
D3.2: A study on PKI and biometrics


 

The BEE Recommendations (IST-20078 BEE) and BioVision

In the discussion of whether biometrics could enhance PKIs, one should distinguish between (1) the use of biometrics to secure the user’s access to the private key, (2) the use of the biometric as an electronic signature and (3) the use of biometric characteristics as a private key in a PKI environment.

Biometrics could secure the access to PINs or private keys in a PKI environment. Procedures for introducing biometrics into a PKI have been identified and described, e.g., in the IST-20078 BEE project. In this project, biometrics, PKI and smart cards were combined in a concrete security solution in order to address the security needs of sensitive e-commerce applications, such as e-banking, e-government and e-health applications. According to the procedure proposed by the BEE project, the Certification Authority stores the key pair and the biometric template of the authorised user, while the user receives a smart card containing the user’s certificate, the user’s encrypted private key and the user’s encrypted biometric template, stored in the protected memory area of the smart card. Upon use of the smart card, the user uses a PIN and the designed biometric measurement to unlock access to the private key, which is used for the PKI services. It is suggested that the matching of the PIN and the template is done on the card. The specific security concerns about the use of biometrics apply in this scenario as well. If the biometrics are stored on a smart card, the presently still limited technical possibilities of such smart cards (such as limited storage and processing capacity for match-on-card) make the challenges of securing the use of biometrics on such a smart card even more prominent.
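The card-side gating described above, as an added example that is not code from the BEE project: a toy model in which the PIN and the biometric sample are both checked inside the card and the key is only ever used internally. The retry limit, the Hamming-distance threshold, the bit-string template and the HMAC standing in for a private-key signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class MatchOnCard:
    """Toy model of a card that checks PIN and biometric sample internally."""
    MAX_TRIES = 3       # assumed retry limit before the card blocks
    MAX_DISTANCE = 12   # assumed threshold: differing bits out of 128

    def __init__(self, pin: str, template: bytes):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._kdf(pin)
        self._template = template            # enrolled reference, never exported
        self._key = secrets.token_bytes(32)  # stand-in for the user's private key
        self.tries_left = self.MAX_TRIES
        self._unlocked = False

    def _kdf(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def _bio_ok(self, sample: bytes) -> bool:
        # Biometric matching is a threshold on similarity, not an equality test.
        if len(sample) != len(self._template):
            return False
        diff = sum(bin(a ^ b).count("1") for a, b in zip(sample, self._template))
        return diff <= self.MAX_DISTANCE

    def verify(self, pin: str, sample: bytes) -> bool:
        """Both factors must pass; the caller learns only yes or no."""
        self._unlocked = False
        if self.tries_left == 0:             # card is blocked
            return False
        pin_ok = hmac.compare_digest(self._kdf(pin), self._pin_hash)
        self._unlocked = pin_ok and self._bio_ok(sample)
        self.tries_left = self.MAX_TRIES if self._unlocked else self.tries_left - 1
        return self._unlocked

    def sign(self, message: bytes) -> bytes:
        """Use the key inside the card; one signature per successful verify."""
        if not self._unlocked:
            raise PermissionError("card is locked")
        self._unlocked = False
        # HMAC stands in for a private-key signature (assumption of this sketch).
        return hmac.new(self._key, message, hashlib.sha256).digest()

# Constructed sample data: 128-bit template, a noisy genuine capture, an impostor.
ENROLLED = bytes(range(16))
GENUINE = bytes(b ^ 1 if i < 5 else b for i, b in enumerate(ENROLLED))  # 5 bits differ
IMPOSTOR = bytes(b ^ 0xFF for b in ENROLLED)                            # all bits differ
```

The genuine capture is accepted although it differs from the enrolled template, which is why the match is a tunable threshold rather than a secret comparison; the retry counter is what limits repeated presentation of guessed or copied samples.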

Biometrics could also qualify as an electronic signature. An ‘electronic signature’ is defined in the e-signature Directive as ‘data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication’. Biometric characteristics could qualify as data in electronic form and become attached to other electronic data, in order to identify the user. Other legal systems would also accept biometric identifiers as an electronic signature. The advantage for applications such as e-commerce would be that an individual’s use of, e.g., a fingerprint to confirm an electronic transaction is more reliable for the vendor than the use of an ‘I accept and agree’ key in an e-commerce application. The use of biometrics in this case is, however, not equal to an ‘advanced electronic signature’, for which it is required that the signature is created ‘using means that the signatory can maintain under his sole control’. Biometric characteristics are not secrets and are publicly available to those who intend to forge biometric systems (see also below).

The European Art. 29 Data Protection Working Party (WP 29) has indicated that it favours the use of biometric data as encryption keys as a new technology. One could understand that in that case, biometric characteristics become part of the process of establishing the private key. The challenge of this kind of use of biometrics is not only evidence of coping successfully with the specific dangers and threats to biometric systems (e.g., the need for authentication of the biometric input device and aliveness tests (see below)) and the privacy-friendly implementation of the use of biometric characteristics (see above, e.g., limiting the use of central databases, etc.), but also the demonstration that biometric characteristics, which cannot be considered private and secret, comply with the requirement of an ‘advanced electronic signature’ that it is created ‘using means that the signatory can maintain under his sole control’.

The use of biometrics in a PKI environment has been briefly touched on in the BioVision report on legal and privacy issues. The paper analyses several terms of the e-signature Directive in the light of the use of biometrics. The paper does not state, however, to what extent biometrics could qualify as an electronic signature, whether a ‘simple’ electronic signature or an advanced one.

ICAO. In 2003, the International Civil Aviation Organisation (ICAO) adopted a global blueprint for the integration of biometric identification information into passports and other Machine Readable Travel Documents (MRTDs). Facial recognition was selected as the globally interoperable biometric for machine-assisted identity confirmation with MRTDs. ICAO has also selected high-capacity, contactless integrated circuit (IC) chips to store identification information in MRTDs — passports, visas and identity cards. States will have the option of using one or two secondary biometrics to supplement facial recognition for personal identification. A specially developed logical data structure (LDS) will provide a framework for programming data to ensure interoperability of travel documents, and a modified public key infrastructure (PKI) scheme will provide security of data stored in the IC chip against unauthorised alteration or access. The MRTDs are requested to follow up on the technical report ‘PKI for machine readable travel documents offering ICC read-only access’. The system, however, would actually only provide for the digital signature of the MRTD by the issuing states, with the certificate of the signing state stored on the MRTD chips and public key management held by the ICAO.

 

 

fidis-wp3-del3.2.study_on_PKI_and_biometrics_03.sxw
Denis Royer