Slashdot Mirror

← Back to Stories (view on slashdot.org)

NIST Standards for New Biometric ID Card Published

Posted by ScuttleMonkey on from the new-face-theft-ring dept.

rts008 writes "eWEEK is reporting that NIST has published the biometric data specs on the new Federal ID cards for employees and contractors that will be issued in October. From the article: 'Specifically, the guidelines state that two fingerprints must be stored on the card as "minutia templates," mathematical representations of fingerprint images. [...] Guidelines require that all biometric data to be embedded in the CBEFF (Common Biometric Exchange Formats Framework) structure. This ensures that all biometric data will be digitally signed and uniformly encapsulated. This format will apply not only to PIV cards, but also to any other biometric records kept by federal government agencies.'" The published standards [PDF] are also available from the NIST web site.

9 of 129 comments (clear)

  1. Implications for British ID cards? by pjt33 · · Score: 3, Insightful

    Maybe this will kill Tony Blair's "We have to have biometric ID cards first so that we can create the de facto standards" argument. Or maybe that's wishful thinking on my part.

  2. Why store them on the card? by EnsilZah · · Score: 3, Insightful

    If i wanted to verify someone's information, i'd rather do so from a secure database rather than a card he gave me.
    Or am i missing something?

    1. Re:Why store them on the card? by Agelmar · · Score: 5, Insightful

      You're missing the fact that the biometric data (actually, likely all data on the card) is signed. Think of it this way:

      The issuer of the card has a certificate issued for that purpose. When the card issuer creates your card, they store your biometric information and a signature of that information on the card. If anyone tries to change the biometric information, the signature is no longer valid. Assuming that the certificate uses strong encryption and that the private part of the certificate's signing key is protected (which are both reasonable assumptions), then the data integrity is ensured.

      This makes a lot of practical sense. If you want to pull everything from a centralized database, then your readers all have to be networked. This means that each reader next to every door in the building must be networked, and while that's fine for many situations, in some areas it's not practical. With the signed data on the card, the user can present their card which contains their biometrics and access credentials, the reader can verify this locally, and then act accordingly. Of course you still need to have a way to publish the root certificate and CRLs from time to time, but it does give you more flexibility.

  3. Re:No thank you by mcheu · · Score: 5, Insightful

    According to the description, this card is for a new government employee ID. I'm Canadian, so I don't know for sure how this is for the US, but up here, if you work for the government, your government department is already going to have a lot of your personal information. While it's not required for all public service jobs, some positions require to get at least a minimal security clearance, and depending on how high a clearance you need to get, you might get fingerprinted. The only thing new here is that they're encoding all that digitally onto your staff ID card.

    It should be rediculously easy to avoid getting one of these cards: Just don't apply for a government job.

  4. 4th Amendment violation? by Antony-Kyre · · Score: 3, Insightful

    I'm not so sure if it's legal to mandate that the employees give up their fingerprints like that.

    Below is the part of the 4th Amendment in which I am referring. Aren't our fingerprints considered to be part of our property? Isn't mandating that they collect our fingerprints without being suspected of a crime an unreasonable search? (It's one thing to do a background check and ask for fingerprints. It's another thing to require your fingerprints be on a card you have to carry around.)

    The right of the people to be secure in their persons, ... against unreasonable searches and seizures, shall not be violated,

    1. Re:4th Amendment violation? by NewbieProgrammerMan · · Score: 3, Insightful

      I'm sure there's a good chance that the 4th amendment can be reinterpreted by the Supreme Court to find that the federal government is empowered to require almost anything of federal employees. And an even higher chance that a team of federal lawyers can write reams and reams on how there's nothing to worry about unless you're a terrorist.

      <dons flame-retardant suit>

      Of course, even if it doesn't officially get interpreted that way, US Presidents seem to be able to get away with doing things that they aren't empowered to do (except receive blowjobs in the Oval Office and tell G. Gordon to break into Democrat headquarters). After all, it's just a goddamned piece of paper!

      --
      [b.belong('us') for b in bases if b.owner() == 'you']
  5. Static bad; biodata static :. biodata bad. by Errandboy+of+Doom · · Score: 3, Insightful

    Aren't static keys always inferior to dynamic keys?* (Isn't that why we're supposed to regularly change our passwords?)

    Isn't biometric data static?

    So why is anyone interested in biometric security?

    Isn't it (perhaps counterintuitively) an inherently insecure means of indentification, by its very nature?

    I must be missing something.

    *(Maybe this is because anything can be duplicated and forged, given enough time. Changing your key a lot makes forging impractical?)

  6. Re:Fingerprints? by MrAnnoyanceToYou · · Score: 4, Insightful

    Unfortunately, as soon as fingerprints are on cards, along with other biometrics, the cards themselves become much more trusted. One of the dangers of security is the appearance of things being more secure than the actual method. Ergo, much more trusted despite only marginally more effective security. This means that when you get the key to the castle, you have one to all the doors. Not good. This is a case of the added value of having such identification on a card being trumped by the reality that if someone gets their hands on it and the ability to use it your financial life is not going to go well for a seriously long time.

    Making a security system more complex does not disallow it from being broken, it simply puts more complex holes in it. The reason anyone wants biometrics on a card is to take advantage of the gathered information, and has nothing to do with wanting more effective fraud reduction.

    --
    My little site.
  7. Re:No thank you by drDugan · · Score: 4, Insightful

    Just don't apply for a government job

    Sorry, it's not that easy. Two problems with this. First, the class of workers that work for/in the gov.t is a huge group, and we have every reason to believe that this class will grow in size.

    Second, you run a slippery slope accepting things you disagree with, even if they don't affect you personally. If it's OK for gov't workers, next it will be OK for everyone. Next everyone will need a biometric ID to use a bank, or travel. Next if you have an outstanding issue with the government, -- oops, no money, can't travel, you're outta-luck buddy. Next Canada will say -- it's OK in the US, we should do that here. etc etc etc...