Slashdot Mirror


NIST Standards for New Biometric ID Card Published

rts008 writes "eWEEK is reporting that NIST has published the biometric data specs on the new Federal ID cards for employees and contractors that will be issued in October. From the article: 'Specifically, the guidelines state that two fingerprints must be stored on the card as "minutia templates," mathematical representations of fingerprint images. [...] Guidelines require that all biometric data be embedded in the CBEFF (Common Biometric Exchange Formats Framework) structure. This ensures that all biometric data will be digitally signed and uniformly encapsulated. This format will apply not only to PIV cards, but also to any other biometric records kept by federal government agencies.'" The published standards [PDF] are also available from the NIST web site.

5 of 129 comments

  1. Minutia Templates by Epicyon · · Score: 5, Informative
    What is being stored is the mathematical representation of the fingerprint, not an image of the fingerprint itself.

    It is not possible to recreate the image of a fingerprint from the template.

  2. Re:Fingerprints? by Reaperducer · · Score: 4, Informative

    > But... fingerprints can be stolen. How does storing someone's fingerprint on these cards make them better than any other form of ID? If the image of your fingerprints is on the card, then anyone who has stolen your card can make fake fingerprints

    It doesn't sound like they're storing the actual fingerprints, but a mathematical representation of them. Which could mean some kind of one-way mathematical hash, like many computers have for passwords. I'm not saying it's perfect, but I don't see how it's possible to take a set of numbers and create someone else's fingerprints. Sounds like someone's dishing out warm steaming bowls of FUD for breakfast.

    --
    -- I'm old enough to have lived through six different meanings of the word "hacker."
  3. Project website by Midnight+Warrior · · Score: 4, Informative

    For those seeking to follow the actual PIV program for federal employees/contractors, check out their home page.

  4. Re:Quality of the card is irrelevant by Intellectual+Elitist · · Score: 3, Informative
    > Why would I try to crack the card when I could just offer a small sum of money to the nice lady working the security desk, and making the cards? Or if she's got too much integrity for that, I suppose I could just kidnap her son/daughter? I'm quite confident she'd make me a card then.

    Because the PIV system is designed so that a single corrupt person in the chain can't wind up issuing a valid credential. The person who sponsors your application is different from the person who collects your biometrics, who's different from the person who puts together your physical card, who's different from the person who checks your biometrics against the final card and issues it to you. You'd have to bribe at least a couple of people in that chain in order to get an illicit card that actually worked.

  5. Re:How does this prevent fake IDs? by Intellectual+Elitist · · Score: 3, Informative
    > What stops me from making a fake ID card, that says I'm somebody else, but with MY fingerprints encoded in the card.

    The fingerprint minutiae templates are digitally signed and protected by a PIN, and the cards are only issued by approved PIV Issuers who have to get all of the data used on the card through a secure network that you wouldn't have access to. And even if you did, you'd have to corrupt at least two of the major players in the issuance process in order to create a fake card.
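
The signature check described in the last comment, as an added example that is not part of the thread or of the NIST specification: a reader that trusts only the issuer's public key rejects a card whose template was swapped or that was signed with some other key. The `Card` layout, the `Issue`, `Verify` and `NewIssuerKey` names, the holder IDs and the choice of ECDSA P-256 are assumptions made for the illustration; the record is a simplified stand-in, not the CBEFF format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Card is a simplified stand-in for a signed biometric record, not real CBEFF.
type Card struct {
	HolderID string
	Template []byte // minutiae template bytes (constructed sample data)
	Sig      []byte // issuer signature binding HolderID to Template
}

// digest length-prefixes each field so bytes cannot slide between them.
func digest(c Card) []byte {
	h := sha256.New()
	for _, f := range [][]byte{[]byte(c.HolderID), c.Template} {
		fmt.Fprintf(h, "%d:", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

func NewIssuerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs the identity and template together with the issuer's key.
func Issue(key *ecdsa.PrivateKey, id string, tmpl []byte) (Card, error) {
	c := Card{HolderID: id, Template: tmpl}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(c))
	c.Sig = sig
	return c, err
}

func Verify(pub *ecdsa.PublicKey, c Card) bool {
	return ecdsa.VerifyASN1(pub, digest(c), c.Sig) // reader trusts only pub
}

func main() {
	issuer, _ := NewIssuerKey()
	other, _ := NewIssuerKey() // a key the reader does not trust
	good, _ := Issue(issuer, "holder-0001", []byte{1, 2, 3})
	forged, _ := Issue(other, "holder-0001", []byte{9, 9, 9}) // self-signed
	fmt.Println(Verify(&issuer.PublicKey, good), Verify(&issuer.PublicKey, forged))
}
```

The signature only shows that the issuer bound this template to this identity; matching the live finger against the template is a separate step at the reader.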