Biometrics on Smart Card

Abstract

Biometrics is being more and more widely used in ID cards. Oneof the most popularly used biometrics ID card is smart card. Inparticular, research into fingerprint authentication using digitizedimages has been on track for decades, but recent advances incomputer hardware, fingerprint sensor technology, smart card,and computational power have finally enabled applications to beaffordably deployed on a large scale. Some computer notebooksand personal digital assistances (PDAs) have built-in fingerprintsensor for users to gain security access. Since the introductionof e-passport by the International Civil Aviation Organization(ICAO), enhanced authentication solution employing smart cardand biometrics aroused attention in many countries and the ITindustry more than ever before. Certain countries, especially inAsia, use fingerprint authentication with e-passport or e-ID cardsat immigration checkpoints to accelerate identity verification timefor citizens to cross the border using an automatic gantry. However,most of the existing solutions are using an authentication techniquecalled off-card biometric comparison, which is a biometric compar-ison performed outside the smart card by biometric verificationsystem against the stored biometric reference data in the user’ssmart card. In other words, the smart card is used as a securedstorage device to retain the user’s information and biometricdata. The major advantages of such technique are (1) easy ofimplementation and (2) low-cost smart card usage. However, themajor disadvantage is that the biometric reference data, which is theuser’s biometric data collected and encoded during the enrolmentprocess, is exposed from the smart card to the outside world duringverification as the biometric comparison is executed at the biometricverification system, which unusually is a PC or an embedded device.Such external communication poses security threats. Hence, toprotect biometric reference data, cryptographic protection usingsecure messaging in smart card is required. If the keys of crypto-operation are compromised or the cryptomechanism is hacked,user’s information and biometric reference data will be lost andrevealed. To overcome the potential security loophole of off-cardbiometric comparison, on-card biometric comparison can be used.On-card biometric comparison is the process by which the smartcard performs biometric comparison and decision making on thesmart card, where the biometric reference data is retained insidethe card. Hence, on-card biometric comparison provides strongersecurity protection for biometric authentication that attracts moreattention from the governments and the IT industry. In 2006, thesubcommittee 17 (SC17) under the Joint Technical Committee of In-ternational Organization for Standardization (ISO) and InternationalElectrotechnical Commission (IEC) formed a new Work Group 11(WG11) to define the functional blocks and components for the useof smart cards in applications, where the comparison of biometricidentifiers is to be performed on-card. As of January 2010, WG11has drafted a document “Information technology — Identificationcards-On-card biometric comparison,” [1] and this document is inthe Final Committee Draft stage (all technical contents are settled;only editorial amendments are allowed until the publication of thisdocument as International Standards). In this paper, an introductionon implementation of on-card fingerprint comparison using ISO/IEC24787 will be presented. A simple local and global structure(LGS) fingerprint matching technique will be introduced and themethodology of using the work-sharing mechanism specified inISO/IEC 24787 will be mentioned. The data structures of smart cardand the security policies, which are application dependent, will notbe addressed in the paper