokolleInterface applicative des éléments sécurisés utilisés comme dispositifs de création de signature électronique qualifiée (cachet)
Partie 3: Protocoles d'authentification des dispositifsApplication Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 3: Device authentication protocols35.240.15Identification cards. Chip cards. BiometricsICS:Ta slovenski standard je istoveten z:EN 419212-3:2017SIST EN 419212-3:2018en,fr,de01-februar-2018SIST EN 419212-3:2018SLOVENSKI
STANDARDSIST EN 419212-2:2015SIST EN 419212-1:20151DGRPHãþD

EUROPEAN STANDARD NORME EUROPÉENNE EUROPÄISCHE NORM
EN 419212-3
September
t r s y ICS
u wä t v rä s w Supersedes EN
v s { t s tæ sã t r s vá EN
v s { t s tæ tã t r s vEnglish Version
Application Interface for Secure Elements for Electronic Identificationá Authentication and Trusted Services æ Part
uã Device authentication protocols Interface applicative des éléments sécurisés utilisés comme dispositifs de création de signature d 5authentification des dispositifs
Anwendungsschnittstelle für Smartcards als sichere Signaturerstellungseinheiten æ Teil
uã Geräteauthentisierungsprotokolle This European Standard was approved by CEN on
s y March
t r s yä
egulations which stipulate the conditions for giving this European Standard the status of a national standard without any alterationä Upætoædate lists and bibliographical references concerning such national standards may be obtained on application to the CENæCENELEC Management Centre or to any CEN memberä
translation under the responsibility of a CEN member into its own language and notified to the CENæCENELEC Management Centre has the same status as the official versionsä
CEN members are the national standards bodies of Austriaá Belgiumá Bulgariaá Croatiaá Cyprusá Czech Republicá Denmarká Estoniaá Finlandá Former Yugoslav Republic of Macedoniaá Franceá Germanyá Greeceá Hungaryá Icelandá Irelandá Italyá Latviaá Lithuaniaá Luxembourgá Maltaá Netherlandsá Norwayá Polandá Portugalá Romaniaá Serbiaá Slovakiaá Sloveniaá Spainá Swedená Switzerlandá Turkey and United Kingdomä
EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre:
Avenue Marnix 17,
B-1000 Brussels
t r s y CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Membersä Refä Noä EN
v s { t s tæ uã t r s y ESIST EN 419212-3:2018

Device authentication Protocol Properties . 113 Bibliography . 115 SIST EN 419212-3:2018

Device authentication protocols;
Establishment of a secure channel;
Data structures;
CV-certificates;
Key management. The device authentication protocols should apply to sole-control signature mandated by the EU-regulation eIDAS [1]. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7816-4:2013, Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange ISO/IEC 7816-6, Identification cards — Integrated circuit cards — Part 6: Interindustry data elements for interchange ISO/IEC 7816-8:2004, Identification cards — Integrated circuit cards — Part 8: Commands for security operations ISO/IEC 9796-2:2010, Information technology — Security techniques — Digital signature schemes giving message recovery — Part 2: Integer factorization based mechanisms ISO/IEC 14888-3:2016, Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms 3 Device authentication 3.1 General This clause assumes that device authentication has to be performed as required in 3.3. Device authentication requires mandatory steps in order to provide a secure authentication. A device authentication is mutual and combines two mechanisms: - an ICC verifies the external world (TDA) and itself verified by the external world (CDA); - the two devices negotiate or exchange information to establish common symmetric session keys for subsequent operations. SIST EN 419212-3:2018

Authentication in general requires a defined order of steps to be processed. Violation of this order may result in the ICC aborting the process. The mechanism to control the proper order of execution steps are out of the scope of this standard. In order to distinguish which device authentication is the most appropriate for a given situation refer to Annex A. For the use of certificates the following table indicates the correct certificate type for each device authentication protocol. Table 1 — Certificate type for use with device authentication protocols Certificate Device Auth. CV Certificate self-descriptive CV Certificate non self-descriptive Attribute certificates self-descriptive 3.8 Key transport protocol - x - 3.5 Privacy protocol RSA - x - 3.5 Privacy protocol ELC x - x 3.6 mEAC x - x SIST EN 419212-3:2018

certificates for the subordinate CAs
link certificates in order to convey the public key(s). In order to use an ESIGN application a mutual authentication between ICC and customer terminal is required by the security policy. As PK algorithms are to be employed ICC and IFD authentication certificates are required. The ICC is the carrier of the ICC authentication certificate; carrier of the IFD authentication certificate could be a plug-in ICC as an example for the realization of an authentication module inside the Signature Creation Application (SCA). The handling of the DOs 5.7.9 and 5.7.10 are out of the scope of this standard. SIST EN 419212-3:2018

Figure 1 — Usage of link certificates for different key versions The example above shows PuK.CA.AUT(2002) available at the ICC. This key was brought to the ICC in 2002, however in 2003 the root key was changed and another key chain
was used when generating the IFD's certificate C.IFD.AUT(2003). In order to allow authentication of the IFD, in the above example the ICC might have to receive a link certificate LC.RCA.AUT(2003) first. This certificate is signed with the PrK.RCA.AUT(2002) and it transports the PuK.RCA.AUT(2003). After having verified the link certificate LC.RCA.AUT(2003) the ICC may now receive the certificates of the 2003-chain up to the C.IFD.AUT which carries the final public key required for authentication. If it can verify the incoming certificate with an existing public key, the ICC accepts the transported public key and may use it for the next instance of the chain. The 'start of trust' is always established with the first certificate, being verified with a public key that is available in the ICC. The example in Figure 1 considers a static Root CA key stored in the ICC. Hence, an IFD shall present a proper link certificate in every device authentication session. Alternatively, an ICC may provide the possibility to permanently store the new Root CA key, which would require the import of a link certificate only once. If the trust anchor has been permanently updated within the ICC, the 'start of trust' for subsequent device authentications is the new Root CA key. The certificate chain to be presented by the IFD is shortened. When verifying a certificate, the verifier shall verify the correct role of the signer. Only those roles being allowed to sign certificates may be accepted for the presentation of a certificate chain. The role of a certificate holder is specified in 5.7.4. 3.4 Authentication environments NOTE In [22] two environments are distinguished with respect to signature creation applications. SIST EN 419212-3:2018

Figure 2 — Trust of the environment 3.4.2 SCA in untrusted environment A device authentication shall be used if the operating environment of the ICC cannot be entirely trusted. This can be the case in public signature terminals or other devices, that cannot provide an a-priori secure channel.
Figure 3 — Communication in untrusted environment Device authentication is mutual. The ICC shall authenticate the IFD and vice versa. The order of authentication, however, may differ, depending on the implemented scheme. After successful device authentication, session keys are available on both sides to be used in subsequent transmissions. The appropriate secure messaging is in compliance with ISO/IEC 7816-4 and described in “9 Secure Messaging” [25]. Examples for an untrusted environment are: - SCA and QSCD are not at the same location, i.e. the card is remote; - usage of biometrics if the sensor is off-card; - usage of contactless cards. 3.4.3 Specification of the environment In general the IFD cannot evaluate a priori whether an environment is trustable or not. Therefore it shall be left to the card holder to decide, whether he may trust the application environment or not. The initiation of a device authentication in the application environment is out of the scope of this specification. 3.4.4 Display message mechanism Given, the card holder has initiated a device authentication this specification proposes a 'display message' mechanism in order to verify that the device authentication has been performed successfully. If used, after successful device authentication, a display message shall indicate the successful device authentication in order to inform the user about the existence of a trusted channel. The application of the display message is described in 3.13. SIST EN 419212-3:2018

GENERAL AUTHENTICATE(KID)1 (compliant to ISO/IEC 7816-4) DH: KID = DH.P || KIFD EC: KID = ECDH.P || KIFD Response = KICC
B\ BZ DH: compute KICC = grICC mod p EC: compute KICC = Comp(rICC G) DH:
compute KIFD/ICC = KIFDrICC mod p EC: compute KIFD/ICC = Comp(rICC KIFD) KICC DH: compute KIFD/ICC = KICCrIFD mod p EC:
compute KIFD/ICC = rIFD KICC
Secure messaging keys are derived on both sides according to 3.9 and [15]. Secure messaging (encryption) is activated. All following commands are protected by secure messaging with encryption as described in “Final command APDU construction” [24] Chapter 9.6.3. The SSC is initialized to a start value of '1'. 2 4 If PuK.CA.AUT is available in the ICC continue with step 7 5 Select PuK.RCA.AUT B\ BZ Select key. Response OK 6 PSO:Verify Certificate C_CV.CAIFD.CS_AUT B\ BZ Verify certificate. Response OK 7 Select the CA public key PuK.CAIFD.CS_AUT. B\ BZ Select key. Response OK 8 PSO:Verify Certificate C_CV.IFD.AUT B\ BZ Verify certificate. Response OK
1 For compliance to CWA 14890, the existence of the A6 template will indicate usage of the CWA 14890 method. This mechanism is restricted to the algorithms already supported in CWA 14890 in which case AES and elliptic curves are not supported. Step 2' DH: compute KIFD = grIFD mod p
MSE:SET:KAT (A6)
DH: DH.P || KIFD Step 3' GET DATA (KICC)
DH: compute KIFD/ICC = KICCrIFD mod p SIST EN 419212-3:2018

...|| h(...|| KIFD || S) ) with
S = SN.IFD || RND.ICC || KICC ||
DH.P EC: SN.IFD || DS[PrK.IFD.AUT] (
Comp(KIFD) || S ) with
S = SN.IFD || RND.ICC || Comp(KICC) || ECDH.P B\
ICC verifies signature. The IFD's identity is implicitly verified as known by the certificate C_CV.IFD.AUT.
BZ OK ICC has now authenticated the reader — SM (encryption) active The full information of DF.CIA may now be revealed to the IFD 4 12 READ BINARY of file EF.C.CAICC.CS_AUT b B\ BZ Read data from specified file. C.CAICC.CS_AUT as response 13 READ BINARY of file EF.C.ICC.AUT B\ BZ Read data from specified file. C.ICC.AUT is in response APDU The Public Key of ICC is now known by the reader, and can be trusted 5 14 MSE:SET PrK.ICC.AUT B\ BZ Select PrK of ESIGN application. Response OK SIST EN 419212-3:2018

...|| h(...|| KICC || S)
) with
S = SN.ICC || RND.IFD || KIFD ||
DH.P EC: SN.ICC || DS[PrK.ICC.AUT] (
Comp(KICC) || S ) with
S = SN.ICC || RND.IFD ||
Comp(KIFD) || ECDH.P Two-way authentication is now complete c a If the data are not organized in a file, it may be read from data objects instead. b This step is required only if the reader does not have the public key of the CA. c The SSC will be updated on both sides according to 8.10 3.6.2.2 Step 1 — Read key exchange parameters If the IFD does not have the required key exchange information available, it may read them from a global data file DH:EF.DH / EC:EF.ELC or data objects respectively. EF.DH/EF.ELC may contain public algorithm quantities which depend on the authentication algorithm. For instance: - in a Diffie-Hellman Key exchange scheme, the public key quantities would be the public parameters g, p and q (refer to “Diffie-Hellman key exchange parameters” [24] Chapter 11.3). - In an Elliptic Curve Diffie-Hellman Key exchange scheme, the public key quantities would be the public parameters p,a,b,G,n and the optional cofactor h (refer to “ELC key exchange public parameters” [24] Chapter 11.7). SIST EN 419212-3:2018
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

This May Also Interest You

CEN
CEN/TS 17489-5:2025(Main)
Personal identification - Secure and interoperable European breeder documents - Part 5: Trust establishment and management processes
SIST-TS CEN/TS 17489-5:2025

1.1   Objective
This document is intended for the use of breeder document issuing authorities both policymakers and technical, for having uniform formats that conform to printed as well as digital requirements of CEN member and associated states (including EU member states).
The objectives are:
a)   provision of a common set of formats of breeder documents – printed and digital to be implemented by CEN member and associated states (including EU member states), with the extended objective of their acceptance internationally;
b)   the focus is on having common recognizable formats as well as prevention of identity fraud, particularly related to the use of breeder documents to obtain national and international ID documents, such as passports, and residence permits.
1.2   Human dimension of identity management
Each country’s identity management system also provides a framework for observing and protecting many of the human rights embodied in international declarations and conventions. Depending on the provisions in place, the system can ensure that citizens can exercise a wide range of rights, such as rights to property, privacy, freedom of movement and free choice of place of residence, as well as access to social services such as education, healthcare and social security. In states with more advanced technological infrastructure, population registration provides the basis for the establishment of a number of citizen-oriented computerized services, also known as e-services and e-government. Identity management is also central to prevention of discrimination in exercising guaranteed rights.
The identity management infrastructure provides the backbone for a functioning and viable state by securing civil, population and tax registers, as well other systems such as healthcare benefits, voter lists and the issuance of travel and identity documents based on verifiable identities. Such flaws may become visible during elections, where shortcomings in voter lists can affect confidence in the election process. In essence, a secure identity management system can be seen as the foundation, a root level, that is able to then feed into and help numerous other branches of key state services function effectively and accurately (OSCE, 2017, p.13) [27].
1.3   Security dimension of identity management
One of the key elements of a secure environment for cross-border travel is that the travel documents used by visitors meet international standards in terms of security of the document itself and security in that the document reflects the genuine identity of its holder. Similarly, the systems for issuing travel documents need to be linked to identity management systems to streamline decision-making processes, preferably through modernized systems that reflect developments in document security technology. As entries in registers or officially issued identification documents provide access to specific services, criminal networks are constantly looking for possible gaps in identity management systems to obtain genuine documents under fabricated or stolen identities. Documents obtained as result of gaps in identity management have enabled criminals to target business entities and cause significant financial losses through the use of genuine documents issued to non-existent identities (OSCE, 2017, p.14) [27].
Both legal and illegal immigration breeder docs are regularly used to determine an identity if no MRTD or eMRTD is presented. An identity which will be printed on an eRP, Foreigners ppt, Refugees travel doc etc. unless other supportive evidence of identity is provided.
Organized crime has not overlooked this and fraudulently obtained or falsified travel documents are regularly presented to hide the true identity.
Since a significant portion of the world’s population cannot reliably prove their identity, they rely on verbally presented identities and/or supportive breeder documents when registering in another country.
Asylum applicants who...

  • Technical specification
    69 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 18139:2025(Main)
Personal identification - European guide for biometric recognition applications based on ID documents (ERG)
SIST-TS CEN/TS 18139:2025

This document defines requirements and provides guidance on:
•   capturing of facial images to be used for verification or identification purposes in applications based on reference images in identity or similar documents and traveller or visa databases;
•   capturing of fingerprint images to be used for verification or identification purposes in applications based on reference images in identity or similar documents and traveller or visa databases;
•   data quality maintenance for biometric data captured by/for verification or identification applications;
•   data authenticity maintenance for biometric data captured by/for verification or identification ap-plications.
This document addresses the following aspects which are specific for biometric data capturing:
•   biometric data quality and interoperability assurance;
•   data authenticity assurance;
•   morphing and other presentation attacks and biometric data injection attacks;
•   accessibility and usability;
•   recognition algorithms and their evaluation;
•   privacy and data protection;
•   optimal process design.
The following aspects are out of scope:
•   other aspects of IT security;
•   data capturing for ID document enrolment purposes, e.g. passport or ID card enrolment.

  • Technical specification
    30 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 17489-2:2024(Main)
Secure and interoperable European Breeder Documents — Part 2: Data model
SIST-TS CEN/TS 17489-2:2025

This document specifies the abstract data model for breeder document data and the specific encodings of this abstract data model used in the CEN breeder document framework.
The abstract data model is a semantic description of the birth, marriage / partnership, and death certificate data, independently from their specific encoding. This abstract data model is extensible for further standardized and proprietary data of birth, marriage / partnership, and death certificates as well as for other types of breeder documents.
This abstract data model is technology agnostic, i.e. it is applicable for paper-based, server-based, and hardware-based breeder documents as well as further breeder document designs and technologies.
The specific encodings of this abstract data model comprise the encodings to be used for the machine readable technologies specified in part 3 of the framework as well as the encoding of human readable breeder document data. These encodings are used in the birth, marriage / partnership, and death certificate profiles specified in part 4 of the framework.

  • Technical specification
    25 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 18099:2024(Main)
Biometric data injection attack detection
SIST-TS CEN/TS 18099:2025

This document provides an overview on:
-   Definitions on Biometric Data Injection Attack,
-   Biometric Data Injection Attack use case on main biometric system hardware for enrolment and verification,
-   Injection Attack Instruments on systems using one or several biometric modalities.
This document provides guidance on:
-   System for the detection of Injection Attack Instruments (defined in 3.12),
-   Appropriate mitigation risk of Injection Attack Instruments,
-   Creation of test plan for the evaluation of Injection Attack Detection system (defined in 3.9).
If presentation attacks testing is out of scope of this document, note that these two characteristics are in the scope of this document:
-   Presentation Attack Detection systems which can be used as injection attack instrument defence mechanism and/or injection attack method defence mechanism. Yet, no presentation attack testing will be performed by the laboratory to be compliant with this document (out of scope).
-   Bona Fide Presentation testing in order to test the ability of the Target Of Evaluation to correctly classify legitimate users.
The following aspects are out of scope:
-   Presentation Attack testing (as they are covered in ISO/IEC 30107 standards),
-   Biometric attacks which are not classified as Type 2 attacks (see Figure 1),
-   Evaluation of implementation of cryptographic mechanisms like secure elements,
-   Injection Attack Instruments rejected due to quality issues.

  • Technical specification
    37 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 18108:2024(Main)
Personal identification - Usage of biometrics in breeder documents
SIST-TP CEN/TR 18108:2025

This document provides guidance on usage of biometrics in breeder documents, in particular regarding
-   encoding of biometric reference data;
-   data quality maintenance for biometric reference data;
-   data authenticity maintenance for biometric reference data; and
-   privacy preservation of biometric reference data.
This document addresses advantages and disadvantages of biometric modes, in particular regarding
-   verification performance;
-   privacy impact;
-   feasibility of biometric acquisition considering the age of the capture subjects;
-   limits of validity and need for updating biometric reference data.
The following aspects are out of scope:
-   format and structure of breeder documents;
-   general security aspects, which are covered in CEN/TS 17489-1 [1].

  • Technical report
    18 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 18030:2023(Main)
Personal identification - Biometrics - Overview of biometric verification systems implemented across Europe
SIST-TP CEN/TR 18030:2024

This Technical Report provides an overview of the current deployment of biometric systems within Europe. It addresses the challenges that are being faced, in order to detect the current needs for improving the specifications for the implementation and deployment of biometric systems. This Technical Report considers all kind of deployments, from border control to ad-hoc services. As most of the deployed systems are based on the use of fingerprints or face recognition, this Technical Report will focus on these two biometric modalities, from the system integrator and interoperability points of view.
Identity documents, in terms of production, structure, interoperability, etc., are out of the scope of this TR. The TR is focused on the performance at system level.
The current European legislative initiatives around this topic (e.g., Entry/Exit System, framework for interoperability between EU information systems, etc.) need a robust framework study about the availability of standard technologies to improve interoperability in biometric products around the European Union.
By showing these needs, a set of recommendations for future standardization works is provided.
From a methodological perspective, the report gathers information of different entities with this classification:
- Capture/enrolment of biometrics including the quality assurance and the generation of feature or biometric models from the images.
- Best practices and guidelines to use biometrics in Europe.
- Data Quality environment using biometrics in European networks.

  • Technical report
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TR 17982:2023(Main)
European Digital Identity Wallets standards Gap Analysis
SIST-TP CEN/TR 17982:2024

This document identifies relevant existing standards and standards work in progress around European Digital Identity Wallets. It also identifies missing work items and overlaps in standards and is supposed to work as a roadmap for future standardization projects in the area.

  • Technical report
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 2382-37:2023(Main)
Information technology - Vocabulary - Part 37: Biometrics (ISO/IEC 2382-37:2022)
SIST EN ISO/IEC 2382-37:2024

This document establishes a systematic description of the concepts in the field of biometrics pertaining to recognition of human beings. This document also reconciles variant terms in use in pre-existing International Standards on biometrics against the preferred terms, thereby clarifying the use of terms in this field.
This document does not cover concepts (represented by terms) from information technology, pattern recognition, biology, mathematics, etc. Biometrics uses such fields of knowledge as a basis.
In principle, mode-specific terms are outside of scope of this document.

  • Standard
    42 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 17661:2021(Main)
Personal identification – European enrolment guide for biometric ID documents (EEG)
SIST-TS CEN/TS 17661:2022

This document consolidates information relating to successful and high quality biometric enrolment processes of facial and fingerprint systems, while indicating risk factors and providing appropriate mitigations. This information supports decisions regarding procurement, design, deployment and operation of these biometric systems.
This document provides guidance on:
—   capturing of facial images to be used as reference images in identity and secure documents;
—   capturing of fingerprint images to be used as reference images in identity and secure documents;
—   data quality maintenance for biometric reference data;
—   data authenticity maintenance for biometric reference data.
The document addresses the following aspects which are specific for biometric reference data capturing:
—   biometric data quality and interoperability ensurance;
—   data authenticity ensurance;
—   morphing and other presentation attack detection as well as other unauthorized changes;
—   accessibility and usability;
—   privacy and data protection;
—   optimal enrolment design.
The following aspects are out of scope:
—   IT security;
—   data capturing for verification purposes, e.g. in ABC gates;
—   capturing biometric data for enrolment in other systems different from data enrolment for integration in secure MRTD, like entry/exit systems.
This document consolidates the role of the enrolment process in a biometric system and differentiates the enrolment from the authentication, while mentioning key factors of the enrolment process that are feature independent.
Interests of the existing stakeholders are broken down and provide an insight on different views of the enrolment. In addition, organisational enrolment approaches are covered.
This document is not concerned with IT requirements or the capturing of biometric data for inspection, identification or verification purposes without the required step of creating an identity document using the captured data.

  • Technical specification
    73 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 17631:2021(Main)
Personal identification - Biometric group access control
SIST-TS CEN/TS 17631:2021

This document provides guidance on providing access:
— to areas with physical access control, e.g. entertainment facilities, train stations, shops, libraries, banks, or border control,
— for small groups of persons, e.g. families with small children or seniors, or other accompanied persons in need of support,
— by means of biometric authentication technologies, e.g. facial, fingerprint, or vein recognition,
— in the European regulatory context.
The document addresses the following aspects, which are specific for biometric and group access:
— accessibility and usability,
— user guidance including group guidance and interaction control,
— privacy including data set content,
— presentation attack detection,
— applicable biometric technologies,
— storage of reference data,
— biometric process integration,
— specific needs considering biometrics for groups,
— biometric performance and error rates, and
— group internal linkage.
The following aspects which reflect on generic access control issues are out of scope:
— IT security,
— application specific physical security,
— policy definition,
— processes not related to biometric authentication, and
— specific performance requirements of identification (1:N) and verification (1:1) applications.

  • Technical specification
    18 pages
    English language
    sale 10% off
    e-Library read for
    1 day