Start presentation Prof John Larmouth j larmouth salford

Start presentation

Prof. John Larmouth j. larmouth@salford. ac. uk Biometrics Standardization or How to bore everybody on the first slide! A typical biometric standardizer - asleep!

You’ve heard of biometrics? Great! n n n No? Go away and attend a tutorial! Yes – you can remain! How much do you know? (Not wanting to be rude!) You know all about fingerprint minutiae, iris patterns, hand finger geometry, of course. You know that the digital representation of these for biometric matching is called a BDB (Biometric Data Block). And that BDB formats are standardized.

Standardisation n n n All about multi-vendor interworking. Base level for matching: BDB format standardisation. (Layer 1) Meta-data: CBEFF data elements and BIR formats. (Layer 2) System integration: Bio. API (Layer 3) Interworking between systems: BIP (Layer 4) Plus societal and privacy issues

The layers of biometric standardization (1) n n n The Biometric Data Block (BDB) layer Defines formats for the digital representation of measurements of various physical characteristics Sometimes just images, but often with feature extraction

Current BDB formats – a busy slide! n n n n n Finger Minutiae (FDIS) Finger Pattern Spectral Data (FCD) Finger Image Data (FDIS) Face Image Data (FDIS) Iris Image Data (FDIS) Signature/Sign Behavioural Data (CD) Finger pattern Skeletal Data (CD) Vascular Image Data (WD) Hand Geometry Silhouette Data (WD) Signature/Sign processed dynamic data (WD)

Critical activities at the BDB layer n n Capture Processing (feature extraction) (Storage in a BIR – see later) Matching (with an identified BIR or identification within a population)

Quality aspects n n n Ageing FMR and FNMR Interoperability testing Certification centres (US dominance? ) Matching algorithms (not standardised)

And you know about meta-data and BIRs? n n We are doing well! Meta-data (examples) – identification of the product that captured a BDB – the time it was captured – identification of its format, encrypted or not? – expiry date, security block format (none so far defined!). n Take a BDB, add meta-data, stir well, cook at high temperature, until BIRnt (ready for storage/archiving)

The layers of biometric standardization (2) n n n The Biometric Information Record (BIR) layer Common Biometric Exchange Formats Framework (CBEFF) – Defines elements of metadata Registration (Biometric Organizations, BDB formats, Patron formats, Security Block Formats, biometric products) Authority Standardised Patron Formats (CD) Mainly binary, one XML The BIR is the essential encapsulating unit for storage and transfer (within or between machines) of BDBs

Getting enrolled! n n Enrolment is the capturing of biometric data into a BIR (that contains a BDB), and the archiving or storage of that BIR. Big Brother has measured you! If you are in a benign regime, the BIR will be put on a smart card, and the slate wiped clean. Believe that? Privacy issues. Lose the card? A database will probably hold your BIR!

What next? n n A few hundred years later: you present yourself for measurement again. You claim to match a BIR in a database (give a user id), or one on a card you carry. If you identify the BIR, an identification match can be performed. If you are being scanned by a CCTV camera, an identification search can be performed on the population that has been enrolled.

The layers of biometric standardization (3) n n n The Bio. API layer Defines an architecture for systems integration in a single computer system Applications, Bio. API Framework, Biometric Service Providers (BSPs), Biometric Function Providers (BFPs) Passes BIRs around the system Framework interfaces One of the Bio. API Editors! (From a recent mailing) (C API) (FDIS)

In the beginning there was the Framework, and lo it was good! Bio. API Framework n n n The heart of any Bio. API system. Glues everything together. Everything else from different vendors.

And applications were created to use the Framework …. . (the brains) Biometric Application API Bio. API Framework n n With defined (standardised) interfaces, specified as C calling sequences. Enabling applications to call on biometric services using the framework.

And in the depths service providers appeared (the foot-soldiers), and it was even better! Biometric Application API Bio. API Framework SPI BSP n SPI BSP With standardised service provider interfaces called by the Framework.

The service providers handled one or more devices (fingers and toes) - multi-vendor biometric systems existed!

API and SPI interfaces n Broadly provide (remember BDBs and BIRs? ) for: – Capture of a BDB into a BIR. – Movement of BIRs between BSPs and applications. – BSPs for capture, processing, matching, and archiving. – BFP interfaces (see next slide) for specific BFP functionality, being standardised.

And man said, the interface standards are good, give us more, and so the BFP was begat n n BFPs provided by vendors distinct from BSPs – a new market – minimises work of hardware providers This is too technical for me – move on very fast!

Closing remarks on Bio. API: Conformance Testing n n n A multi-vendor architecture and multi-vendor implementations are fine, but will they really interwork? Standards for conformance testing. Conformance testing software. Certification centres. All key parts of Bio. API.

The layers of biometric standardisation (4) n n The Biometric Interworking Protocol (BIP) layer Work in progress Provides interworking between systems containing capture devices or databases (for example) Based on communicating Bio. API Frameworks The BIP standards group readies itself for work.

Use of biometrics in authentication n n n n Problems of privacy and acceptability Problems of aging Problems of the one-eyed man or a multiple paraplegic Probabilistic only (FMR, FNMR) Still interworking problems at present Problems of secure and trusted software for crossnetwork authentication A captured BIR does not have to be secret, but it does have to be authentically time-stamped Digital certificates containing BIRs link human to other information

We have a few minutes! Any questions?

Prof. John Larmouth j. larmouth@salford. ac. uk The European and UK scenes or HMG Passport Service Biometrics Enrolment Trial A presentation to the Jerusalem Homeland Security Conference

The European scene This is a DIY job!!! n No time for anything more as the UK Passport Office trial results are now released! n Go to URL http: //porvoo 7. fjarmalaraduneyti. is/ n and n x http: //www. electronic-identity. org/porvoo. shtml n x = 1, 2, etc provides lots of Country updates on ID card and biometric deployment in Europe

Whoops! Wrong presentation restart!

The Porvoo group (1) (See Notes) n n n A Finnish initiative Named after the town where the group first met Government representatives discuss the status and development of identification systems (increasingly using biometrics) in the member countries

The Porvoo group (2) n n n n Meets every six months Hosting rotates Host country provides an in depth presentation of the situation in the host country Other countries provide country updates Participants include Austria, Belgium, Estonia, Finland, France, Germany, Greece, Iceland, Ireland, Israel, Latvia, Norway, Spain, Slovenia, Sweden, The Netherlands, UK Presentations available online (see previous URL) Provides a good overview of the European scene

Summary of the European scene n n Most current use of biometrics minimal Most countries have plans to implement ICAO recommendations for passports Some countries already have ID cards Some have plans for biometric ID cards, not yet well advanced.

The UK scene n n Biometrics on new or renewed passports and on new or replacement driving licences from September(? ) 2005 on. Independent of ID card bill currently being discussed in parliament, which may or may not pass! (Much heat, ill-informed discussion. ) Single central database to support all uses of biometric identification, single enrolment centres (7 – 2006 – rising to a planned 70) 98% of UK adult citizens hold a passport, renewed every ten years.

UK Passport Service Biometrics Enrolment Trial n n n Not a trial of the technologies Aims were to determine possible problems with enrolment and verification, and acceptability of the process Jointly commissioned and funded by UK Passport Service, Home Office Identity Cards Programme, and Driver and Vehicle Licensing Agency, and conducted by Atos Origin (a software and consultancy firm).

Dates n n n Planned to start Feb 2004 (delays) Started April 2004, planned for 6 months – extended to 8 months Original target of 1000 disabled participants reduced to 750 Ended Dec 2004 Results due to be published March 2005, withheld due to imminent General Election Released last Wed (May 25)

For those of a DIY disposition The Management Summary (29 pages) and the main Report (300 pages) can both be obtained from: http: //www. ukps. gov. uk/publications. asp (the last two entries on the Web page) n

The participants n n n 10, 016 participants (all 18 or over) (UK population is about 60 million) MORI calculations put advertised results as significant at the 95% level Lies, Damned Lies, Statistics, and Biometric results! Three categories of participant – Quota (2, 000), Opportunistic (7, 266), Disabled (750) Results analysed in the three groups (and together)

The process

Quota participants n n Selected by MORI interviewers in shopping centres near to enrolment centres and “escorted” to the enrolment centre! Aimed to meet demographic percentages related to male/female; working (f/pt), unemployed, student, retired; White, Asian, Black, Chinese/East Asian, Other; religion, urban or rural dweller. Quite a hard job for MORI to find volunteers to fit these percentages of the UK population. Quota participants could include disabled

Opportunistic participants Drag `em in off the street! n Literally true!

Disabled participants n n Obtained from UK registers of disabled people Included – Hearing impairment (including totally deaf) – Visual impairment (including totally blind) – Learning disability – Physical impairment (wheel-chair bound, or missing limbs, etc)

The process n n n Registration (public area) Enrolment (special private booth) – try for face, ten fingers/thumbs, iris. Check against matches in database. Check a second sample verifies. Produce smart card. Verification (public area). Choose biometric. Multiple attempts allowed. Questionnaires or interview on the experience of the process (after enrolment and after verification). Analysis of results – oodles of data!

Some pictures!!! (The booth)

Some pictures!!! (The mobile centre -1)

Some pictures!!! (The mobile centre – 2)

Enrolment process n n n Take digital photograph Attempt to produce face geometry template, checking for false matches and verify it Attempt to produce finger print template, ditto (record missing fingers, not a failure to enrol) Attempt to produce iris image, ditto Produce card with photo and biometric templates (all uploaded to central database) Questionnaire

Verification process n n Insert card into reader Participant chooses biometric to use (can be single finger) Verify (multiple attempts allowed) Questionnaire

Equipment etc (not relevant!!!) n n Panasonic BM-ET 300 camera (it talks!) for enrolment AND verification Identix Face. It Software for face recognition, and Iridian Private. ID software for Iris templates Touchprint 3100 fingerprint scanner for enrolment (does four fingers at a time) DFR-2080 single fingerprint reader for verification

Results – What you have all been waiting for, and no time left!!! (1) n n n Enrolment times were 8 to 10 minutes, but registration and questionnaire filling added to that Disabled registration was at the top end of that range Verification times (using a single biometric chosen by the participant) were about one minute

Results (2) n n (only? ) 90% of all non-disabled people were successfully enrolled on all three biometrics All of the non-disabled were successfully enrolled on at least one biometric 1 in 200 of the disabled could not be enrolled on any biometric UK Passport Office is considering how to handle that – perhaps other forms of identification; it is important to avoid exclusions in a live system.

Fingerprint results n n There was a problem with people with wide fingers – the verification device did not capture enough of the finger There were 14 false matches (against a database primed with one million fingerprints) during enrolment There were problems with arthritic fingers that could not be straightened Temporary problems such as bandages also occurred

Face and iris recognition results (1) n n There were problems in both cases with wheel -chair-based disabled participants, as they could not be placed in the right position in relation to the camera There were problems with hearing-impaired because they could not hear the camera saying go left, go right (the operators did not have a sign-language capability)

Face and iris recognition results (2) n n n There were problems with those with learning difficulties that reacted wrongly or too strongly to camera instructions There were problems with those with behavioural disabilities that could not stay still for a sufficient time There were similar problems with those with physical disabilities if they could not put their head into a vertical position or keep it still

Face and iris recognition results (3) n n n There were problems with people who refused to remove head-gear There were serious lighting problems, aggravated by glasses, contact lenses, bald heads, and dark skins. (Likely to be addressed in a subsequent trial. ) There were problems when people brushed a fringe back between enrolment and verification (similarly removal of glasses)

Where to now? UK Passports Will conform to ICAO recommendations n Will contain face images n May contain other biometrics (not yet decided) n Will be authenticated (PKI) by CAs issued with certificates and keys by HMG n HMG private key held securely in the depths of the Bank of England (or somewhere!) – clearly a target for terrorist or student attack if they can hack it! n CAs will use a derived private key for only a small (to be determined) number of passports

User reactions to the process (1) n n This is what the trial was all about! Generally very favourable Time taken, degree of intrusion, in general either better than or equal to expectations But remember, they were all volunteers

User reactions (2) n n In favour of biometrics being used in passports – Over 90% in favour On a series of questions on whether biometrics will strengthen security of passports, prevent identity fraud, prevent illegal immigration, benefits will outweigh costs – Over 90% positive BUT – contrast media and parliamentary comments! AND – these were all volunteers for the trial

Press comments n n Biometric passports can be forged as easily as normal passports (Rubbish!) (Future) criminals will enrol with all possible registers with multiple identities (A problem with enrolment identification) HMG will be incapable of making such an elaborate IT system work (Perhaps!) The HMG private key is a single point of vulnerability open to attack (Perhaps)

Tail-piece n n n We live in an interesting time! Biometrics standards are not mature, but are being widely deployed! The public is generally accepting them more than justice/liberty lobby groups Lack of perception that the database is what matters for civil liberties, and not the card Lack of perception that biometrics for passports and driving licences will do it all

To measure or not to measure, that is the question n n n Every conference needs its chant: Metrication, metrication Biometrication Some day, some day! We shall overcome, some day! Biometrication – Ya Ya Ya!