ISO IEC TR 30117:2021 pdf download – Information technology — Standards and applications for the integration of biometrics and integrated circuit cards (ICCs).
5 Relationships between biometrics and ICCs

5.1 Architectures for the joint use of biometrics and ICCs

ISO/IEC 24787 provides a comprehensive introduction to the different ways that biometrics and ICCs can be integrated into a final application. These are summarized below as a brief introduction for the reader of this document.

When integrating biometrics into ICCs, four different approaches can be followed:

— Off-card biometric comparison (see ISO/IEC 24787): The ICC stores the biometric reference but is not directly involved in comparison processing. The IFD application reads the biometric reference from the ICC, as needed, with biometric verification occurring external to the ICC.

— On-card biometric comparison (see ISO/IEC 24787): The ICC both stores the biometric reference and performs biometric comparison against biometric probes supplied by the IFD. Security controls employed by the ICC for this process include:

  — Use of cryptography or other controls to prevent unauthorised access to the biometric reference and associated processes; and

  — Limiting the number of consecutive unsuccessful comparisons and blocking further comparison attempts once a specified threshold has been reached.

— Work-sharing on-card biometric comparison (see ISO/IEC 24787): An implementation in which comparison processing, and potentially sample pre-processing, is shared between the ICC and external system components.

— Biometric system-on-card (see ISO/IEC 24787 and the ISO/IEC 17839 series): The ICC contains a complete reference storage, biometric sample capture and biometric comparison subsystem. Such implementations are limited to modalities using small sensors and constrained processing capabilities.

5.2 Considerations to be addressed when designing the application

With these four architectures in mind, the designer and/or developer takes several decisions in order to define the whole system and the relationship between biometrics and ICCs.
The following considerations have to be taken into account. They are outlined in the following paragraphs and discussed further in subsequent clauses in this document.
c) Is there an initial requirement of the biometric modality to be used?

   1) With an initial requirement, a set of further decisions can already be taken, such as the possibility of using on-card biometric comparison, work-sharing on-card comparison or biometric system-on-card.

   2) If there is no initial requirement, the decision on the modality can be taken as the other requirements are satisfied.

   3) Once the modality is chosen, the interoperable data formats have to be checked (see Clause 6).

   4) Once the modality is chosen, it can also be important to address whether the ICC is expected to support other biometric verification types (e.g. off-card comparison) for the same modality.

NOTE The NIST SP 800-76-2 specification for the PIV card (see 5.4 Finger selection for details; also referenced within Clause 9 of this document) describes an ICC platform with optional fingerprint on-card comparison and mandatory storage of the fingerprint templates dedicated to off-card comparison. It also addresses the subject stated above: using the same reference finger positions for biometric data enrolled for off-card comparison and for on-card comparison can lead to security vulnerabilities if the off-card templates are read out by an inappropriate party. Therefore, it recommends using different positions for off-card and on-card comparison reference templates. However, it does not prohibit using the same positions, for usability reasons (the cardholder has to present the same two positions regardless of whether the off-card or on-card verification method is used).
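The retry limit listed among the on-card comparison controls in 5.1 can be modelled as follows. This is an added sketch, not code from ISO/IEC TR 30117 or ISO/IEC 24787. The byte-equality comparator, the 0.8 threshold, the limit of three attempts and all class and function names are assumptions. The status words are those ISO/IEC 7816-4 defines for verification results.

```python
# Added illustration: host-side model of an ICC's on-card comparison retry limit.
# Comparator, threshold and retry limit are assumptions, not values from a standard.

SW_OK = 0x9000         # ISO/IEC 7816-4: normal processing
SW_BLOCKED = 0x6983    # ISO/IEC 7816-4: authentication method blocked
SW_FAIL_BASE = 0x63C0  # ISO/IEC 7816-4: 63CX, X = further retries allowed


def similarity(reference: bytes, probe: bytes) -> float:
    """Toy comparator (assumption): fraction of equal feature bytes."""
    if len(reference) != len(probe) or not reference:
        return 0.0
    return sum(r == p for r, p in zip(reference, probe)) / len(reference)


class OnCardComparator:
    """Card model: the reference stays internal and failed attempts are limited."""

    def __init__(self, reference: bytes, threshold: float = 0.8, max_retries: int = 3):
        if not 1 <= max_retries <= 15:       # X must fit the low nibble of 63CX
            raise ValueError("max_retries must be between 1 and 15")
        self._reference = reference          # no method ever returns this to the IFD
        self._threshold = threshold
        self._max_retries = max_retries
        self._retries_left = max_retries

    def verify(self, probe: bytes) -> int:
        """Compare a probe supplied by the IFD and return a status word."""
        if self._retries_left == 0:
            return SW_BLOCKED                # blocked: no comparison is performed
        # Spend the attempt before comparing, so that an interrupted
        # comparison still counts against the limit.
        self._retries_left -= 1
        if similarity(self._reference, probe) >= self._threshold:
            self._retries_left = self._max_retries   # success resets the counter
            return SW_OK
        return SW_FAIL_BASE | self._retries_left


def run_session(card: OnCardComparator, probes: list[bytes]) -> list[int]:
    """Feed a sequence of probes to the card and collect the status words."""
    return [card.verify(p) for p in probes]
```

Only consecutive failures count toward the block: a successful comparison restores the full allowance, and once the counter reaches zero even a genuine probe is refused.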