ISO/IEC TR 30117:2021
Information technology — Standards and applications for the integration of biometrics and integrated circuit cards (ICCs)
This document summarizes how some of the main international standards and recommendations approach personal identification and its related information security, with regard to the integration of biometrics and integrated circuit cards (ICCs). It also provides examples of how biometrics and ICCs are integrated in applications.
Technologies de l'information — Normes et applications pour l’intégration des données biométriques et cartes à circuits intégrés
Standards Content (Sample)
TECHNICAL REPORT ISO/IEC TR 30117
Second edition
2021-08
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Relationships between biometrics and ICCs
5.1 Architectures for the joint use of biometrics and ICCs
5.2 Considerations to be addressed when designing the application
6 Data formats
6.1 General
6.2 Single modality plain biometric data formats
6.3 Encapsulation of multiple modalities and/or security mechanisms
6.4 ICC-specific definitions on biometric data formats
7 Privacy and security
8 Outside-ICC application development
8.1 General overview
8.2 Local applications
8.3 Client-server implementations
9 Use cases profiles
10 Technology evaluation
11 Implementing solutions merging the use of ICCs and biometrics
11.1 Spanish national ID card (DNIe)
11.1.1 General
11.1.2 Biometric services provided
11.1.3 Biometric modalities and data formats
11.1.4 Security mechanisms and operations
11.1.5 Evaluations and results
11.2 ePassport
11.2.1 General
11.2.2 Biometric services provided
11.2.3 Biometric modality and data formats
11.2.4 Security mechanisms and operations
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO's adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 17, Cards and security devices for personal identification.
This second edition cancels and replaces the first edition (ISO/IEC TR 30117:2014) which has been
technically revised.
The main changes compared to the previous edition are as follows:
— Addition and update of references to the related projects in all relevant standardization bodies.
— Addition to the Scope, to include not only on-card biometric comparison, but all other interactions
of biometrics and integrated circuit cards (ICCs).
— Addition of the example of the ePassport, which is a widely-deployed application using off-card
biometric comparison.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-committees.
Introduction
There are a large number of applications where the need for implementing jointly integrated circuit
cards (ICC) and biometrics can arise. In those cases, system designers and integrators need to be aware
of the range of international standards and technical reports that are applicable. All of these potential
reference documents have been developed by different standardization bodies and committees.
ISO/IEC JTC1 (Joint Technical Committee) subcommittees develop standards in the following areas:
ICCs:
ISO/IEC JTC 1 SC 17 (Information technology — Cards and security devices for personal identification)
Security aspects:
ISO/IEC JTC 1 SC 27 (Information technology — Information security, cybersecurity and privacy protection)
Biometrics:
ISO/IEC JTC 1 SC 37 (Information technology — Biometrics)
Other regional or sectoral standardization bodies are also applicable.
In this context, the system designer and developer have a large number of documents at their disposal,
but with little information about which of them is really applicable. There are no general rules, as
depending on the application, different alternatives are available.
This document provides information on the published documents and relates them to the kind of
application to be developed. When referring to different applications, these will be classified according
to the verification needs of the application, not to the final sector where the application is to be deployed.
Interactions among standards cover different implementation levels, from data formats to be used to
the application profiles, including application programming interfaces (APIs) and security mechanisms.
This document places special emphasis on providing recommendations and policies needed by
developers to integrate the use of both biometrics and ICCs in applications.
The structure of this document is as follows:
— Clause 5 provides a first overview to the different decisions that have to be taken when developing
an application that can involve the use of ICCs and biometrics.
— Clauses 6 to 10 provide an overview to the different International Standards and Technical Reports
that can be applicable to the application to be developed.
— Clause 11 provides examples of implementations that can be used by application designers and
developers as guidelines.
All ISO/IEC documents mentioned in this document are listed in the Bibliography at the end of this
document.
NOTE Future editions of this document will add more information about Biometric System-on-Card
technology and the use of the PBO command.
1 Scope
This document summarizes how some of the main international standards and recommendations
approach personal identification and its related information security, with regard to the integration of
biometrics and integrated circuit cards (ICCs). It also provides examples of how biometrics and ICCs are
integrated in applications.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 2382-37, Information technology — Vocabulary — Part 37: Biometrics
3 Terms and definitions
For the purpose of this document, the terms and definitions given in ISO/IEC 2382-37 and the following
apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
NOTE ISO/IEC 2382-37 is freely available at https://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
3.1
biometric template
set of stored biometric features comparable directly to probe biometric features
Note 1 to entry: In the ISO/IEC 7816 series, the term "template" has a completely different meaning, being in that
case the "value field of a constructed data object", regardless of whether the data object relates to biometrics or
not.
4 Symbols and abbreviated terms
APDU Application Protocol Data Unit
API Application Programming Interface
ASN.1 Abstract Syntax Notation One
BAC Basic Access Control
BDB Biometric Data Block (as defined in the ISO/IEC 19785 series)
BDIR Biometric Data Information Record
BFP Biometric Function Provider
BIAS Biometric Identity Assurance Services
BioAPI Biometric Application Programming Interface
BIR Biometric Information Record
BSoC Biometric System-on-Card
BSP Biometric Service Provider
CA Certification Authority
CBEFF Common Biometric Exchange Format Framework (defined in the ISO/IEC 19785 series)
CEN European Committee for Standardization
CENELEC European Committee for Electrotechnical Standardization
COS Card Operating System
DNI Documento Nacional de Identidad (Spanish National ID Card)
DO Data Object
EAC Extended Access Control
ICAO International Civil Aviation Organization
ICC Integrated Circuit Card
IFD Interface Device
LDS Logic Data Structure
MRTD Machine Readable Travel Document
NIST National Institute of Standards and Technology
PAD Presentation Attack Detection
PBO Perform Biometric Operation (command defined in ISO/IEC 7816-11)
PIV Personal Identity Verification (US Federal government-wide credential)
PKI Public Key Infrastructure
PP Protection Profile
REST Representational State Transfer
SOA Service Oriented Architecture
SOAP Simple Object Access Protocol
ST Security Target
TLV Tag Length Value (data coding format)
TR Technical Report
TS Technical Specification
WG Working Group
XML Extensible Markup Language
XSD XML Schema Definition
5 Relationships between biometrics and ICCs
5.1 Architectures for the joint use of biometrics and ICCs
ISO/IEC 24787 provides a comprehensive introduction to the different ways that biometrics and ICCs can
be integrated into a final application. It is summarized here to give the reader of this document a brief
introduction. When integrating biometrics into ICCs, four different approaches can be
followed:
— Off-card biometric comparison (see ISO/IEC 24787): The ICC stores the biometric reference but is
not directly involved in comparison processing. The IFD application reads the biometric reference
from the ICC, as needed, with biometric verification occurring external to the ICC.
— On-card biometric comparison (see ISO/IEC 24787): The ICC both stores the biometric reference
and performs biometric comparison against biometric probes supplied by the IFD. Security
controls employed by the ICC for this process include:
— Use of cryptography or other controls to prevent unauthorised access to the biometric reference
and associated processes; and
— Limiting the number of consecutive unsuccessful comparisons and blocking further comparison
attempts once a specified threshold has been reached.
— Work-sharing on-card biometric comparison (see ISO/IEC 24787): An implementation in which
comparison processing, and potentially sample pre-processing, is shared between ICC and external
system components.
— Biometric system-on-card (see ISO/IEC 24787 and the ISO/IEC 17839 series): The ICC contains a
complete reference storage, biometric sample capture and biometric comparison subsystem.
Such implementations are limited to modalities using small sensors and constrained processing
capabilities.
5.2 Considerations to be addressed when designing the application
With these four architectures in mind, the designer and/or developer takes several decisions in order to
define the whole system and the relationship between biometrics and ICCs. The following considerations
have to be taken into account. They are outlined in the following paragraphs and discussed further in
subsequent clauses in this document.
a) Is the system going to be implementing a verification scheme (i.e. the user claims his/her identity
and the comparison is only made between the sample provided and the biometric reference of the
claimed user), or an identification scheme (i.e. the biometric sample is to be compared to the whole
database of users enrolled)?
1) If an identification scheme is used, then there is no need for a further relationship between
biometrics and ICCs, and in such case this document is not applicable.
b) Is the system considering the use of a centralized database, or is it going to be implemented in a
distributed way?
1) If a centralized database is going to be used and such database is going to be contacted at
every single verification attempt, then there is no need for a further relationship between biometric
information and ICC. Therefore, this document is not applicable. The ICC will act
only as a means to claim the user identity.
c) Is there an initial requirement of the biometric modality to be used?
1) With an initial requirement, a set of further decisions can already be taken, such as the
possibility of using on-card biometric comparison, work-sharing on-card comparison or
biometric system-on-card.
2) If there is no initial requirement, the decision on the modality can be taken as any other
requirements are satisfied.
3) Once the modality is chosen, then the interoperable data formats have to be checked (see
Clause 6).
4) Once the modality is chosen, it can also be important to address whether the ICC is expected to
also support other biometric verification types on ICC (e.g. off-card comparison) for the same
modality.
NOTE The NIST SP 800-76-2 specification for the PIV card (see 5.4 Finger selection for details; further
referenced within Clause 9 of this document) describes an ICC platform with optional fingerprint on-card
comparison and mandatory storage of the fingerprint templates dedicated to off-card comparison.
It also addresses the subject stated above: using the same reference finger positions for the biometric
data enrolled for off-card comparison and for on-card comparison can lead to
security vulnerabilities if the off-card templates are read out by an inappropriate party. Therefore,
it recommends using different positions for off-card and on-card comparison reference templates.
However, it does not prohibit using the same positions, because of usability (the same two positions
have to be presented by the cardholder regardless of whether the off-card or on-card verification method is utilized).
5) In practice, multiple modalities can be used to address a higher level of security, flexibility
and also interoperability, i.e. face + fingerprints, where the latter enables interoperability at
compact format feature (minutiae) set level if face proprietary feature set encoding is used.
6) Although theoretically possible, the use of multiple biometrics in on-card biometric comparison
or in BSoC can raise usability issues. Not only can an excessive interaction be requested, but
also delays in decision taking can appear due to the increase in computational needs.
7) In either case, data quality control has to be considered for both the biometric reference and
the biometric probe, prior to applying any biometric operation.
d) What are the initial requirements of ICC’s resources?
1) If there is the requirement of using an ICC with insufficient processing capability, then
alternatives such as off-card comparison or work-sharing on-card comparison can be
compromised.
2) If there is the requirement of using an ICC with limited storage capacity, then the number of
references to be stored on the ICC, or the modalities to be used can be limited and/or the use
of compact data formats can become a major requirement (see Clause 6). Attention is drawn to
the fact that the limitations imposed by compact data formats also have to be considered (e.g.
the ISO/IEC 19794-2 compact card format maximum value for the minutiae x and y coordinates is
25,5 mm).
e) Steps to be followed to reach interoperability:
1) If there is no need, then the designer can decide to create his/her own solution without
following any standard. Therefore, this document cannot be applicable. This option is not
recommended as the need for interoperability can arise at any time during the project, or when
applying the development done for the current project to future ones.
2) If interoperability is required for exchanging data, then refer to Clause 6. As it will be seen, it
can happen that for reaching global interoperability in a specific modality, being independent
on the algorithm to be used, the use of captured sample data in standardized format can
become the only viable solution (e.g. the face image coded as ISO/IEC 19794-5, instead of a
proprietary feature-based information).
3) If interoperability is required to have multiple technological providers, then not only
data interoperability is requested, but also interoperability at API level and from security
mechanisms. See Clauses 7 and 8.
4) The use of more complex products, such as on-card biometric comparison ones or biometric
system-on-card, contributes to reaching interoperability, as there is only the need to focus on
data interoperability (and possibly security mechanisms), avoiding all the differences
coming from technological solutions at algorithm level.
5) In the use of biometrics, the quality of the data used plays a major role in the performance
and usability of the system. Data quality has to be analysed, so as to allow the system to reject
the input if a minimum quality threshold is not achieved. This is not only important for the
biometric probe, but even more important for the biometric reference. If the reference presents
low quality, then the performance of the rest of the verifications is compromised. Therefore,
the system designer has to be aware if there are some quality specifications for the application,
or if not, to define those for both enrolment and verification. Data quality thresholds can
be more restrictive for enrolment than for verification, to ensure a proper operation in the
daily use of the system. There are standards devoted to the definition of quality metrics for
several biometric modalities, such as the ISO/IEC 29794 series. Additionally, for the case of
on-card biometric comparison, there are also definitions in ISO/IEC 24787 regarding Minimal
Verification Quality DOs inside Biometric Comparison Parameters DO, as well as considerations
on the minimal reference / verification data quality to be addressed for the on-card comparison
engine on the ICC for enrolment or verification respectively.
6) When ICCs are in use, it is important to use interindustry APDU command exchange, so as to allow
a good level of interoperability. The ISO/IEC 7816 series (in particular Part 4) describes those
interindustry APDUs. Also, for some applications, there is even a workflow recommended
which has to be followed, such as the one described in ISO/IEC 24787 for on-card biometric
comparison. For example, when designing an application using on-card biometric comparison,
the interindustry APDU commands described in ISO/IEC 7816-4, ISO/IEC 7816-11, and
ISO/IEC 24787, are to be used for reaching interoperable on-card comparison implementations.
f) In many parts of the world, biometric data are considered personal data, and therefore are to be
protected so as to ensure citizens' privacy. Depending on the environment where the application is
going to be deployed, the use of security mechanisms becomes a major requirement. See Clause 7
for the work already done in this area.
g) The most typical scenario for designing and developing a new project involving ICCs and biometrics
is integrating technological modules from several providers. Furthermore, many project designers
require more than one provider for each technological module to be integrated. In this kind of
scenario, standardized APIs are to be used to ease integration. Clause 8 provides further details.
h) For certain applications there is the need of following already defined specifications. Clause 9
describes the current available specifications.
i) Either to select the technological modules to be integrated, or to provide final results to the end
user about the behaviour of the whole project, an evaluation methodology is required. Clause 10
describes the evaluation-related standards related to ICC, biometrics and security.
In addition to the above information, Clause 11 provides examples that could serve as guidance for
implementing ICC-based biometric solutions, based, or not, on ISO/IEC 24787.
6 Data formats
6.1 General
As long as data for exchanging are encapsulated in an ICC according to the ISO/IEC 7816 series, either
the biometric information template DO’7F60’ or the biometric information group template DO’7F61’
defined in ISO/IEC 7816-11 are considered.
As biometric data can contain information on one or more modalities, several options have to be
considered. The following sub-clauses detail those options, from the mono-modality version, to the
specific definitions already written for ICC-based applications.
6.2 Single modality plain biometric data formats
ISO/IEC JTC1 SC37 is in charge of developing standards that provide interoperable ways to code
biometric data, depending on the modality. Since its founding, three generations of the biometric data
formats have been generated. The first two generations have been published within the ISO/IEC 19794
series, while the third one is being published in the ISO/IEC 39794 series.
It is important to note that the differences introduced in each generation have made them not fully
compatible. The first generation was published in 2005-2007, while the second one was published
from 2011 and beyond. The typical process for ISO/IEC international standards is that, when a new
edition is published (i.e. a new generation), the previous one is considered deprecated. But for certain
parts of ISO/IEC 19794, the first edition (i.e. first generation) has been retained as published, as it is
currently used by some world-wide applications, such as the ePassport. In order to try to avoid further
deprecations, the third generation has been published under a new standard number, i.e. ISO/IEC 39794
series.
The structure of both the ISO/IEC 19794 series and the ISO/IEC 39794 series is the following:
— Part 1 provides a general framework to be applied to all the other parts. It defines the general
structure for the biometric data records and the common elements of such structure. It explains
that each biometric data information record (BDIR) is to be composed of a general header that
introduces the information to be followed, and one or more representations (i.e. biometric samples
from the same user and the same modality), each structured into a representation header and the
representation data. Part 1 defines those common elements of each of the headers. In a more generic
way, Part 1 specifies the following:
— general aspects for the usage of biometric data records;
— the processing levels and types of biometric data structures;
— a naming convention for biometric data structures;
— coding scheme for format types.
— Part 2 and successive parts provide the information about those extra elements to be added to the
different headers, plus the way the representation data are to be coded. This is done for each of the
modalities defined. Table 1 shows the relationships between each part and each generation.
Table 1 — Biometric modality standardized data formats (publication year)
| Part number | Title | 1st Generation (ISO/IEC 19794 ed1) | 2nd Generation (ISO/IEC 19794 ed2) | 3rd Generation (ISO/IEC 39794) |
|---|---|---|---|---|
| 2 | Finger minutiae data | 2005 | 2011 | Planned 2022 |
| 3 | Finger pattern spectral data | 2006 | - | - |
| 4 | Finger image data | 2005 | 2011 | 2019 |
| 5 | Face image data | 2005 | 2011 | 2019 |
| 6 | Iris image data | 2005 | 2011 | 2021 |
| 7 | Handwritten signature/sign time series data | 2007 | 2014 | |
| 8 | Finger pattern skeletal data | 2006 | 2011 | |
| 9 | Vascular image data | 2007 | 2011 | 2021 |
| 10 | Hand geometry silhouette data | 2007 | - | - |
| 11 | Handwritten signature processed dynamic data | - | 2013 | |
| 12 | Face identity data | - | - | - |
| 13 | Voice data | - | 2018 | |
| 14 | DNA data | - | 2013 | |
| 15 | Palm crease image data | - | 2017 | |
| 16 | Full body image data | - | - | 2021 |
| 17 | Gait image sequence data | - | - | 2021 |
For some of these modalities, more than one biometric data interchange format is defined. The main
differences between these formats for one modality are the amount of data and the computational
effort. Given an ICC's limited resources, i.e. size of storage and computational power, the selection
of the biometric data and its format requires consideration.
The differences between the ISO/IEC 19794 (and ISO/IEC 39794) generations mainly relate to two
aspects:
— Elements to be included and whether they are mandatory or optional. In between generations, the
need of adding/removing fields (typically adding), and making them either mandatory or optional
was detected. Sometimes the decision on making a field mandatory changed several times between
generations (e.g. some fields can be mandatory in the 2nd generation and then changed to optional
in the 3rd generation).
— How the information is coded into the BDIR:
— 1st generation: The coding was made purely binary, with no tags indicating which field is being
coded. Therefore, the order and length of fields was fixed, with no possible dynamic change.
This way of coding required adding some length fields and, in some cases, fields indicating
the presence or absence of further optional fields. Compact card formats are defined in
ISO/IEC 19794-2 and ISO/IEC 19794-7.
— 2nd generation: Two different kinds of coding are considered in this generation. The first one is
a binary one, similar to the one defined in the 1st generation. Unfortunately, as new fields were
included, and also some others changed their specification (including length), this binary coding
is incompatible with the one of the 1st generation. The second coding defined is an XML coding,
where all specified fields are defined within an XML schema. XML formats are unlikely to be
utilized within on-card comparison or other ICC-related systems due to common restrictions
on memory consumption within such ICCs.
— 3rd generation (specified in ISO/IEC 39794 instead of a new edition of ISO/IEC 19794): Noting
the lack of compatibility between the 1st and the 2nd generation, this 3rd generation has been
defined to allow future backward compatibility. This is the reason for calling this series of
standards "Extensible biometric data interchange formats". The formats are specified using
ASN.1, allowing implementations in TLV, and using XSDs.
6.3 Encapsulation of multiple modalities and/or security mechanisms
In addition to the data formats defined in ISO/IEC 19794 and ISO/IEC 39794 which are defined as to
include the information from a single user and a single modality, ISO/IEC JTC1 SC37 has also defined a
meta-structure called CBEFF (i.e. the ISO/IEC 19785 series of standards), that allows:
— the coding of biometric information from more than a single user;
NOTE 1 When multiple CBEFF BIR structures for multiple users are supported, new functions for an ICC
have to be required.
— the coding of biometric information from more than one modality; and
NOTE 2 When multiple CBEFF BIR structures are supported, new functions for an ICC have to be required.
— protecting biometric data by using security mechanisms that can cipher and/or authenticate the
data included in the CBEFF BIR structure.
A CBEFF BIR is composed of:
— a standard biometric header in a particular patron format (as defined in ISO/IEC 19785-1, with the
patron formats defined in ISO/IEC 19785-3). This header introduces the information embedded
into the BIR;
— the biometric data block (BDB), which can be a BDIR defined in ISO/IEC 19794 or ISO/IEC 39794;
and
— an optional security block (as defined in ISO/IEC 19785-1 and ISO/IEC 19785-4) that embeds the
data needed for protecting the biometric information.
CBEFF also allows multiple BDBs, by means of a multiple CBEFF BIR structure or a complex CBEFF BIR
structure. The former can contain multiple BIRs and the latter can contain multiple BDBs, each having
its own standard biometric header plus additional standard biometric headers that express the
relations among the BDBs.
The way that CBEFF records can be coded can change from one architecture to another. This is why
ISO/IEC 19785-3 defines several ways to code CBEFF records in what is called a patron format. There
are patron formats defined for binary coding, with different system word lengths, others for XML
coding, etc. Most of them are defined using ASN.1 formal language.
ISO/IEC 19785-3 defines two CBEFF TLV-encoded patron formats for use with ICCs or other tokens
(with either biometric off-card or biometric on-card comparison), which use different tag allocation
authority encoding approaches within Biometric Information Template data element.
— The first is ISO/IEC 19785-3:2020, Clause 11 "TLV-encoded patron format, for use with smartcards
or other tokens (with implicit tag allocation authority)", available since the first edition of
ISO/IEC 19785-3, dated 2007. It is a legacy format, as it restricts the independent
tag assignment by different ISO/IEC JTC1 SC37 and SC17 tag allocation authorities. It is used for
backwards compatibility with deployed and currently widely used off-card comparison (e.g.
ePassport) and old on-card comparison biometric solutions. This legacy CBEFF TLV-encoded
patron format does not utilize either card level (configuration data) or application level (biometric
algorithm parameters) optional on-card comparison data elements from ISO/IEC 24787. The format
uses ISO/IEC 19794 series modality-specific biometric algorithm parameters optional data elements
instead. The format itself is referenced by the preceding first editions of the ISO/IEC 7816-11 and
ISO/IEC 24787 on-card comparison dedicated standards.
— The second is ISO/IEC 19785-3:2020, Clause 19 "TLV-encoded patron format for ICCs and other
tokens (with explicit tag allocation authority)", introduced in the third CBEFF edition,
ISO/IEC 19785-3:2020, to resolve the preceding format restrictions. It is recommended to be used in
all future biometric on-card or off-card comparison solutions. This state-of-the-art TLV-encoded patron
format incorporates the current and possible future ISO/IEC 24787 on-card comparison enabled
card level (e.g. biometric functionality information) and application level (e.g. biometric comparison
parameters) optional data elements. It is also referenced by the most recent ISO/IEC 7816-11 and
ISO/IEC 24787 on-card comparison dedicated standards.
6.4 ICC-specific definitions on biometric data formats
ISO/IEC 7816-11 defines the PERFORM BIOMETRIC OPERATION (PBO) command and a supplemental
specification of the VERIFY command for biometric operation. The instruction byte (INS) of the PBO command
and the specification of the VERIFY command are defined in ISO/IEC 7816-4. ISO/IEC 7816-11 also defines
a biometric information template for encapsulating a CBEFF BIR. It covers the use of ICCs both in
on-card biometric comparison and in store-on-card solutions. It specifies a Biometric Information
Template through the use of standard TLV-encoded data elements.
As mentioned above, ISO/IEC 7816-11 specifies two different ways of representing that data. The first
one, defined from the 1st edition of the standard and kept for legacy reasons, is devoted to those cases
where the tags used are allocated implicitly. The second one is by explicitly indicating the tag allocation
authority used, which is to be used for all new developments. Both are specified in conformance
with ISO/IEC 19785-3:2020: Clause 11 for the implicit case and Clause 19 for the explicit
tag allocation authority.
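The TLV-encoded Biometric Information Template described above, as an added example that is not part of this document or of the standards it cites: a bounds-checked BER-TLV walk, as a terminal would apply to data read from a card, that separates the biometric header elements from the biometric data block. The tag values (7F60, A1, 5F2E/7F2E), the header element tags in the sample and all function names are assumptions not given on this page, and the sample bytes are constructed.

```python
# Tag values are assumptions (not stated on this page); sample bytes are constructed.
BIT, BHT, BDB_TAGS = 0x7F60, 0xA1, (0x5F2E, 0x7F2E)

def read_tlv(buf, pos):
    """Decode one BER-TLV at pos; return (tag, value, next_pos) or raise ValueError."""
    if pos >= len(buf):
        raise ValueError("truncated tag")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:                 # low five bits set: tag continues
        while True:
            if pos >= len(buf):
                raise ValueError("truncated tag")
            byte = buf[pos]
            tag, pos = (tag << 8) | byte, pos + 1
            if not byte & 0x80:            # bit 8 clear marks the last tag byte
                break
    if pos >= len(buf):
        raise ValueError("truncated length")
    length = buf[pos]
    pos += 1
    if length == 0x80 or length > 0x84:    # reject indefinite and >4-byte lengths
        raise ValueError("unsupported length form")
    if length & 0x80:                      # long form: low bits count length bytes
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):            # card-supplied length must fit the buffer
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Decode every TLV directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_bit(data):
    """Return (header elements by tag, biometric data block) for one BIT."""
    tag, body, end = read_tlv(data, 0)
    if tag != BIT or end != len(data):
        raise ValueError("expected exactly one Biometric Information Template")
    header, bdb = {}, None
    for tag, val in children(body):
        if tag == BHT:
            header = dict(children(val))
        elif tag in BDB_TAGS:
            bdb = val
    return header, bdb

SAMPLE = bytes.fromhex("7F6010" "A107" "810108" "87020101" "5F2E04" "DEADBEEF")
```

Every length field is checked against the remaining buffer before any slice is taken, so a truncated or oversized record is rejected instead of being partially interpreted.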
On the other hand, ISO/IEC 24787 introduces one off-card biometric comparison architecture and three
on-card biometric comparison architectures. It defines a framework for on-card biometric comparison,
e.g. biometric data, enrolment and comparison. It also defines security policies for on-card biometric
comparison. ISO/IEC 24787 enhances the specifications in ISO/IEC 7816-11, by providing requirements
for the biometric comparison while using a compliant on-card biometric verification. The system
has to encode public biometric information and private biometric data in an ISO/IEC 19785-3 and
ISO/IEC 7816-11 (also optionally ISO/IEC 19794 or the ISO/IEC 39794 series) standards compatible
manner. That biometric data is managed between IFD and ICC, and also internally within ICC
(e.g. verification retry counters) in an ISO/IEC 7816-11 and ISO/IEC 7816-4 compatible manner.
ISO/IEC 24787 also defines additional data elements for encoding of the on-card comparison enabled
card level (biometric functionality) information or application level (biometric comparison parameters)
information for appropriate security policies.
7 Privacy and security
Biometric data are considered in many scenarios as personal data, and protection of such data is
required. As already mentioned, CBEFF (i.e. ISO/IEC 19785-1) defines a security block. Such a security
block is intended to hold information for protecting the biometric data, e.g. a cryptographic checksum,
which provides integrity (authenticity). Furthermore, ISO/IEC 19785-4 specifies the format for the
security block. However, in order to reach interoperability, the international standards and reports developed
by ISO/IEC JTC1 SC27 have to be considered. ISO/IEC JTC1 SC27 encompasses security and privacy in all
information technology fields. Within its standards portfolio, the main ones related to biometrics are:
— Dealing with application design and security and privacy scenarios the following standards are
initiated, which will be further referenced in Clause 9:
— ISO/IEC 29100 on the privacy architecture framework;
— ISO/IEC 29101 on the privacy reference architecture;
— ISO/IEC 29146 on framework for access management;
— ISO/IEC 24760 on framework for identity management;
— ISO/IEC 29115 on entity authentication assurance framework;
— ISO/IEC 29191 on requirements for partially anonymous, partially unlinkable authentication;
— ISO/IEC 29190 on privacy capability assessment model;
— ISO/IEC 19792 on security evaluation of biometrics, which is also mentioned later in Clause 10.
— ISO/IEC 24761 on authentication context for biometrics (ACBio). It specifies the way that security
mechanisms are to be used, and how information is to be coded into the security block (as defined
in ISO/IEC 19785-1).
— ISO/IEC 24745 on biometric information protection, which specifies the way biometric information
can be used to achieve cancellable biometric references, i.e. what is also known in the industry as
“biometric template protection”.
— ISO/IEC 20889 on privacy enhancing data de-identification techniques.
— ISO/IEC 19989 series on criteria and methodology for security evaluation of biometric systems.
This series has the following parts:
— Part 1 specifying the framework.
— Part 2 specifying the performance in biometric recognition.
— Part 3 specifying the presentation attack detection (PAD).
— ISO/IEC 27553-1 on the security requirements for authentication using biometrics on mobile
devices.
In addition to CBEFF, ISO/IEC JTC1 SC37 has developed several standards related to security in
biometrics. The first one is a Technical Report (ISO/IEC TR 29156) on performance requirements to
meet security and usability needs in applications using biometrics. API-related standards, such as
Object Oriented BioAPI (ISO/IEC 30106 series), also provide requirements for securing biometric data.
But one of the most important series of standards related to security (from the point of view of ISO/IEC
JTC1 SC37) is the ISO/IEC 30107 series on biometric presentation attack detection (PAD), which has
been used by ISO/IEC JTC1 SC27 as a basis for the definition of ISO/IEC 19989-3. This series, currently
composed of four parts, provides specifications on how to detect those attacks at the presentation level
(e.g., spoofing samples or obfuscating attempts).
— Part 1 gives the framework, with the general definitions on the topic.
— Part 2 defines an interchangeable data format for enclosing PAD-related data, in case the PAD
decision has to be shared between systems.
— Part 3 provides the methodology to evaluate PAD capabilities of a biometric system.
— Part 4 refines such methodology to be applied to mobile systems.
For an ICC, ISO/IEC JTC1 SC17 provides ISO/IEC 7816-4 specifying security architecture mainly for
protecting data in an ICC, secure messaging for protecting command/response and basic security
handling
...







