RTCA DO-230H FRAC
©2017 RTCA, Inc.
biometric system application models with different scenarios for the storage of biometric references
and comparison; and
guidance on the protection of an individual’s privacy during the processing of biometric
ISO/IEC 24745 can be purchased from the ISO Website [Refer: Appendix A: References].
In accord with local policy and compliance requirements, biometric data may or may not be centrally stored.
Unless prohibited by local law or policy, industry best practices recommend that all original biometric
images (i.e. fingerprints, iris and facial images) be retained to support the following four critical purposes:
re-issuance of a credential, technology independence, potential CHRC re-submission requirements, and
Re-issuance - When a credential is lost, stolen or damaged, local policies may enable re-issuing a
new credential without a full re-enrollment. Retained original biometric data enables re-issuance
without requiring the participant to appear in person for re-capturing biometric characteristics.
Technology Independence - Retaining the original biometric data can eliminate the costly process
of re-enrolling a population of participants to accommodate a technology change such as new
sensors, change in template formats or change in matching algorithms.
CHRC Requirements - Original biometric data may be the only form that is accepted for
submission for background check purposes where the data is sent to a law enforcement agency such
as the FBI. It is possible that the images may need to be re-submitted to the FBI or other agency
because of quality or other technical issues.
Forensic Investigation - Original biometric data may be required as templates do not retain enough
information to support adjudication where the de-duplication service identifies a potential match.
When protecting biometric data, it is important to consider central storage of the originally captured
biometric raw data or image data in a separate database or an off-line repository. This is critical to reduce
the risk of “break the server, acquire all the data” in a single attack scenario.
There are specific privacy concerns related to biometric information because of its unique and permanent
nature. If a password is compromised or an ID card is stolen, then it is easy to create a new one and revoke
the old one. But a biometric characteristic is, by definition, a permanent feature of a person. So the question
is often asked: if biometric data is compromised, how can the system be protected while still authorizing
access to the legitimate participant? The permanent nature of biometric data presents specific reasons why
biometric data should be protected through encryption when at rest or in transit. Even though biometric
data describes a permanent feature, there are aspects of the way that biometric data is formatted and used
that make it difficult to exploit for nefarious purposes.
When biometric data is stored for authentication purposes, either on an access card or within an access
control system, it is typically in the form of templates instead of the initial captured biometric raw data or
image. The template is a smaller record that contains only the mathematical representation of the biometric
characteristic that is required for matching purposes. In fact, all biometric matching takes place only after
an image, or raw biometric data, has been processed into a template through a process known as “feature
extraction” or “template generation”. Since biometric data stored in a template format cannot be easily
reconstructed into the original input images, personal privacy is further enhanced.
Even though the biometric data cannot be easily changed like a PIN, the two situations are not completely
equivalent. The threat posed by the compromise of a PIN or stolen ID card is very easy to exploit. All the
unauthorized user has to do is enter the PIN and/or present the card to the reader and he has all the privileges
of the rightful owner. If the unauthorized user obtains the biometric data, he/she still has the non-trivial
problem of how to exploit it. The problem is in no way equivalent to the situation where the criminal