Subproject 4: Biometric Identification System

Verisoft also aims at verifying an industrial biometric identification system. An access system on a host compares biometric data from any biometric sensor with a reference template stored on a smartcard and grants or denies access depending on the degree of similarity between both sets of data. The access software, the cryptographic primitives and their combination, and the security of the underlying cryptographic protocols will be formally verified. Protecting the individual’s reference template from misuse by malicious attackers on the host system is of high relevance in this subproject.

The subproject is headed by T-Systems, which cooperates closely with DFKI, TU Munich, TU Darmstadt and Saarland University (Prof. Finkbeiner).


Methods of Authentication

There are many applications where identification and authentication of a person are required. The security policy determines the strength of authentication in relation to the protection needs of information or resources. There are three methods to verify an identity presented to the system:

  • something you know (PIN, Password, Passphrase);
  • something you have (smartcards, RF-ID, other token);
  • something you are (physiological or behavioral characteristics = biometrics).

Each of the methods, as well as each possible combination, determines a specific security level. In this project a high-security authentication system is introduced that combines biometrics and smartcards. The system can operate in offline mode.

Unavoidable problems of biometrics

From the results of field trials we have learned that there are some unavoidable problems in all biometric systems [1][2]:

  • A fault in the biometric authentication, i.e. the admittance of unauthorised or the rejection of authorised persons, is part of the normal course of operations in a biometric system.
  • For each biometric system there are always persons who do not show the characteristic to a degree sufficient for capturing with a biometric device, or who do not possess the characteristic at all. Therefore, each biometric method needs an alternative backup system.
  • Because most live checks in biometric systems do not work efficiently, these biometric systems have to be supervised.
  • Because a user is bound to his biometric data for life, and in accordance with the German Federal Data Protection Act (Datenschutzgesetz), we need a complete solution for the privacy problems before we can put the biometric system into operation.

System Idea

The basic idea of the Chipcard based Biometric Identification System (CBI System) is the smart combination of the established smartcard based methods and the novel biometrics based methods in order to avoid the problems mentioned above.

Security objectives of the CBI-System

The CBI-System provides access control for computer resources as well as for buildings. It uses the biometric-based method in combination with the token-based method to identify and authenticate a user; the token is a cryptographic smartcard. The calling application gets a positive or negative answer from the SBV-System. One or more different and independent biometric reference templates are stored on the smartcard, so a user can be authenticated with different biometrics according to the security policy and the security level. There are two main security objectives that have to be fulfilled by the CBI-System:

  • increase the security level against attempts to fool the access control system by using two different authentication methods in combination
  • store the biometric reference data (the reference template) locally, according to privacy requirements

The first security objective combines the biometric-based and the token-based authentication methods to reach a higher security level than either method can provide alone. To be authenticated positively by the system, a user first has to present a valid smartcard and then his biometric characteristic. In addition, it motivates the use of the biometric system in verification mode. The security level of a biometric system in identification mode is as high as the quality of the worst reference template in the database.

The second security objective is derived directly from data privacy acts, which recommend decentralized storage of any biometric data: such data cannot be altered and belong to a person for a long time, in contrast to PINs and passwords, which relate to a person but can be altered at any time. A person should be able to hold all necessary authentication data and keep it under his own control.

Security Requirements

In this subsection, more detailed security requirements are formulated according to the security objectives.

  • the host only accepts valid smartcards
  • the smartcard only accepts valid hosts
  • the biometric data and the biometric reference data must be handled confidentially
  • the host only accepts valid biometric reference data
  • after the matching process the fresh biometric data and the reference data have to be deleted
  • the biometric authentication is successful if the biometric data and the biometric reference data are sufficiently congruent
  • failed biometric matchings are tolerated, but have to be counted

Security Functions

In order to fulfill the requirements given in the subsection above, the following security functions have to be implemented.

  • smartcard and host do mutual authentication and the communication is encrypted
  • an error counter of failed authentications is introduced
  • the reference data is digitally signed
  • all biometric data is overwritten by random numbers after the matching
  • an error counter of failed biometric verifications is introduced
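
The last three security functions (signed reference data, overwriting after the matching, error counter for failed biometric verifications) as one host-side verification attempt. This is an added example, not code from Verisoft or T-Systems. All names, the retry limit, the threshold, the distance measure and the counter reset on success are assumptions; the signature check itself is left to the caller and only its result is passed in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define CBI_MAX_FAILS 3    /* assumed retry limit */
#define CBI_THRESHOLD 40u  /* assumed maximum distance that still counts as a match */

enum cbi_result { CBI_GRANT, CBI_DENY, CBI_BLOCKED, CBI_BAD_TEMPLATE };

/* Overwrite a buffer with random bytes. The volatile pointer keeps the
 * compiler from discarding the stores as dead writes. rand() stands in
 * for the platform's random number source. */
static void cbi_wipe(uint8_t *buf, size_t n)
{
    volatile uint8_t *p = buf;
    for (size_t i = 0; i < n; i++)
        p[i] = (uint8_t)rand();
}

/* Stand-in matcher: sum of absolute differences of two feature vectors. */
static unsigned cbi_distance(const uint8_t *a, const uint8_t *b, size_t n)
{
    unsigned d = 0;
    for (size_t i = 0; i < n; i++)
        d += (unsigned)abs((int)a[i] - (int)b[i]);
    return d;
}

/* One biometric verification attempt on the host.
 * sig_ok: outcome of the signature check on the reference template (done by the caller).
 * fails:  persistent counter of failed biometric verifications. */
enum cbi_result cbi_verify(uint8_t *fresh, uint8_t *ref, size_t n,
                           int sig_ok, unsigned *fails)
{
    enum cbi_result r;
    if (*fails >= CBI_MAX_FAILS) {
        r = CBI_BLOCKED;               /* limit reached: no further matching */
    } else if (!sig_ok) {
        r = CBI_BAD_TEMPLATE;          /* unsigned or altered reference data */
    } else if (cbi_distance(fresh, ref, n) <= CBI_THRESHOLD) {
        *fails = 0;                    /* assumed: a success resets the counter */
        r = CBI_GRANT;
    } else {
        (*fails)++;                    /* tolerated, but counted */
        r = CBI_DENY;
    }
    cbi_wipe(fresh, n);                /* wiped on every path, not only on success */
    cbi_wipe(ref, n);
    return r;
}
```

Both buffers are overwritten before the function returns, whatever the outcome, so neither the fresh sample nor the template read from the card stays in host memory after a denied or blocked attempt.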

What should be verified in Verisoft? (Objectives of SP4)

  • Do the security functions meet the security requirements?
  • Does the source code implement the same security functions as in the top level design?

Work Packages of Subproject 4

AP 4.1 Smartcard Communication Protocol

The first step of AP 4.1 is the formalization of the standardized communication protocol between the chipcard, the chipcard terminal and the host (T=1, ISO/IEC 7816-3). In a second step the deadlock characteristics of the communication protocol will be verified (joint work with Saarland University, group of Prof. Finkbeiner).

AP 4.2 Protocol of the CBI-System

The aim of AP 4.2 is to prove that the security functions meet the security requirements, using various techniques such as cryptographic protocol verification and information flow control. The system is specified in the Unified Modeling Language. The formalization and verification will be done in UMLsec by TU Munich and in VSE by DFKI. The formalization and verification of the cryptographic primitives is done by TU Darmstadt.

AP 4.3 Implementation of the CBI-System

AP 4.3 will answer the second question: Does the source code implement the same security functions as in the top level design? The CBI-System will be implemented in C code (later C0 code) in order to verify its correctness against the formal specification. This is cooperative work with DFKI and TU Munich.

System Design

The CBI-System is divided into three main parts: a computer system, the biometric sensor, and the smartcard, which communicates with the computer system via a smartcard terminal. The host software running on the computer system implements the feature extraction unit, the matching unit and the communication channel between them, as well as several cryptographic functions and keys. In addition, a display gives the user feedback on the biometric matching. The display can be a pop-up window on the screen or a green and red LED integrated in the sensor. The general construction is shown in the following figure.


The CBI-System can be used for access control to computer resources and for access control to rooms and buildings. In the former scenario the computer system can be a personal computer or a workstation on which the host software is running. The host software is, for instance, a PAM module as known from UNIX systems. The biometric sensor and the smartcard terminal are externally connected to the computer system.

In the latter scenario the host software and the computer system coincide: the host is simply a micro-controller with storage capacity. The biometric sensor is internally connected to the host software. Both can be put in a tamper-proof box and installed beside the access-controlled door. In a further step the smartcard terminal can be integrated in the box as well.

CBI-System Demonstrator

The demonstrator "keystroke-dynamics with template on card" shows all elements of the Chipcard based Biometric Identification System. A PC with a keyboard is needed; the keyboard acts as the biometric sensor. A chipcard reader, a TCOS chipcard and the demo software are included in delivery. The system can enrol the keystroke behavior of the user; the biometric template is stored on the chipcard. With this chipcard it is possible to verify the identity of the user at any time at any Verisoft demonstrator. The system compares the keystroke behavior of the test person with the extract of the keystroke behavior in the biometric template. In the following figure the main components of the CBI-System demonstrator are shown.



  1. Gunter Lassmann (ed.), Bewertungskriterien zur Vergleichbarkeit biometrischer Verfahren, Version 2.0, 10. Juli 2002, TeleTrusT Working Group 6 'Biometrische Identifikationsverfahren'.
  2. Gunter Lassmann, "Some results on robustness, security, and usability of biometric systems", Proc. ICME 2002, Lausanne, Switzerland, Aug. 2002, vol. 2, pp. 577-580.

Revision 14 Dec 2006