ISO/IEC 24745:2011

INTERNATIONAL ISO/IEC
STANDARD 24745
First edition
2011-06-15


Information technology — Security
techniques — Biometric information
protection
Technologies de l'information — Techniques de sécurité — Protection
des informations biométriques




Reference number
ISO/IEC 24745:2011(E)
©
ISO/IEC 2011

---------------------- Page: 1 ----------------------
ISO/IEC 24745:2011(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2011 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 24745:2011(E)
Contents Page
Foreword .v
Introduction.vi
1 Scope.1
2 Terms and definitions .1
3 Abbreviated terms .5
4 Biometric systems.6
4.1 Introduction to biometric systems .6
4.2 Biometric system operations .8
4.3 Biometric references and identity references .10
4.4 Biometric systems and identity management systems .10
4.5 Personally identifiable information and universal unique identifiers.11
4.6 Societal considerations .11
5 Security aspects of a biometric system.12
5.1 Security requirements for biometric systems to protect biometric information.12
5.2 Security threats and countermeasures in biometric systems.13
5.3 Security of data records containing biometric information.16
6 Biometric information privacy management .20
6.1 Biometric information privacy threats .20
6.2 Biometric information privacy requirements and guidelines .20
6.3 Regulatory and policy requirements .21
6.4 Biometric information lifecycle privacy management.21
6.5 Responsibilities of a biometric system owner .23
7 Biometric system application models and security .24
7.1 Biometric system application models.24
7.2 Security in each biometric application model.25
Annex A (informative) Secure binding and use of separated DB and DB .37
IR BR
A.1 General .37
A.2 Secure Binding between Separated DB and DB .37
IR BR
A.3 BR claim for verification .38
A.4 IR claim for identification.39
Annex B (informative)  Cryptographic algorithms for security of biometric systems.40
B.1 Cryptographic algorithms providing confidentiality .40
B.2 Cryptographic algorithms providing integrity.40
B.3 Cryptographic algorithms providing confidentiality and integrity.40
Annex C (informative) Framework for renewable biometric references .41
C.1 Renewable biometric references .41
C.2 Creation .41
C.3 Comparison.42
C.4 Expiration .42
C.5 Revocation .42
C.6 Architecture overview.43
Annex D (informative) Technology examples for renewable biometric references.44
D.1 Overview.44
© ISO/IEC 2011 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 24745:2011(E)
Annex E (informative) Biometric watermarking .46
E.1 Biometric watermarking.46
E.2 Insertion and extraction of a biometric watermark .46
E.3 Application examples.47
Bibliography .48


iv © ISO/IEC 2011 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 24745:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 24745 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.

© ISO/IEC 2011 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC 24745:2011(E)
Introduction
As the Internet becomes a more pervasive part of daily life, various services are being provided via the
Internet, such as Internet banking, remote healthcare, etc. In order to provide these services in a secure
manner, the need for authentication mechanisms between subjects and the service being provided becomes
even more critical. Some of the authentication mechanisms already developed include token based schemes,
personal identification and transaction numbers (PIN/TAN), digital signature schemes based on public key
cryptosystems, and authentication schemes using biometric techniques.
Biometrics – the automated recognition of individuals based on their behavioural and physiological
characteristics – has come of age, and includes recognition technologies based on fingerprint image, voice
patterns, iris image, facial image, and the like. The cost of biometric techniques has been decreasing while
their reliability has been increasing, and both are now acceptable and viable for use as an authentication
mechanism.
Biometric authentication introduces a potential discrepancy between privacy and authentication assurance.
On the one hand, biometric characteristics are ideally an unchanging property associated with and distinct to
an individual. This binding of the credential to the person provides strong assurance of authentication. On the
other hand, this strong binding also underlies the privacy concerns surrounding the use of biometrics, such as
unlawful processing of biometric data, and poses challenges to the security of biometric systems to prevent
the compromise of biometric references. The usual solution to the compromise of an authentication
credential – to change the password or issue a new token – is not generally available for biometric
authentication because biometric characteristics, being either intrinsic physiological properties or behavioural
traits of individuals, are difficult or impossible to change. At most another finger or eye could be enrolled, but
the choices are usually limited. Therefore, appropriate countermeasures to safeguard the security of a
biometric system and the privacy of data subjects are essential.
Biometric systems usually bind a biometric reference with other personally identifiable information (PII) for
authenticating individuals. In this case, the binding is needed to assure the security of the data record
containing biometric information. The increasing linkage of biometric references with other PII and the sharing
of biometric information across legal jurisdictions make it extremely difficult for organizations to assure the
protection of biometric information and to achieve compliance with various privacy regulations.

vi © ISO/IEC 2011 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO/IEC 24745:2011(E)

Information technology — Security techniques — Biometric
information protection
1 Scope
This International Standard provides guidance for the protection of biometric information under various
requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally,
this International Standard provides requirements and guidelines for the secure and privacy-compliant
management and processing of biometric information.
This International Standard specifies the following:
⎯ analysis of the threats to and countermeasures inherent in a biometric and biometric system application
models;
⎯ security requirements for securely binding between a biometric reference and an identity reference;
⎯ biometric system application models with different scenarios for the storage and comparison of biometric
references; and
⎯ guidance on the protection of an individual's privacy during the processing of biometric information.
This International Standard does not include general management issues related to physical security,
environmental security and key management for cryptographic techniques.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
authentication
process of establishing an understood level of confidence that a specific entity or claimed identity is genuine
NOTE 1 Authentication includes the process of ascertaining an understood level of confidence of the truth of a claimed
identity before the entity can be registered and recognized in a domain.
NOTE 2 Although this definition is generic, its use within this International Standard is limited to the biometric
authentication of human subjects.
[ISO 19092:2008]
2.2
auxiliary data
AD
subject-dependent data that is part of a renewable biometric reference and may be required to reconstruct
pseudonymous identifiers during verification, or for verification in general
NOTE 1 If auxiliary data is part of a renewable biometric reference, it is not necessarily stored in the same place as the
corresponding pseudonymous identifiers.
© ISO/IEC 2011 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC 24745:2011(E)
NOTE 2 Auxiliary data may contain data elements for diversification (i.e. diversification data).
NOTE 3 Auxiliary data is not the element for comparison during biometric reference verification.
NOTE 4 Auxiliary data are generated by the biometric system during enrolment.
EXAMPLE Secret number encrypted by a key derived from a biometric sample using a helper data approach, fuzzy
commitment scheme, or fuzzy vault. See Annex D, Table D.1 for concrete examples of PI and AD.
2.3
biometric characteristic
physiological or behavioural characteristic of an individual that can be detected and from which distinguishing,
repeatable biometric features can be extracted for the purpose of automated recognition of individuals
[ISO/IEC JTC 1/SC 37 SD2 (v.11)]
2.4
biometric data
biometric sample, biometric feature, biometric model, biometric property, other description data for the original
biometric characteristics, or aggregation of above data
[ISO/IEC JTC 1/SC 37 SD2 (v.11)]
2.5
biometric data subject
subject
individual whose biometric reference is within the biometric system
2.6
biometric feature
numbers or labels extracted from biometric samples and used for comparison
[ISO/IEC JTC 1/SC 37 SD2 (v.11)]
2.7
biometric information privacy
right to control the collection, transfer, use, storage, archiving, disposal and renewal of one's own biometric
information throughout its lifecycle
2.8
biometric model
stored function (dependent on the biometric data subject) generated from a biometric feature or features
NOTE Comparison applies the stored function to the biometric features of a probe biometric sample to give a
comparison score.
EXAMPLE Examples of stored functions include Hidden Markov Models, Gaussian Mixture Models or Artificial
Neural Networks.
[ISO/IEC JTC 1/SC 37 SD2 (v.11)]
2.9
biometric property
descriptive attributes of the biometric data subject estimated or derived from the biometric sample by
automated means
EXAMPLE Fingerprints can be classified by the biometric properties of ridge-flow (i.e. arch, whorl, and loop types);
face images can be used for estimating age or gender.
[ISO/IEC JTC 1/SC 37 SD2 (v.11)]
2 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC 24745:2011(E)
2.10
biometric reference
BR
one or more stored biometric samples, biometric templates or biometric models attributed to a biometric data
subject and used for comparison
NOTE A biometric reference that can be renewed is referred to as a renewable biometric reference.
EXAMPLE Face image on a passport; fingerprint minutiae template on a National ID card; Gaussian Mixture Model,
for speaker recognition, in a database.
[ISO/IEC JTC 1/SC 37 SD2 (v.11)]
2.11
biometric sample
analog or digital representation of biometric characteristics obtained from a biometric capture device or
biometric capture subsystem prior to biometric feature extraction
[ISO/IEC JTC 1/SC 37 SD2 (v.11)]
2.12
biometric system
system for the purpose of the automated recognition of individuals based on their behavioural and
physiological characteristics
2.13
biometric template
set of stored biometric features comparable directly to probe biometric features
2.14
claim
assertion of identity
2.15
claimant
individual making a claim of identity
NOTE Claims can be verified in a number of ways, some of which may be based on biometrics.
2.16
common identifier
identifier for correlating identity references and biometric references in physically or logically separated
databases
2.17
diversification
deliberate creation of multiple, independent, transformed biometric references from one or more biometric
samples obtained from one data subject for the purposes of security and privacy enhancement
2.18
identification
〈biometrics〉 process of performing a biometric search against an enrolment database to find and return the
identity reference attributable to a single individual
2.19
identifier
one or more attributes that uniquely characterize an entity in a specific domain
EXAMPLES The name of a club with a club-membership number, a health insurance card number together with the
name of the insurance company, an IP address, and a universal unique identifier.
© ISO/IEC 2011 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC 24745:2011(E)
2.20
identity
set of properties or characteristics of an entity that can be used to describe its state, appearance or other
qualities
2.21
identity management system
IdMS
system controlling entity identity information throughout the information lifecycle in one domain
2.22
identity reference
IR
non-biometric attribute that is an identifier with a value that remains the same for the duration of the existence
of the entity in a domain
2.23
irreversibility
property of a transform that creates a biometric reference from a biometric sample(s) or features such that
knowledge of the transformed biometric reference cannot be used to determine any information about the
generating biometric sample(s) or features
2.24
personally identifiable information
PII
any information
⎯ that identifies or can be used to identify, contact, or locate the person to whom such information pertains,
⎯ from which identification or contact information of an individual person can be derived, or
⎯ that is or might be directly or indirectly linked to a natural person
1)
[ISO/IEC 29100:— ]
2.25
pseudonymous identifier
PI
part of a renewable biometric reference that represents an individual or data subject within a certain domain
by means of a protected identity that can be verified by means of a captured biometric sample and the
auxiliary data (if any)
NOTE 1 A pseudonymous identifier does not contain any information that allows retrieval of the original biometric
sample, the original biometric features, or the true identity of its owner.
NOTE 2 The pseudonymous identifier has no meaning outside the service domain.
NOTE 3 Encrypted biometric data with a cipher that allows retrieval of the plain-text data is not a pseudonymous
identifier.
NOTE 4 A pseudonymous identifier is the element for comparison during biometric reference verification.
NOTE 5 See Annex D, Table D.1 for examples of PI and AD.

1) To be published.
4 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC 24745:2011(E)
2.26
pseudonymous identifier encoder
PIE
system, process or algorithm that generates a renewable biometric reference consisting of a pseudonymous
identifier (PI) and possibly auxiliary data (AD) based on a biometric sample or biometric template
2.27
renewability
property of a transform or process to create multiple, independent transformed biometric references derived
from one or more biometric samples obtained from the same data subject and which can be used to recognize
the individual while not revealing information about the original reference
2.28
renewable biometric reference
revocable or renewable identifier that represents an individual or data subject within a certain domain by
means of a protected binary identity (re)constructed from the captured biometric sample
NOTE A renewable biometric reference consists of a pseudonymous identifier and additional optional data elements
required for biometric verification or identification such as auxiliary data.
2.29
revocability
ability to prevent future successful verification of a specific biometric reference and the corresponding identity
reference
NOTE Rejection of an entity may occur on the grounds of its appearance on a revocation list.
2.30
secure channel
communication channel providing the confidentiality and authenticity of exchanged messages
2.31
token
physical device storing biometric reference and in some cases performing on-board biometric comparison
EXAMPLES Smart card, USB memory stick or RFID chip in e-passport.
2.32
unlinkability
property of two or more biometric references that they cannot be linked to each other or to the subject(s) from
which they were derived
2.33
verification
〈biometrics〉 process of confirming a claim that an individual who is the subject of a biometric capture process
is the source of a claimed identity reference
3 Abbreviated terms
AD Auxiliary Data
AFIS Automated Fingerprint Identification Systems
BR Biometric Reference
BIR Biometric Information Record
CI Common Identifier
© ISO/IEC 2011 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC 24745:2011(E)
OCC On-Card Comparison
DB Database containing Biometric Reference
BR
DB Database containing Identity Reference
IR
IdMS Identity Management System
IR Identity Reference
MAC Message Authentication Code
PDA Personal Digital Assistant
PET Privacy Enhancing Technology
PI Pseudonymous Identifier
PIC Pseudonymous Identifier Comparator
PIE Pseudonymous Identifier Encoder
PII Personally Identifiable Information
PIR Pseudonymous Identifier Recoder
RBR Renewable Biometric Reference
RFID Radio Frequency Identification
TTP Trusted Third Party
USB Universal Serial Bus
UUID Universal Unique Identifier
An arrow represents either a simple information flow of data x or initiation of an interactive protocol
x
whose exchanged data may depend on the whole or a part of x.
NOTE 1 x may be encrypted when a secure messaging system such as ISO/IEC 7816-4 is used.
NOTE 2 The interactive protocol may not transfer any information on x when, for example, a zero-knowledge technique is
used.
4 Biometric systems
4.1 Introduction to biometric systems
Biometric systems perform the automated recognition of individuals based on one or more physiological
(physical properties of the body such as fingerprints) and/or behavioural (things an individual does, such as
walking) characteristics.
Physiological characteristics include but are not limited to:
⎯ fingerprint,
⎯ face,
⎯ iris,
⎯ hand geometry,
⎯ hand/finger vein,
⎯ retina,
6 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 12 ----------------------
ISO/IEC 24745:2011(E)
⎯ DNA, and
⎯ palm print,
and behavioural characteristics include but are not limited to:
⎯ signature,
⎯ gait, and
⎯ voice.
The following are desirable properties of biometric characteristics that lead to good subject discrimination and
reliable recognition performance [4]:
⎯ universality: Every individual should have the characteristic;
⎯ uniqueness: Every individual should have a distinguishable characteristic;
⎯ permanence: The characteristics should not show variance with time, e.g. variance over time;
⎯ collectability: The characteristics should be easily collected from the subjects; and
⎯ repeatability: The characteristics should be sufficiently distinct and repeatable to achieve successful
recognition of the subject.
From an application point of view, the following additional properties should also be taken into account:
⎯ performance, which mainly refers to the success rate in recognizing individuals;
⎯ acceptability, which represents the level of willingness by the subject to use the biometric system; and
⎯ spoof resistance, which indicates how difficult it is to use a replica of the biometric characteristic to
circumvent the biometric system.
For verifying and/or identifying an individual a biometric system processes one or more probe samples for
comparison against stored biometric reference(s). The biometric reference could be a biometric sample (e.g.,
an image representing the biometric characteristic) or a set of biometric features (i.e., a template that is
derived from the image) or it could be a biometric model composed from the features.
Specifically, physiological biometric characteristics are very difficult to alter, so their compromise can have
permanent consequences for the individual in applications in which immutability of the characteristic is
assumed.
© ISO/IEC 2011 – All rights reserved 7

---------------------- Page: 13 ----------------------
ISO/IEC 24745:2011(E)
4.2 Biometric system operations
Data Storage
Subsystem
Individual
Identity Reference
Identity Claim
DB
IR
Identity Registration
IR Claim
IR & BR
Association BR Claim
Comparison
Subsystem
Comparison
DB
BR
Decision
Biometric
Comparison
Subsystem
Reference
Score(s)
Signal
Data Capture
Processing Biometric
Subsystem
Features
Biometric
Subsystem
Reference
Match? Candidate?
Presentation
Reference
Creation
Threshold
Biometric
Characteristics
Biometric Match/
(Candidate
Features Non-
match List)
Quality Control
Sensor
Feature Extraction
Segmentation
Verified? Identified?
Decision
Policy
Verification Identification
Captured
Outcome Outcome
Biometric
Enrolment
Sample
Verification
Identification

Figure 1 — Conceptual structure of a biometric system
The overall operation of a biometric system is depicted in Figure 1, which is an expanded version of the
original one given in ISO/IEC SC37 SD11 [18], to highlight the processing of the identity reference.
The biometric system usually consists of five subsystems.
⎯ A biometric data capture subsystem, which contains biometric capture devices or sensors for collecting
signals from a biometric characteristic and converting them into a biometric sample such as a fingerprint
image, facial image or voice recording.
⎯ A signal processing subsystem, which extracts biometric features from a biometric sample with the intent
of outputting numbers or labels which can be compared with those extracted from other biometric samples.
Here, the biometric feature extracted in the enrolment process is stored in the data storage subsystem as
a biometric reference for the identification and verification process.
⎯ A data storage subsystem, which serves primarily as an enrolment database where the linking of the
enrolled biometric references to the identity reference occurs. The data may contain biometric data and
also non-biometric data such as the identity reference related to the subject. In practice, DB and DB
IR BR
are often logically or physically separated for reasons of security and privacy concerns. A more detailed
description of binding DB with DB is given in Annex A.
IR BR
⎯ A comparison subsystem, which determines the similarity between captured biometric samples (or derived
features) and stored biometric references. In the case of the one-to-one comparison used in the
verification process, a captured biometric sample is compared with a stored biometric reference from a
biometric data subject to produce a comparison score. However, in the one-to-many comparison used in
the identification process, an extracted feature of a biometric data subject is compared against a set of
biometric references of more than one biometric data subject to return a set of comparison scores.
8 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 14 ----------------------
ISO/IEC 24745:2011(
...