NIST Standards for New Biometric ID Card Published

rts008 writes "eWEEK is reporting that NIST has published the biometric data specs on the new Federal ID cards for employees and contractors that will be issued in October. From the article: 'Specifically, the guidelines state that two fingerprints must be stored on the card as "minutia templates," mathematical representations of fingerprint images. [...] Guidelines require that all biometric data to be embedded in the CBEFF (Common Biometric Exchange Formats Framework) structure. This ensures that all biometric data will be digitally signed and uniformly encapsulated. This format will apply not only to PIV cards, but also to any other biometric records kept by federal government agencies.'" The published standards [PDF] are also available from the NIST web site.

Re:No thank you

[mcheu]

According to the description, this card is for a new government employee ID. I'm Canadian, so I don't know for sure how this is for the US, but up here, if you work for the government, your government department is already going to have a lot of your personal information. While it's not required for all public service jobs, some positions require to get at least a minimal security clearance, and depending on how high a clearance you need to get, you might get fingerprinted. The only thing new here is that they're encoding all that digitally onto your staff ID card.

It should be rediculously easy to avoid getting one of these cards: Just don't apply for a government job.

Re:Why store them on the card?

[Agelmar]

You're missing the fact that the biometric data (actually, likely all data on the card) is signed. Think of it this way:

The issuer of the card has a certificate issued for that purpose. When the card issuer creates your card, they store your biometric information and a signature of that information on the card. If anyone tries to change the biometric information, the signature is no longer valid. Assuming that the certificate uses strong encryption and that the private part of the certificate's signing key is protected (which are both reasonable assumptions), then the data integrity is ensured.

This makes a lot of practical sense. If you want to pull everything from a centralized database, then your readers all have to be networked. This means that each reader next to every door in the building must be networked, and while that's fine for many situations, in some areas it's not practical. With the signed data on the card, the user can present their card which contains their biometrics and access credentials, the reader can verify this locally, and then act accordingly. Of course you still need to have a way to publish the root certificate and CRLs from time to time, but it does give you more flexibility.

Re:Fingerprints?

[MrAnnoyanceToYou]

Unfortunately, as soon as fingerprints are on cards, along with other biometrics, the cards themselves become much more trusted. One of the dangers of security is the appearance of things being more secure than the actual method. Ergo, much more trusted despite only marginally more effective security. This means that when you get the key to the castle, you have one to all the doors. Not good. This is a case of the added value of having such identification on a card being trumped by the reality that if someone gets their hands on it and the ability to use it your financial life is not going to go well for a seriously long time.

Making a security system more complex does not disallow it from being broken, it simply puts more complex holes in it. The reason anyone wants biometrics on a card is to take advantage of the gathered information, and has nothing to do with wanting more effective fraud reduction.

Re:No thank you

[drDugan]

Just don't apply for a government job

Sorry, it's not that easy. Two problems with this. First, the class of workers that work for/in the gov.t is a huge group, and we have every reason to believe that this class will grow in size.

Second, you run a slippery slope accepting things you disagree with, even if they don't affect you personally. If it's OK for gov't workers, next it will be OK for everyone. Next everyone will need a biometric ID to use a bank, or travel. Next if you have an outstanding issue with the government, -- oops, no money, can't travel, you're outta-luck buddy. Next Canada will say -- it's OK in the US, we should do that here. etc etc etc...