NIST Standards for New Biometric ID Card Published
rts008 writes "eWEEK is reporting that NIST has published the biometric data specs on the new Federal ID cards for employees and contractors that will be issued in October. From the article: 'Specifically, the guidelines state that two fingerprints must be stored on the card as "minutia templates," mathematical representations of fingerprint images. [...] Guidelines require that all biometric data be embedded in the CBEFF (Common Biometric Exchange Formats Framework) structure. This ensures that all biometric data will be digitally signed and uniformly encapsulated. This format will apply not only to PIV cards, but also to any other biometric records kept by federal government agencies.'" The published standards [PDF] are also available from the NIST web site.
Minutia Templates (Score:5, Informative)
It is not possible to recreate the image of a fingerprint from the template. [identix.com]
Re:Fingerprints? (Score:5, Informative)
It doesn't sound like they're storing the actual fingerprints, but a mathematical representation of them, which could mean some kind of one-way mathematical hash, like many computers have for passwords. I'm not saying it's perfect, but I don't see how it's possible to take a set of numbers and create someone else's fingerprints. Sounds like someone's dishing out warm steaming bowls of FUD for breakfast.
Re:Static bad; biodata static :. biodata bad. (Score:2, Informative)
http://it.slashdot.org/comments.pl?sid=176330&cid
for why it is more 'trustworthy'. As long as the data is signed and the data stored isn't sufficient to generate fingerprints from, a biometric card like this does a pretty good job of ensuring that the card was issued to a person with matching fingerprints.
As far as biometrics providing 'static' versus 'dynamic' keys, if the card stores a salted hash of the actual data, then the keys are dynamic enough to be re-issued. New salt every month or whatever, for newly issued cards. As long as your secret sauce^h^h^lt stays secret, it's fine.
How sure you are that only authorized cards are issued (how secure is your trust mechanism) isn't really part of evaluating the card. It might make the card impractical, but it doesn't change the fact that it is better.
Identity is *hard*. I like to think of my driver's license as a symbol of the fact that the State of Michigan believes I am who I say I am. Other people's driver's licenses are either symbols of the same, or that they were willing and able to pay to fake it. I know I am me, and I know I obtained the license, so I don't have to make the exception for mine being fake. You still do. It is still useful to issue them, as it allows other people to say 'Michigan is careful enough that I can trust that card this much' and use it as my identity with lower risk (probably) than just using whatever I say.
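The summary says the CBEFF structure ensures the biometric data is digitally signed, and the comment above rests on "as long as the data is signed." The following added example (not from the story, NIST, or any commenter) shows what that buys a card reader: a simplified, hypothetical stand-in for a CBEFF-style record (header plus minutia template plus issuer signature, not the real CBEFF or PIV encoding) in which any change to the template or header after issuance makes verification fail. The issuer key, header bytes and template bytes are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is a simplified, hypothetical stand-in for a CBEFF-style container:
// a header, the biometric data block (here the minutia template bytes) and a
// signature block computed by the issuer over header+template. It is NOT the
// real CBEFF/PIV encoding, only enough structure to show what the signature protects.
type Record struct {
	Header    []byte // e.g. format owner/type, creation date (constructed sample)
	Template  []byte // minutia template bytes (constructed sample, not a real template)
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Header || Template)
}

func digest(header, template []byte) []byte {
	h := sha256.New()
	h.Write(header)
	h.Write(template)
	return h.Sum(nil)
}

// Issue signs header+template with the issuer's private key, as an issuer would
// sign the biometric block before personalising the card.
func Issue(priv *ecdsa.PrivateKey, header, template []byte) (Record, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(header, template))
	if err != nil {
		return Record{}, err
	}
	return Record{Header: header, Template: template, Signature: sig}, nil
}

// Verify is what a reader must do before trusting the template: check the issuer's
// signature over header+template, so a swapped template or header is rejected.
func Verify(pub *ecdsa.PublicKey, r Record) bool {
	return ecdsa.VerifyASN1(pub, digest(r.Header, r.Template), r.Signature)
}

func main() {
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rec, _ := Issue(issuerKey, []byte("hdr:fmt=minutiae;v=1"), []byte{0x10, 0x22, 0x37, 0x41})
	fmt.Println("genuine record verifies:", Verify(&issuerKey.PublicKey, rec))
	tampered := rec
	tampered.Template = []byte{0x10, 0x22, 0x37, 0x42} // one byte of the template altered
	fmt.Println("tampered record verifies:", Verify(&issuerKey.PublicKey, tampered))
}
```

A reader that skips Verify, or that trusts a signature made with a key other than the approved issuer's, gets none of this protection; the trust-chain concerns in the comments are exactly about who holds that signing key.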
Re:Quality of the card is irrelevant (Score:3, Informative)
Because the PIV system is designed so that a single corrupt person in the chain can't wind up issuing a valid credential. The person who sponsors your application is different from the person who collects your biometrics, who's different from the person who puts together your physical card, who's different from the person who checks your biometrics against the final card and issues it to you. You'd have to bribe at least a couple of people in that chain in order to get an illicit card that actually worked.
Re:How does this prevent fake IDs? (Score:3, Informative)
The fingerprint minutiae templates are digitally signed and protected by a PIN, and the cards are only issued by approved PIV Issuers who have to get all of the data used on the card through a secure network that you wouldn't have access to. And even if you did, you'd have to corrupt at least two of the major players in the issuance process in order to create a fake card.