《ISO-7816-11-2004.pdf》由会员分享,可在线阅读,更多相关《ISO-7816-11-2004.pdf(40页珍藏版)》请在三一文库上搜索。
1、 Reference number ISO/IEC 7816-11:2004(E) ISO/IEC 2004 INTERNATIONAL STANDARD ISO/IEC 7816-11 First edition 2004-04-01 Identification cards Integrated circuit cards Part 11: Personal verification through biometric methods Cartes didentification Cartes circuit intgr Partie 11: Vrification personnelle
2、 par mthodes biomtriques ISO/IEC 7816-11:2004(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer p
3、erforming the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create thi
4、s PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Centr
5、al Secretariat at the address given below. ISO/IEC 2004 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either IS
6、O at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO/IEC 2004 All rights reserved ISO/IEC 7816-11:2004(E)
7、 ISO/IEC 2004 All rights reserved iii Contents Page Forewordiv Introduction v 1 Scope1 2 Normative references .1 3 Terms and definitions.1 4 Abbreviated terms.2 5 Commands for biometric verification processes 2 5.1 Commands to retrieve biometric information2 5.2 Command for a static biometric verifi
8、cation process.3 5.3 Commands for a dynamic biometric verification process3 6 Data elements3 6.1 Biometric information.3 6.2 Biometric data .5 6.3 Verification requirement information6 Annex A (informative) Biometric verification process8 Annex B (informative) Examples for enrollment and verificatio
9、n13 Annex C (informative) Biometric information data objects19 Annex D (informative) Usage of Secure Messaging Templates.29 Bibliography .33 ISO/IEC 7816-11:2004(E) iv ISO/IEC 2004 All rights reserved Foreword ISO (the International Organization for Standardization) and IEC (the International Electr
10、otechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technic
11、al activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technica
12、l committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circu
13、lated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held
14、responsible for identifying any or all such patent rights. ISO/IEC 7816-11 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification. ISO/IEC 7816 consists of the following parts, under the general title Identification card
15、s Integrated circuit cards: Part 1: Cards with contacts Physical characteristics Part 2: Cards with contacts Dimensions and location of the contacts Part 3: Cards with contacts Electrical interface and transmission protocols Part 4: Organization, security and commands for interchange Part 5: Registr
16、ation of application providers Part 6: Interindustry data elements for interchange Part 7: Interindustry Commands for Structured Card Query Language (SCQL) Part 8: Commands for security operations Part 9: Commands for card management Part 10: Cards with contacts Electronic signals and answer to rese
17、t for synchronous cards Part 11: Personal verification through biometric methods Part 15: Cryptographic information application ISO/IEC 7816-11:2004(E) ISO/IEC 2004 All rights reserved v Introduction This part of ISO/IEC 7816 is one of a series of standards describing the parameters for integrated c
18、ircuit(s) cards with contacts and the use of such cards for international interchange. This part of ISO/IEC 7816 may also apply to contactless cards. INTERNATIONAL STANDARD ISO/IEC 7816-11:2004(E) ISO/IEC 2004 All rights reserved 1 Identification cards Integrated circuit cards with contacts Part 11:
19、 Personal verification through biometric methods 1 Scope This part of ISO/IEC 7816 specifies security related interindustry commands to be used for personal verification with biometric methods in integrated circuit(s) cards. It also defines the data structure and data access methods for use of the c
20、ard as a carrier of the biometric reference data and/or as the device to perform the verification of a personal biometric (on-card matching). Identification of persons using biometric methods is outside the scope of this standard. 2 Normative references The following referenced documents are indispe
21、nsable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 7816-4:2003, Identification cards Integrated circuit cards with contacts Part 4: Organi
22、zation, security and commands for interchange ISO/IEC CD 19785:2003, Information technology Common Biometric Exchange Framework Format (CBEFF) 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 biometric data data encoding a feature or features
23、used in biometric verification 3.2 biometric information information needed by the outside world to construct the verification data 3.3 biometric reference data data stored on the card for the purpose of comparison with the biometric verification data 3.4 biometric verification process of verifying
24、by a one-to-one comparison of the biometric verification data against biometric reference data 3.5 biometric verification data data acquired during a verification process for the comparison with the biometric reference data ISO/IEC 7816-11:2004(E) 2 ISO/IEC 2004 All rights reserved 3.6 template as d
25、efined in ISO/IEC 7816-4 WARNING The term “template” means the value field of a constructed data object. It should not be confused with a processed biometric data sample. 4 Abbreviated terms For the purpose of this part of ISO/IEC 7816, the following abbreviations apply. AID Application Identifier A
26、T Authentication Template BER Basic Encoding Rules BIT Biometric Information Template BD Biometric Data BDP BD in proprietary format BDS BD in standardized format BDT Biometric Data Template CCT Cryptographic Checksum Template CRT Control Reference Template CT Confidentiality Template DE Data Elemen
27、t DF Dedicated File DO Data Object DST Digital Signature Template EFID Elementary File ID FCI File Control Information ID Identifier L Length OID Object Identifier RD Reference Data SE Security Environment SM Secure Messaging TLV Tag-Length-Value UQ Usage Qualifier VIDO Verification requirement Info
28、rmation Data Object VIT Verification requirement Information Template 5 Commands for biometric verification processes Commands for retrieval, verification and authentication defined in ISO/IEC 7816-4 are used for biometric verification. Biometric data (e.g. face features, ear shape, fingerprint, spe
29、ech pattern, voice print, key stroke) may need protection against replay or presentation of verification data derived from original biometric data (e.g. a fingerprint, a face photo). A method to prevent this kind of attack is to send the verification data to the card with a cryptographic checksum or
30、 a digital signature applying secure messaging as defined in ISO/IEC 7816-4. Likewise, secure messaging may be used to guarantee the authenticity of the biometric data retrieved from the card. 5.1 Commands to retrieve biometric information The commands as specified in ISO/IEC 7816-4 in the clause re
31、lated to data referencing shall be used for the retrieval of biometric information. ISO/IEC 7816-11:2004(E) ISO/IEC 2004 All rights reserved 3 5.2 Command for a static biometric verification process The command to be used for a static verification process (see Annex A) is the VERIFY command as speci
32、fied in ISO/IEC 7816-4. The information to be conveyed is biometric reference data identifier (i.e. the qualifier of the reference data) biometric verification data. The biometric verification data may be encoded as BER-TLV data objects (see Table 2). The CLA byte may indicate that the command data
33、field is BER-TLV coded (see ISO/IEC 7816-4). For combined biometric schemes, command chaining as defined in ISO/IEC 7816-8 may be used. 5.3 Commands for a dynamic biometric verification process To get a challenge, to which a user response is required (see Annex A), the GET CHALLENGE command shall be
34、 used. The type of challenge in a biometric verification process, e.g. a phrase for voiceprint or a phrase for keystroke, depends on the biometric algorithm, which can be specified in P1 of the GET CHALLENGE command (see ISO/IEC 7816-4). The respective algorithm may be selected alternatively by usin
35、g the MANAGE SECURITY ENVIRONMENT command (e.g. SET option with CRT AT and DO usage qualifier and DO algorithm id in the data field). After a successful GET CHALLENGE command, an EXTERNAL AUTHENTICATE command is sent to the card. The command data field conveys the relevant biometric verification dat
36、a. For coding of the biometric verification data, the same principles apply as for the VERIFY command, see 5.1. 6 Data elements 6.1 Biometric information The Biometric Information Template (BIT) provides descriptive information regarding the associated biometric data. It is provided by the card in r
37、esponse to a retrieval command prior to a verification process. Table 1 defines biometric information DOs. ISO/IEC 7816-11:2004(E) 4 ISO/IEC 2004 All rights reserved Table 1 Biometric information DOs Tag L Value Presence 7F60 Var. Biometric Information Template (BIT) Tag L Value 80 1 Algorithm refer
38、ence for use in the VERIFY / EXT. AUTHENTICATE / MANAGE SE command Optional 83 1 Reference data qualifier for use in the VERIFY / EXT. AUTH. / MANAGE SE command Optional A0 Var. Biometric information DOs defined in this standard Optional 06 41 42 4F Var. Var. Var. Var. Tag allocation authority (see
39、ISO/IEC 7816-6): - Object identifier (OID) - Country authority (see ISO/IEC 7816-4) - Issuer (see ISO/IEC 7816-4) - Application Identifier (AID), identifies the application and its provider (see ISO/IEC 7816-4) The default tag allocation authority is ISO/IEC JTC1/SC37. One of these DOs is mandatory,
40、 if A1 is present A1 Var. Biometric information DOs specified by the tag allocation authority (mandatory indication, see above). See also example in Annex C Mandatory, if A0 is not present Tag L Value 8x/ Ax 9x/ Bx Var. Var. DOs defined by the tag allocation authority . (primitive / constructed) . (
41、primitive / constructed) DO dependent NOTE In case the card does not perform the verification process, the Biometric Information Template may also contain the biometric reference data (see Table 3) and possibly discretionary data (tag 53 or 73) e.g. for data to be delivered to a service system, if v
42、erification is positive (see Annex C). If several BITs are present within the same application, then they shall be grouped as shown in Table 2. Table 2 BIT group template Tag L Value Presence 7F61 Var. BIT group template Tag L Value 02 Var. Number of BITs in the group Mandatory 7F60 Var. BIT 1 Condi
43、tional . 7F60 Var. BIT n Conditional A BIT group template can be recovered e.g. by a GET DATA command reading out of a file in the corresponding DF, EFID found in the FCI, or reading an SE template (see ISO/IEC 7816-4), in which the BIT group template is stored. ISO/IEC 7816-11:2004(E) ISO/IEC 2004
44、All rights reserved 5 6.2 Biometric data Biometric data (biometric verification data, biometric reference data) may be presented as a concatenation of data elements, within a biometric data DO as defined in ISO/IEC 7816-6, or as concatenation of DOs within a biometric data template, see Table 3. Tab
45、le 3 Biometric data DOs Tag L Value Presence 5F2E Var. Biometric data 7F2E Var. Biometric data template Tag L Value 5F2E Var. Biometric data 81 / A1 Var. Biometric data with standardised format (primitive / constructed) 82 / A2 Var. Biometric data with proprietary format (primitive / constructed) At
46、 least one of these DOs is present, if the template is used As shown in Table 3, biometric data may be split up in a part with standard format and in a part with proprietary format, whereby the part with the proprietary format may be used, e.g. for achieving a better performance. The usage of biomet
47、ric data with standardized and proprietary formats is shown in Figure 1. Structure and coding of biometric data are biometric type (e.g. facial features, fingerprint) dependent and out of scope of this standard. ISO/IEC 7816-11:2004(E) 6 ISO/IEC 2004 All rights reserved T.BDT L T.BDST.BDP BD in stan
48、- dardised format L BD in proprie- tary format of A L Card with matching algorithm A IFD with feature extraction algorithm A VERIFY* * = Verification data: * = Verification data: Card with matching algorithm B VERIFY* The matching algorithms A and B belong to the same biometric type, but use differe
49、nt proprietary biometric data e.g. for performance upgrade. However, both are capable of computing the verifica- tion result using only the BD in the standardised format. A, B = Algorithm type BD = Biometric Data BDP = BD in proprietary format BDS = BD in standardised format BDT = BD Template T, L = Tag, Length T.BDT L T.BDS BD in stan- dardised format L IFD with feature extraction alg