BS ISO IEC 29164:2011 pdf – Information technology — Biometrics — Embedded BioAPI.
Embedded systems are typically characterized by constraints that may include:
a) Memory/storage limitations
b) Processor size/speed limitations
c) Limited operating system (OS) support
d) Single, hardwired data capture device
e) Standalone (unconnected to a network)
6.2 Security in Embedded BioAPI
This International Standard defines two kinds of devices:
Type A: devices that do not implement any kind of security mechanism. This may be due to lack of processing capabilities, use for convenience rather than security purposes, etc.
Type B: devices that implement security mechanisms for confidentiality, integrity, and/or ACBio generation. The supported mechanisms, the supported algorithm for each of the mechanisms, and the key information are dependent on the device, and shared with the application in advance of the execution. If encryption is supported, the BDB of the BIR shall be encrypted. If integrity is supported, it shall be applied to the concatenation of the SHB and the BDB. If encryption and integrity are both supported, encryption shall be done first.
NOTE Use of Type B devices is highly recommended. For these devices, the following paragraph defines requirements for handling security, but the mechanisms to be used are out of the scope of this International Standard.
In Type B devices, biometric data shall be exchanged using the Security Block in the BIR, as defined in Clause 10. Security mechanisms in communication can be added at the low-level protocol, which is out of the scope of this International Standard. As Type A devices do not implement security mechanisms, all biometric information exchanged shall be used without a Security Block in the BIR, as defined in ISO/IEC 19784-1/Amd. 3 and ISO/IEC 19785-1.
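The Type B ordering rule above (encrypt the BDB first, then apply integrity to the concatenation of the SHB and the BDB) can be sketched as follows. This is an added example, not text or code from the standard: the standard leaves the mechanisms out of scope, so HMAC-SHA256, the SHAKE-256 keystream stand-in cipher, the nonce placement, the use of the Security Block to carry the tag, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

NONCE_LEN = 16  # assumption: per-record nonce carried in front of the encrypted BDB

class BIR(NamedTuple):
    shb: bytes           # header, left in the clear
    bdb: bytes           # biometric data block (nonce + ciphertext if encrypted)
    sb: Optional[bytes]  # Security Block: integrity tag here, None if unsupported

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for this sketch only (SHAKE-256 keystream); a real device
    # uses whatever cipher it agreed with the application in advance.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def protect(shb: bytes, bdb: bytes, enc_key=None, mac_key=None) -> BIR:
    """Device side: encrypt the BDB first, then integrity over SHB || BDB."""
    if enc_key is not None:
        nonce = os.urandom(NONCE_LEN)
        bdb = nonce + xor_stream(enc_key, nonce, bdb)
    sb = None
    if mac_key is not None:
        # The tag therefore covers the *encrypted* BDB. Assumption: the SHB
        # length is fixed or self-describing, so the concatenation is unambiguous.
        sb = hmac.new(mac_key, shb + bdb, hashlib.sha256).digest()
    return BIR(shb, bdb, sb)

def unprotect(bir: BIR, enc_key=None, mac_key=None) -> bytes:
    """Application side: verify integrity before touching the ciphertext."""
    if mac_key is not None:
        expected = hmac.new(mac_key, bir.shb + bir.bdb, hashlib.sha256).digest()
        if bir.sb is None or not hmac.compare_digest(expected, bir.sb):
            raise ValueError("BIR integrity check failed")
    if enc_key is None:
        return bir.bdb
    nonce, ciphertext = bir.bdb[:NONCE_LEN], bir.bdb[NONCE_LEN:]
    return xor_stream(enc_key, nonce, ciphertext)

if __name__ == "__main__":
    # Constructed sample values, not real biometric data or device keys.
    ek, mk = os.urandom(32), os.urandom(32)
    rec = protect(b"CONSTRUCTED-SHB", b"constructed template bytes", ek, mk)
    print(unprotect(rec, ek, mk))
```

Calling `protect` with neither key models a Type A device: the BDB is returned unchanged and no Security Block is attached.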
7 Embedded BioAPI general architecture
The general architecture (where an Embedded BioAPI conformant biometric module is used) is composed of two elements, which need to interact in order to provide biometric-related functionality. One of these elements is a General Processing Unit, also called a host, that provides the top-level functionality of the whole device, and needs to connect to an Embedded BioAPI subcomponent (i.e. biometric module) that performs some or all biometric operations (processing, storage, enrolment and/or verification).
Embedded BioAPI is intended to support the integration of embedded biometric Embedded BioAPI subcomponents into a host device. Two options exist for this integration:
1) Monolithic Embedded BioAPI subcomponents (Type 1): A single Embedded BioAPI subcomponent includes the biometric data capture device, storage, and algorithms.
2) Compartmental Embedded BioAPI subcomponents (Type 2): A single Embedded BioAPI subcomponent which includes at least one but not all of the following capabilities:
i) Biometric data capture device — ability to sense and capture the raw biometric data.
ii) Biometric storage — onboard storage of template data.
iii) Biometric algorithms — the ability to process and compare biometric data.
An example of a Type 1 (monolithic) module is an OEM fingerprint data capture device/board designed to be installed into a remote control device and containing “full” biometric functionality including the fingerprint data capture device, processor, firmware (containing the biometric processing and comparison algorithms), and onboard storage for up to 5 fingerprint templates.
An example of a Type 2 (compartmentalized) implementation is an OEM commodity CCD camera capable of capturing facial photo images (i.e. the biometric data capture device) to be embedded into a home physical access device and a biometric module capable of processing and comparing facial images produced by that camera. In this case, the template storage could occur and be controlled separately by the application or be performed by the biometric module.
Both types of modules can be generalized in the following figure (Figure 3). As can be seen, a module conformant with Embedded BioAPI is a hardware module that performs some or all of the biometric functions required by a host system and that communicates with such host system through a standardized interface, herein specified as Embedded BioAPI. Optionally, that same module may have the possibility of contacting directly another Embedded BioAPI biometric module.