※ For Part 1, please refer here.
II. Efforts Toward Security Evaluation Using CC
Various approaches to the security evaluation of biometric verification products have been made up to now. The author reports on these efforts and the current situation in two installments, the previous one and this one. This time, he reports on various overseas and domestic efforts related to security evaluation using CC.
1. Efforts in each country and ISO/IEC 19792
Great Britain was the first to tackle PP development in the field of biometrics. The 2001 draft can still be found on the Internet, but it is incomplete.
In the United States, U.S. Government Biometric Verification Mode Protection Profiles were developed in 2007 for the Basic Robustness Environment and the Medium Robustness Environment, respectively. Both expired in 2010. These two PPs tried to extend the security functional requirements for biometric products to complement CC Part 2. In the author’s opinion, however, that extension was the cause of the expiration.
Canada tried to supplement the CEM in 2001, and the CCRA did the same in 2002. No detailed information is available on the former. The latter, known as the Biometric Evaluation Methodology Supplement (BEM), deals with biometric performance such as false acceptance and false rejection, but does not address presentation attack detection against artefacts and the like.
It was ISO/IEC 19792, Security evaluation of biometrics, internationally standardized in 2009, that gave direction to the CC evaluation of biometrics. Biometric products cannot be evaluated using CC without extension. ISO/IEC 19792 proposed a framework for security evaluation focused on biometric performance, presentation attack detection, and privacy under the concept of CC. (Masahiro Mimura, a co-editor of this international standard, made a huge contribution to it. The author recently heard from the German editor that a prominent researcher admired that such content could have been written as of 2009.)
In Germany, one PP was developed in 2008, and two PPs targeting presentation attack detection were developed in 2009. They are well organized compared with the earlier PPs. The editors of ISO/IEC 19792 were involved in developing these PPs, and the PPs and ISO/IEC 19792 influenced each other, improving the quality of both sets of documents.
In addition, the Biometric Evaluation and Technology (BEAT) project was carried out in the EU for four years from 2012 to realize CC evaluation of biometric products based on ISO/IEC 19792. The project achieved new results for the evaluation of both biometric performance and presentation attack detection.
2. Japan’s activities for CC evaluation
For three years from FY 2014, a project of the Ministry of Economy, Trade and Industry (METI) on the CC evaluation of biometric products was carried out with the cooperation of various relevant parties. The aim of this project was to develop a PP based on ISO/IEC 19792 and to enable CC evaluation of biometric products conforming to this PP.
To make the PP, it was necessary to extend the security functional requirements and also to supplement the CEM. In addition, the project included a CC evaluation trial of a real product. Because of time constraints, the trial focused on the vein modality, in which Japan has the world’s leading products.
The developed PP was certified in March 2016 as the “Biometric Verification Product Protection Profile”. While drawing on the German PPs, this PP has security functional requirements for both biometric performance and presentation attack detection, and covers enrollment as well as verification. On these points it is ahead of other PPs. In addition, it was developed so that it can be applied to as many products as possible; during PP development, each company participating in the project confirmed this, and also that the PP can be applied to its own product. The CEM supplement was prepared with reference to the results of the BEAT project.
ISO/IEC 19792 states that privacy specific to biometrics must be considered, but in practice there was nothing in particular to add to Part 2 of ISO/IEC 15409. As a result, the above PP has no extended security functional requirement for privacy.
3. International activities for CC evaluation
As mentioned above, the PP development and CEM supplement in Japan are based on the results from Germany and the EU. The next step is to feed Japan’s results back to the world. Such activities are under way in SC 27 and the CCRA.
In SC 27, ISO/IEC 19989, Criteria and methodology for security evaluation of biometric systems, is being developed. The project was established on a proposal from Japan in 2014. After being subdivided twice, the current project consists of three parts: Part 1 for the framework, Part 2 for biometric recognition performance, and Part 3 for presentation attack detection. The results of the German and BEAT projects are reflected in each part, and the extended security functional requirements of Japan’s PP are reflected in Part 1 as well. The result of the METI project on the evaluation methodology for biometric recognition performance is also to be contributed to Part 2.
The CCRA, the home organization of CC, founded an iTC (international Technical Community) for biometric security in 2016 under the leadership of IPA, and started developing a cPP (collaborative PP), a PP common across the CCRA. At first the iTC tried to make the cPP as general as possible, but it then changed course to develop a cPP for mobile devices as early as possible, at the request of smartphone vendors among the iTC members, who needed a cPP for biometric verification products on mobile devices.
In either activity, the final output is the result of agreement among the participants, and may not be Japan’s results exactly as they were. Since Japan’s results were reached after discussion by many participants from the relevant parties in the METI project, the author will work to have them reflected in both activities as much as possible. He also would like to do his best to bring CC evaluation of biometric verification products into wide use.
Author of this article
Invited Senior Researcher
Information Technology Research Institute
National Institute of Advanced Industrial Science and Technology (AIST)