Biometric authentication for critical infrastructure access control - Requirements and Evaluation

The technical specification
i) Specifies design, performance and attack resistance requirements for biometric systems used as part of an automated access control system protecting access to Critical Infrastructure (defined in Council directive 2008 /114 / EC)
ii) Describes methodologies for evaluation of biometric access control products against these requirements

Biometrische Authentifikation für die Zugangskontrolle zu kritischen Infrastrukturen - Anforderungen und Evaluierung

Authentification biométrique pour le contrôle d'accès aux infrastructures critiques - Exigences et évaluation

Biometrična avtentikacija za nadzor kritične infrastrukture - Zahteve in ovrednotenje


General Information

Status: Published
Publication Date: 08-Jan-2019
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 03-Jan-2019
Due Date: 10-Mar-2019
Completion Date: 09-Jan-2019

Technical specification
SIST-TS CEN/TS 17261:2019
English language
18 pages
Standards Content (sample)

SLOVENIAN STANDARD
SIST-TS CEN/TS 17261:2019
01-February-2019

Biometrična avtentikacija za nadzor kritične infrastrukture - Zahteve in ovrednotenje

Biometric authentication for critical infrastructure access control - Requirements and Evaluation

Biometrische Authentifikation für die Zugangskontrolle zu kritischen Infrastrukturen - Anforderungen und Evaluierung

Authentification biométrique pour le contrôle d'accès aux infrastructures critiques - Exigences et évaluation

This Slovenian standard is identical to: CEN/TS 17261:2018

ICS: 35.240.15 Identification cards. Chip cards. Biometrics

SIST-TS CEN/TS 17261:2019 en,fr,de

2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

TECHNICAL SPECIFICATION
SPÉCIFICATION TECHNIQUE
TECHNISCHE SPEZIFIKATION

CEN/TS 17261
December 2018
ICS 35.240.15
English Version

Biometric authentication for critical infrastructure access control - Requirements and Evaluation

Authentification biométrique pour le contrôle d'accès aux infrastructures critiques - Exigences et évaluation

Biometrische Authentifikation für die Zugangskontrolle zu kritischen Infrastrukturen - Anforderungen und Evaluierung

This Technical Specification (CEN/TS) was approved by CEN on 10 September 2018 for provisional application.

The period of validity of this CEN/TS is limited initially to three years. After two years the members of CEN will be requested to submit their comments, particularly on the question whether the CEN/TS can be converted into a European Standard.

CEN members are required to announce the existence of this CEN/TS in the same way as for an EN and to make the CEN/TS available promptly at national level in an appropriate form. It is permissible to keep conflicting national standards in force (in parallel to the CEN/TS) until the final decision about the possible conversion of the CEN/TS into an EN is reached.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels

© 2018 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. CEN/TS 17261:2018 E
CEN/TS 17261:2018 (E)
Contents

European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Conformance
6 Typical use-case
7 Requirements and recommendations
7.1 General
7.2 Design
7.2.1 General
7.2.2 Protection of access to biometric server, biometric data and functions of the biometric subsystem
7.2.3 Operator/Administrator control and authentication
7.2.4 Door unit
7.2.5 Biometric enrolment, re-enrolment and deletion
7.2.6 Biometric recognition
7.3 Operation
7.3.1 General
7.3.2 Identity assurance for enrolment
7.3.3 Enrolment process
7.3.4 Fallback authentication
7.4 Technical performance
7.4.1 General
7.4.2 Failure to enrol rate
7.4.3 Enrolment transaction duration
7.4.4 False accept rate
7.4.5 False reject rate
7.4.6 Verification transaction duration
7.5 Attack resistance
7.5.1 General
7.5.2 Resistance to tamper
7.5.3 Resistance to presentation attack
7.6 Performance and attack resistance requirements
8 Testing and reporting
8.1 System information and documentation
8.2 Configuration of system for testing
8.2.1 Scenario AACS
8.2.2 Configuration of biometric systems under test
8.3 Outline of test processes
8.3.1 Pretesting
8.3.2 Scenario performance evaluation
8.3.3 Attack resistance evaluation
Bibliography

European foreword

This document (CEN/TS 17261:2018) has been prepared by Technical Committee CEN/TC 224 “Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment”, the secretariat of which is held by AFNOR.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organisations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Introduction

This document is concerned with the performance-based testing of biometric authentication for automated access control systems (AACS), in particular for physical access control to controlled areas of Critical Infrastructure as defined by the European Council Directive 2008/114/EC [7].

It is assumed that biometric recognition constitutes a second authentication factor alongside token-based authentication and that the AACS requires the results of the biometric and token-based authentication of the same individual before authorizing access. The biometric+token combination emulates a biometric verification system. The token presentation constitutes the biometric claim that the capture subject is the bodily source of the biometric reference associated with the token ID. Accordingly, technical performance of the biometric authentication is assessed in terms of verification metrics, i.e. False Accept Rate, False Reject Rate, Failure-to-Enrol Rate and throughput rates. Technical performance requirements and evaluation methods should be identical irrespective of the biometric technology.

Biometric subsystems should also be evaluated in terms of their vulnerability to defeat. This is to be assessed through measuring a system’s capacity to resist a direct attack on it or detect an intrusion attempt by a knowledgeable attacker intent on defeating the biometric authentication. Since method of attack is dependent on the biometric technology, vulnerability to defeat is assessed in a technology-specific manner.

The results of an evaluation performed using this document relate to the system’s performance in that the evaluation should not be used as a guarantee of the performance that would be expected on any other site.
1 Scope

This document addresses biometric recognition systems that are used as part of an automated access control system to provide a second and independent authentication factor of the individual using the AACS to access secured areas of critical infrastructure.

This document:

— specifies requirements for biometric recognition systems to be used as part of an AACS for critical infrastructure,

— describes a methodology for the evaluation of biometric authentication for AACSs against the specified requirements.

The requirements and test methods address biometric authentication for AACS that: (i) operate in an internal environment constituting part of a larger site, access to which is restricted and controlled by a separate access control system; and (ii) use biometrics as a second authentication factor to a token or proximity card.

This document does not consider access by the general public, e.g. passengers in an airport, or visitors to a hospital.

Products that meet the requirements of this document will comprise (i) a biometric sensor(s) external to the secured area, which reads the biometric characteristics of the user at the point of access; and (ii) a biometric server system performing biometric enrolment, signal processing, storage of biometric references and biometric comparison within a secured area.

This document does not address AACS or AACS portals (turnstiles) but is only concerned with the biometric components which integrate with the AACS. Other standards address requirements and testing of the non-biometric parts of the AACS.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 2382-37, Information technology — Vocabulary — Part 37: Biometrics

ISO/IEC 30107-3:2017, Information technology — Biometric presentation attack detection — Part 3: Testing and reporting
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 2382-37:2017 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at https://www.iso.org/obp

3.1
attack potential
measure of the effort to be expended in attacking a target of evaluation (TOE), expressed in terms of an attacker's expertise, resources and motivation
[SOURCE: ISO/IEC 15408-1:2009]

3.2
critical infrastructure
asset, system or a part thereof that is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people and the disruption or destruction of which would have a significant impact as a result of the failure to maintain those functions

3.3
enrolment transaction duration
measurement of the duration of an enrolment transaction, starting when the enroller begins an interaction with the biometric enrolment system to conduct the enrolment (e.g., authenticating as a valid enroller on the system) and ending when the enrolee's biometric reference is stored in the system, or when a failure-to-enrol is declared

3.4
evaluation laboratory
organisation that carries out the evaluation

3.5
false accept rate
FAR
proportion of non-mated verification transactions erroneously confirmed
[SOURCE: ISO/IEC 19795-1:2006, modified to harmonise with the vocabulary of ISO/IEC 2382-37]

3.6
false reject rate
FRR
proportion of mated verification transactions erroneously rejected
[SOURCE: ISO/IEC 19795-1:2006, modified to harmonise with the vocabulary of ISO/IEC 2382-37]

Note 1 to entry: Rejections due to failure-to-acquire errors or to false alarms in spoof detection are included in the false reject rate.
3.7
generalized false reject rate
GFRR
generalization of the false reject rate that includes the effect of enrolment failures: the test participants who the system failed to enrol are considered to have made verification transactions equivalent to those of enrolled test subjects, and these verification transactions are considered to have failed

3.8
habituated capture subject
biometric subject familiar with using the biometric device

Note 1 to entry: Transaction times and success rates for habituated test subjects will be consistent with those experienced in their regular use of the system.

3.9
impostor attack presentation match rate
IAPMR
proportion of impostor attack presentations, using the same attack method, in which the target reference is matched
[SOURCE: ISO/IEC 30107-3:2017 (“PAI species” changed to “attack method”)]

3.10
mated verification transaction
verification transaction in which the accompanying token (i.e., biometric claim) corresponds to the capture subject

Note 1 to entry: Mated verification transactions have historically been called genuine transactions.

3.11
non-mated verification transaction
verification transaction in which the accompanying token (i.e., biometric claim) does not correspond to the capture subject

Note 1 to entry: Non-mated verification transactions have historically been called (zero-effort) “impostor” transactions.

3.12
presentation attack
presentation to the biometric capture subsystem with the goal of interfering with the correct operation of the biometric system

Note 1 to entry: In the context of this document, the goal of a presentation attack is impersonation of another enrolled individual. A presentation attack can be implemented through a variety of methods, e.g. artefact, mutilation, replay, etc.

3.13
verification transaction duration
measurement of the duration of a verification transaction, starting when the subject begins interaction with the biometric capture device and ending when the biometric system renders a final transaction decision
3.14
secured area
area or facility to which access is restricted to authorised roles under the security policy

EXAMPLE Data centres, communication rooms, command and control facilities.

Note 1 to entry: In this document, secured areas do not include areas accessible to the general public, e.g. passengers in an airport, or visitors to a hospital.

3.15
supplier
organisation or person that provides the product under evaluation and provides support during the evaluation term

4 Symbols and abbreviations

For the purposes of this document, the following abbreviations apply.

AACS Automated Access Control System
FAR False Accept Rate
FRR False Reject Rate
FTER Failure to Enrol Rate
GFRR Generalized False Reject Rate
IAPMR Impostor Attack Presentation Match Rate
IAPMR_BASIC Maximum value of IAPMR over all tested attack methods at attack potential BASIC or below

5 Conformance

A biometric subsystem integrated into an AACS conforms to the specifications of this document if:

a) it meets all requirements contained in 7.2,

b) the performance and attack resistance metrics specified in Table 1 have been tested and reported in accordance with the requirements of 7.4, 7.5 and Clause 8 and

c) the performance and attack resistance meets the baseline performance levels specified in 7.6, Table 1.

6 Typical use-case

This document addresses Automated Access Control Systems operating in an internal environment constituting part of a larger site, where biometric authentication is used as a second authentication factor working independently of authentication by token or proximity card.

Authorized individuals are issued with tokens for use by the AACS and are also enrolled into the biometric system.

The biometric enrolment records the biometric characteristics of an individual and generates a biometric reference against which future comparisons can be made. This reference is stored together with the system identifier for that individual. The organization's Security Policy will specify the credentials that an individual needs to provide to show eligibility for biometric enrolment. The Security Policy may also allow for re-enrolment to update an individual's biometric reference when required.

Access control tokens/cards together with biometric recognition will be required to allow entrance to (or exit from) the secured area(s).
7 Requirements and recommendations
7.1 General

Requirements and recommendations for the biometric authentication subsystem are divided into requirements and recommendations regarding:

— the design,
— the operation,
— the performance and
— the attack resistance.

7.2 Design
7.2.1 General

The biometric system shall provide functionality to support the design requirements given in 7.2.2 to 7.2.6.

7.2.2 Protection of access to biometric server, biometric data and functions of the biometric subsystem

The biometric server shall be located within a secured area. To avoid the need to evaluate against the possibility of cyberattack, the server shall have no data connections outside the secured area other than to biometric door units (e.g. Wi-Fi connection between components or cloud storage of biometric references and transactions logs are prohibited).

To maintain independence between token and biometric authentication, the biometric reference shall not be stored on the token.

7.2.3 Operator/Administrator control and authentication

Operator/administration functions shall take place on the biometric server system and shall not be available on the biometric door units external to the secured area.

The system shall be configured to verify the identity and the authority of staff operating the system (e.g. system administrator, enroller) immediately prior to:

— biometric enrolment or re-enrolment,
— the deletion of biometric references,
— backup and restoration of the biometric database,
— configuration of system parameters (e.g. comparison score thresholds, presentation attack detection settings, etc.) for the biometric component and
— the inspection of results logged by the system.

Operator authentication may be handled by the operating system of the computer on which the biometric server is installed, but a standalone system will need to provide operator authentication itself.

The method for operator authentication shall be independent of the biometric authentication allowing physical access to the secured area.

7.2.4 Door unit

Any part of the biometric door unit that is external to the secured area shall not house storage of biometric references, relay switches unlocking the access control system doors, or output connections that signal the recognized identity to the access control system.

The biometric door unit shall provide a tamper switch/tamper alarm. Opening the device or removing it from its mounting shall either signal a tamper alarm, or shall leave visible evidence of the tamper attack.

7.2.5 Biometric enrolment, re-enrolment and deletion

The enrolment process shall provide a capability for a duplicate check at enrolment (i.e. a check that the individual being enrolled does not already match a previously enrolled biometric reference).

For biometric modes such as fingerprint or iris, where the subject is able to present multiple instances (e.g. left or right iris, left or right index finger), the system shall allow for two (or more) instances to be enrolled and an individual shall enrol all possible instances.

When a user's access is no longer authorized, deletion of the user shall remove all copies of their biometric references from the system.

7.2.6 Biometric recognition

The biometric door unit may indicate success or failure of recognition to the biometric capture subject, but shall not display: biometric comparison scores, results of presentation attack detection, an image of the acquired biometric characteristics, or the identifier of the recognized individual.

The biometric system shall communicate to the underlying AACS the subject ID of each successful biometric recognition. The underlying AACS will permit access only when this biometric ID from the biometric sensor and token ID from the card reader correspond to the same individual.

In addition, the biometric system shall transmit to the underlying AACS security-relevant information such as tamper alerts, presentation attack alerts and failed recognition attempts to allow the AACS to take appropriate defensive measures (e.g. temporarily blocking a claimed ID in the case of multiple failures, possibly indicating a suspected exhaustion attack).
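
An added sketch (not part of CEN/TS 17261, and not a real product's API) of the AACS-side logic that 7.2.6 implies: access is granted only when the biometric subject ID and the token's subject ID agree, and repeated failures against one claimed ID block it temporarily. The class, the event names, the three policy constants and the deny-on-tamper behaviour are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy values; the specification does not set them on this page.
MAX_FAILURES = 3        # failures against one claimed ID before blocking
FAILURE_WINDOW_S = 60   # sliding window in which failures are counted
BLOCK_DURATION_S = 300  # length of the temporary block


@dataclass
class AccessController:
    token_owner: dict  # token ID -> subject ID, held by the AACS (never on the token)
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    blocked_until: dict = field(default_factory=dict)
    tampered_units: set = field(default_factory=set)

    def on_security_event(self, unit, kind, claimed_id, now):
        """Consume security-relevant information sent by the biometric system."""
        if kind == "tamper":
            self.tampered_units.add(unit)  # assumption: unit stays denied until serviced
            return
        if claimed_id is None:
            return
        # Failed recognitions and presentation attack alerts count against the claim.
        recent = self.failures[claimed_id]
        recent.append(now)
        while recent and now - recent[0] > FAILURE_WINDOW_S:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[claimed_id] = now + BLOCK_DURATION_S
            recent.clear()

    def decide(self, unit, token_id, biometric_subject_id, now):
        """biometric_subject_id is None when no successful recognition was reported."""
        if unit in self.tampered_units:
            return "deny:tamper"
        claimed = self.token_owner.get(token_id)
        if claimed is None:
            return "deny:unknown_token"
        if self.blocked_until.get(claimed, 0) > now:
            return "deny:blocked"
        if biometric_subject_id != claimed:
            self.on_security_event(unit, "failed_recognition", claimed, now)
            return "deny:no_biometric_match"
        return "grant"


def run_constructed_scenario():
    """Replay a constructed event sequence and return the decisions in order."""
    aacs = AccessController(token_owner={"T-100": "alice", "T-200": "bob"})
    out = [aacs.decide("door-1", "T-100", "alice", now=0)]
    for t in (10, 20, 30):  # three failed recognitions against bob's token
        out.append(aacs.decide("door-1", "T-200", None, now=t))
    out.append(aacs.decide("door-1", "T-200", "bob", now=40))   # inside the block
    out.append(aacs.decide("door-1", "T-200", "bob", now=330))  # block has expired
    aacs.on_security_event("door-1", "tamper", None, now=400)
    out.append(aacs.decide("door-1", "T-100", "alice", now=410))
    return out


if __name__ == "__main__":
    print(run_constructed_scenario())
```

The block is keyed on the claimed ID rather than on the door unit, so a legitimate holder of a different token is not locked out by failures against someone else's claim.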
7.3 Operation
7.3.1 General
The operator of an AACS shall meet the requirements given in 7.3.2 to 7.3.4.
7.3.2 Identity assurance for enrolment

Before enrolling a user in a critical infrastructure access control system, a high level of identity assurance shall be established by inspecting the user's ID card or similar measures.

7.3.3 Enrolment process

Biometric enrolment should follow the guidance for biometric enrolment in ISO/IEC TR 29196:2015. If a subject’s initial enrolment fails, or is deemed by the system to be of poor quality, or if the system is unable to reliably match the subject against their enrolled biometric reference immediately following enrolment, then at least one further attempt at enrolment shall be performed with the aim of acquiring satisfactory enrolment data.
7.3.4 Fallback authentication

As false reject errors can occur in biometric recognition and some authorized individuals could be unable to use biometric recognition for access control, the access control system shall offer yet another authentication method as a fallback. The fallback authentication process shall also meet the security requirements of the system. The way in which the security of the fallback authentication method is evaluated is out of scope of this document.
7.4 Technical performance
7.4.1 General
Performance metrics to be measured and reported are:
— FTER,
— average duration of enrolment transactions,
— FAR,
— GFRR,
— average duration of successful mated verification transaction and
— IAPMR_BASIC.
7.4.2 Failure to enrol rate

The proportion of test subjects for whom an enrolment could not be completed on the system shall be measured and reported.

The failure to enrol rate shall be measured and reported on the basis that multiple attempts at enrolment shall count as a single enrolment transaction. (Any need for multiple enrolment attempts is accounted for in increased enrolment transaction durations.) For the purposes of evaluation, a subject is considered to be properly enrolled if they have at least one biometric reference they can reliably use in the recognition of transactions made immediately following the enrolment.

The measured failure-to-enrol rate (per-subject FTER) shall meet the requirements or recommendations specified by the evaluation scheme. See, e.g., Table 1.

7.4.3 Enrolment transaction duration

The average enrolment transaction duration shall be measured and reported, but no performance requirement is set for enrolment duration. Reporting shall clarify whether durations include or exclude time required for test transactions immediately following enrolment.

7.4.4 False accept rate

The supplier’s preferred setting for the number of allowed retries should be used to determine both the FAR and GFRR performance.

The FAR for one-to-one non-mated verification transactions allowing the set number of attempts shall be calculated. (See 8.3.2 for method of calculation.)

The measured FAR shall meet the requirements specified by the evaluation scheme. See, e.g. Table 1.
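
An added example (not part of CEN/TS 17261 or of this catalogue page) that computes the metrics listed in 7.4.1 from a transaction log, following the definitions in Clause 3 and the per-subject FTER rule in 7.4.2. The calculation method of 8.3.2 is not reproduced in this sample, so the formulas are an interpretation of those definitions; the record layout, outcome labels and all sample data are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Verification:
    subject: str     # capture subject at the door unit
    claimed: str     # subject ID bound to the presented token (the biometric claim)
    attempts: tuple  # per-attempt outcome: "match", "no_match", "fta" or "pad_alarm"


def confirmed(txn, max_attempts):
    """A transaction is confirmed if any attempt within the retry limit matches."""
    return "match" in txn.attempts[:max_attempts]


def scenario_metrics(enrolment, verifications, max_attempts):
    """enrolment: subject -> list of enrolment attempt results (True = usable reference)."""
    n_subjects = len(enrolment)
    enrolled = {s for s, tries in enrolment.items() if any(tries)}
    n_failed = n_subjects - len(enrolled)
    # Per-subject FTER: repeated enrolment attempts count as one enrolment transaction.
    fter = n_failed / n_subjects

    mated = [t for t in verifications if t.subject == t.claimed]
    non_mated = [t for t in verifications if t.subject != t.claimed]
    # "fta" and "pad_alarm" attempts are not matches, so a mated transaction that
    # never matches because of them is a false reject (Note 1 to entry 3.6).
    false_rejects = sum(not confirmed(t, max_attempts) for t in mated)
    false_accepts = sum(confirmed(t, max_attempts) for t in non_mated)

    # GFRR (3.7): each subject who failed to enrol is credited with the average
    # number of mated transactions per enrolled subject, all counted as rejected.
    virtual = n_failed * len(mated) / len(enrolled)
    return {
        "FTER": fter,
        "FAR": false_accepts / len(non_mated),
        "FRR": false_rejects / len(mated),
        "GFRR": (false_rejects + virtual) / (len(mated) + virtual),
    }


def iapmr_basic(presentations):
    """presentations: (attack_method, basic_or_below, matched) tuples."""
    counts = defaultdict(lambda: [0, 0])  # method -> [matched, total]
    for method, basic_or_below, matched in presentations:
        if basic_or_below:  # methods above BASIC attack potential are excluded
            counts[method][0] += int(matched)
            counts[method][1] += 1
    per_method = {m: hit / total for m, (hit, total) in counts.items()}
    # IAPMR_BASIC is the worst (maximum) IAPMR over the remaining attack methods.
    return max(per_method.values()), per_method


# Constructed sample data, not results from any real evaluation.
ENROLMENT = {
    "S1": [True], "S2": [False, True], "S3": [True], "S4": [True],
    "S5": [False, False],  # failure to enrol after two attempts
}
NO = ("no_match",) * 3
LATE = ("no_match", "no_match", "match")  # matches only on the third attempt
MATED = {
    "S1": [("match",), ("no_match", "match"), ("match",)],
    "S2": [("match",), ("fta", "no_match", "no_match"), ("match",)],
    "S3": [("pad_alarm", "match"), ("match",), ("match",)],
    "S4": [LATE, ("match",), NO],
}
NON_MATED = [
    ("S1", "S2", NO), ("S1", "S3", NO), ("S2", "S1", LATE), ("S2", "S4", NO),
    ("S3", "S1", NO), ("S3", "S4", NO), ("S4", "S2", NO), ("S4", "S3", NO),
    ("S5", "S1", NO), ("S5", "S2", NO),
]
VERIFICATIONS = [Verification(s, s, a) for s, txns in MATED.items() for a in txns]
VERIFICATIONS += [Verification(s, c, a) for s, c, a in NON_MATED]
ATTACKS = (
    [("artefact", True, i < 2) for i in range(10)]
    + [("replay", True, i < 1) for i in range(10)]
    + [("artefact_high_effort", False, i < 3) for i in range(4)]
)

if __name__ == "__main__":
    for retries in (2, 3):
        print(retries, scenario_metrics(ENROLMENT, VERIFICATIONS, retries))
    print(iapmr_basic(ATTACKS))
```

Running it with two and then three allowed attempts shows why 7.4.4 ties FAR and GFRR to the same retry setting: the third attempt lowers the reject rates on this data but also lets one non-mated transaction through.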

7.4.5 False reject rate

The supplier’s preferred setting for the number of allowed retries should be used to determine both

...
