RTCA Documents for Review: DO-230H FRAC
©2017 RTCA, Inc.
possesses the card and/or PIN and wants to exploit it. A biometric sensor does not have the equivalent risk
of the PIN pad or card reader. The biometric sensor is built to capture a specific type of information directly
from the human body or the unique behavior of the participant. The compromised biometric data is, by
definition, not in a form that can be entered into the system through the normal operation of the biometric
sensor. In order for the situation with the stolen biometric data to result in equivalent vulnerability for the
protected system, the unauthorized user would have to have a way to submit the compromised data into the
biometric processing path. This is much more difficult than entering a stolen PIN or presenting a stolen ID
card to a reader.

Encrypted in Transit and at Rest
It is generally considered best practice to encrypt biometric data when it is transmitted over a network or
stored in a data repository. This prevents unauthorized access to biometric data and protects personal
privacy [Reference Section 9].

Digital Signatures or other Data Protection Mechanisms
Biometric data that is contained in a data record should be digitally signed to prevent alteration or
substitution of the biometric data. When a biometric record is accessed for user authentication transactions,
the digital signature should be checked to validate the integrity of the retrieved biometric record. If the
signature check fails, then the transaction should be rejected [Refer: Section 9].
It is also possible to include a record type in the biometric record header to indicate whether the biometric
data is associated with an enrollment record or a transaction taken from a presented biometric sample. This
record type designation can be checked to ensure that an enrolled biometric record has not been stolen and
replayed to the system to mimic a biometric transaction record.
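
The signature check and the record-type check described above, as an added example that is not part of the RTCA document. HMAC-SHA256 from the Python standard library stands in for a digital signature here, and the header layout, record-type codes, function names and sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumed layout (not from the source document): 1-byte record type,
# 2-byte template length, template bytes, then a 32-byte HMAC-SHA256 tag.
ENROLLMENT, TRANSACTION = 1, 2
HEADER = struct.Struct(">BH")
TAG_LEN = hashlib.sha256().digest_size

class RecordRejected(Exception):
    """The record failed an integrity or record-type check."""

def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()

def seal_record(key: bytes, record_type: int, template: bytes) -> bytes:
    """Return header || template || tag; the tag covers the header too."""
    body = HEADER.pack(record_type, len(template)) + template
    return body + _tag(key, body)

def open_record(key: bytes, blob: bytes, expected_type: int) -> bytes:
    """Return the template, or raise RecordRejected so the caller rejects."""
    if len(blob) < HEADER.size + TAG_LEN:
        raise RecordRejected("record too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Integrity first: nothing in the header is trusted before this passes.
    if not hmac.compare_digest(tag, _tag(key, body)):
        raise RecordRejected("integrity check failed")
    record_type, _ = HEADER.unpack_from(body)
    # A stored enrollment record presented as a live sample is a replay.
    if record_type != expected_type:
        raise RecordRejected("unexpected record type")
    return body[HEADER.size:]

def check(key: bytes, blob: bytes, expected_type: int) -> str:
    try:
        open_record(key, blob, expected_type)
        return "accepted"
    except RecordRejected as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key
    enrolled = seal_record(key, ENROLLMENT, b"constructed-template")
    relabelled = bytes([TRANSACTION]) + enrolled[1:]  # header byte altered
    print(check(key, enrolled, ENROLLMENT))    # normal retrieval
    print(check(key, enrolled, TRANSACTION))   # replayed enrollment record
    print(check(key, relabelled, TRANSACTION)) # altered header
```

Because the tag covers the header, changing the record type of a stolen enrollment record fails the integrity check instead of passing the type check.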

Threat Vectors and Mitigation Options
Any component of a security system is exposed to threats. This section discusses specific threats and
mitigation approaches related to biometric sub-systems.
As previously referenced, it is possible to fool a biometric sensor with a fake biometric sample, such as a
photograph of a face or iris, a fake finger, or a voice recording. This type of attack is called sensor “spoofing”
and presumes that the attacker has been able to obtain a high-quality representation of a person’s biometric
sample. The biometrics industry has made significant progress in the last few years in developing
countermeasures for such sensor spoofing attacks. The most common technique is to also measure the
presented sample to determine its liveness. For example, face and iris sensors can now detect facial motion or
involuntary pupil dilation to determine liveness. Fingerprint sensors can detect tissue composition or
sub-dermal blood presence, measure the electrical current frequency of living tissue, or use sophisticated
software algorithms to determine liveness. Speaker recognition systems can use random challenge-response
pass-phrase prompts to thwart a recording attack.
While this is a topic that is taken seriously by the biometrics industry, there are currently no standards that
describe a specific approach for liveness detection and anti-spoofing countermeasures. Some standards on
testing of this capability are in development, but are not yet published at this writing. An airport operator
should contact his/her consultant, vendor, integrator or an independent testing laboratory to determine the
degree of vulnerability that a specific biometric product might have relative to sensor spoofing. There is