ISO/IEC 24787:2010
Information technology - Identification cards - On-card biometric comparison
ISO/IEC 24787:2010 establishes requirements for performing comparisons of biometric samples and returning decisions on an integrated circuit card, and security policies for on-card biometric comparison. It also establishes commands and rules to permit pre-comparison computations to be done off-card. ISO/IEC 24787:2010 does not establish requirements for off-card comparison implementations, requirements for system-on-card implementations, or modality-specific requirements for storage and comparison.
Technologies de l'information — Cartes d'identification — Comparaison biométrique sur cartes
Frequently Asked Questions
ISO/IEC 24787:2010 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Identification cards - On-card biometric comparison".
ISO/IEC 24787:2010 is classified under the following ICS (International Classification for Standards) categories: 35.240.15 - Identification cards. Chip cards. Biometrics. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 24787:2010 has the following relationships with other standards: it has an inter-standard link to ISO/IEC 24787:2018. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 24787
First edition 2010-12-15
Information technology — Identification cards — On-card biometric comparison
Technologies de l'information — Cartes d'identification — Comparaison biométrique sur cartes
© ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Conformance
3 Normative references
4 Terms and definitions
5 Abbreviated terms
6 Architecture of biometric matching using an ICC
6.1 General
6.2 Off-card comparison
6.3 On-card comparison (sensor-off-card)
6.4 Work-sharing on-card comparison
6.5 System-on-card comparison
7 General framework for on-card comparison applications
7.1 Data for on-card comparison
7.1.1 General
7.1.2 Biometric reference object handling
7.1.3 Configuration data for biometric verification
7.1.4 Shared interface for multiple applications
7.1.5 Retry counter management
7.2 Standard processes for on-card comparison
7.2.1 Application identifier (AID) for on-card biometric comparison
7.2.2 Read biometric reference data
7.2.3 Enrolment
7.2.4 Verification
7.2.5 Termination of on-card comparison application
7.2.6 Comparison process and result output
7.2.7 Security requirements and biometric reference management
7.2.8 Threshold management
8 Work-sharing
8.1 Runtime work-sharing mechanism using WSR protocol
8.2 Work-sharing management
8.2.1 General
8.2.2 Work-sharing procedure discovery
8.2.3 Work-sharing procedure operation
Annex A (normative) Common TLV-structure of the file control parameter
Annex B (normative) Security policies for on-card biometric comparison
B.1 Introduction
B.2 Common security policies (CSP) for on-card biometric comparison
B.3 Security policies (SP1) for global comparison configuration data
B.4 Security policies (SP2) for local comparison configuration data
Annex C (informative) Sample APDU for on-card comparison
Annex D (informative) Software shareable interface for biometrics comparison
D.1 General
D.2 Shareable Interface Mechanism
Annex E (informative) Recommendation for security mechanisms in on-card comparison
E.1 General
E.2 Mutual authentication
E.3 Message integrity
E.4 Confidentiality
E.5 Prevention of replay attack using MAC with secret key
Annex F (informative) Architecture for work-sharing on-card comparison
F.1 General
F.2 Work-sharing architecture for on-card comparison
F.3 Types of work-sharing strategy used for on-card comparison
F.3.1 General
F.3.2 Pre-comparison computation
F.3.3 Work-sharing at runtime
F.4 Work-sharing computation protocol
Annex G (informative) Examples of implementations of on-card biometric comparison mechanisms
G.1 Introduction
G.2 Single Application, Homogeneous Usage
G.3 Single Application, Heterogeneous Usage
G.4 Multiple Applications
Annex H (informative) State diagram of a card performing a WSR session when needed
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
ISO/IEC 24787 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 17, Cards and personal identification.
Introduction
On-card biometric comparison, also known as on-card matching in ISO/IEC 7816-11:2004, is one
privacy-enhanced solution employing integrated circuit cards (ICCs) and biometric technologies, and provides
a more secure biometric authentication in that the biometric comparison process is executed inside the ICC. In
contrast with off-card comparison (off-card matching), on-card comparison does not need the biometric
reference data in the ICC to be transferred to interface devices. Therefore, even if the ICC is lost or stolen, the
biometric reference data stored on the ICC cannot be copied and remains private.
ISO/IEC 7816-11 and ISO/IEC 19785-3 cover technologies concerning off-card comparison and simple
on-card comparison. Most robust biometric comparison processes using biometric samples acquired in the
“real” world require high computational intensity. In contrast, CPU performance and other resources available
on the ICC progress more slowly because requirements for low power consumption, small geometry of the
chip, demand of low-cost cards and so on are obstacles to their more rapid advancement. Biometric sensors
embedded onto the ICCs are still presenting technical challenges.
As a result of these circumstances, industry requires a new International Standard for on-card comparison
excluding off-card and system-on-card comparison. This International Standard specifies the requirements of
and provides recommendations for the following:
⎯ architectural description of on-card comparison processes;
⎯ architectural description of work-sharing on-card comparison process that can reduce the work-load on
the ICCs by pre-processing computation;
⎯ management of threshold values and other security issues for on-card comparison.
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
draw attention to the fact that it is claimed that compliance with this document may involve the use of a patent
concerning work-sharing given in Clause 8.
ISO and IEC take no position concerning the evidence, validity and scope of this patent right.
The holder of this patent right has assured the ISO and IEC that he/she is willing to negotiate licences under
reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect,
the statement of the holder of this patent right is registered with ISO and IEC. Information may be obtained
from:
Exploit Technologies Pte Ltd.,
30 Biopolis Street,
#09-02 Matrix,
Singapore 138671
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all
such patent rights.
INTERNATIONAL STANDARD ISO/IEC 24787:2010(E)
Information technology — Identification cards — On-card
biometric comparison
1 Scope
This International Standard establishes
⎯ requirements for performing comparisons of biometric samples and returning decisions on an integrated
circuit card, and
⎯ security policies for on-card biometric comparison.
It also establishes commands and rules to permit pre-comparison computations to be done off-card.
This International Standard does not establish
⎯ requirements for off-card comparison implementations,
⎯ requirements for system-on-card implementations, or
⎯ modality-specific requirements for storage and comparison.
2 Conformance
An on-card comparison system claiming conformance to this International Standard shall conform to the
requirements of 7.1.2 to 7.1.5, 7.2.1 to 7.2.8, 8.1, and 8.2.2 to 8.2.3, as applicable.
A card conforming to this International Standard shall
1. Be personalized with two sets of data:
⎯ Biometric reference object handling data, as described in 7.1.2
⎯ Configuration data for biometric verification, as described in 7.1.3
2. Support a shared interface for ICCs with multiple applications, as described in 7.1.4
3. Support retry counter management, as described in 7.1.5
4. Comply with the requirements set forth in 7.2.1 and 7.2.8 for on-card comparison implementations
5. Comply with the requirements set forth in 8.1, 8.2.2 and 8.2.3 for work-sharing implementations.
Biometric authentication might coexist with other authentication mechanisms, such as PIN. The rules for such
coexistence shall comply with ISO/IEC 7816-4:2005.
The biometric data shall be organized and managed using either a file structure or data objects as per
ISO/IEC 7816-4.
a) If the biometric data is organized as a file structure then the system shall also be fully compliant with
the provisions in ISO/IEC 7816-11.
b) If the biometric data are organized and managed as data objects then the card shall comply with the
provisions in ISO/IEC 7816-4 for data object handling.
The encoding of biometric data objects shall comply with ISO/IEC 7816-11 and ISO/IEC 19785-3.
3 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 7816-4:2005, Identification cards — Integrated circuit cards — Part 4: Organization, security and
commands for interchange
ISO/IEC 7816-11:2004, Identification cards — Integrated circuit cards — Part 11: Personal verification through
biometric methods
ISO/IEC 19785-1, Information technology — Common Biometric Exchange Formats Framework — Part 1:
Data element specification
ISO/IEC 19785-3:2007, Information technology — Common Biometric Exchange Formats Framework —
Part 3: Patron format specifications
ISO/IEC 19794 (all parts), Information technology — Biometric data interchange formats
ISO/IEC 29794-1:2009, Information technology — Biometric sample quality — Part 1: Framework
4 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
4.1
auxiliary data
data that is dependent on biometric modality and related to the biometric reference but does not include the
biometric reference or a biometric sample
EXAMPLE Data such as orientation, scaling, etc.
4.2
biometric, adj.
of or having to do with biometrics
[SC37 SD2 Harmonised biometric vocabulary]
NOTE "biometric" is never used as a noun.
4.3
biometrics
automated recognition of individuals based on their behavioral and biological characteristics
[SC37 SD2 Harmonised biometric vocabulary]
4.4
biometric claim
claim that a biometric capture subject is or is not the bodily source of a specified or unspecified biometric
reference
[SC37 SD2 Harmonised biometric vocabulary]
4.5
biometric data
biometric sample or aggregations of biometric samples at any stage of processing, biometric reference,
biometric feature or biometric property
[SC37 SD2 Harmonised biometric vocabulary]
4.6
biometric data format
structure for representing biometric data
4.7
biometric information template
descriptive information regarding the associated biometric data
[ISO/IEC 7816-11:2004]
4.8
biometric product identifier
unique identifier registered with the registration authority in accordance with ISO/IEC 19785-1
4.9
biometric property
descriptive attributes of the biometric data subject estimated or derived from the biometric sample by
automated means
[SC37 SD2 Harmonised biometric vocabulary]
4.10
biometric reference
one or more stored biometric samples, biometric templates or biometric models attributed to a biometric data
subject and used for comparison
[SC37 SD2 Harmonised biometric vocabulary]
4.11
biometric verification system
system that aims to perform the process of confirming a biometric claim
[SC37 SD2 Harmonised biometric vocabulary]
4.12
installation
writing of the required parameters into the non-volatile memory inside an integrated circuit card (ICC) by the
card OS executing the installation procedure after the application has been uploaded to the ICC
4.13
on-card comparison
performing comparison and decision making on an integrated circuit card where the biometric reference data
is retained on-card in order to enhance security and privacy
4.14
off-card comparison
biometric comparison performed outside the card by the biometric verification system against the biometric
reference data stored on the card
4.15
pre-comparison computation
computation procedure executed outside the ICC that requires the (open) on-card auxiliary data to compute
metadata that can be used to speed up the subsequent on-card biometric data comparison process
4.16
work-sharing
splitting the computational work load of the comparison process between the card and the biometric
interfacing device
NOTE Work-sharing on-card comparison is one type of on-card comparison.
4.17
system-on-card
complete biometric verification system on a card, including data acquisition, processing and comparison
NOTE System-on-card comparison is one type of on-card comparison.
4.18
zeroize data
electronically stored data that have been degaussed, erased, or over-written
[ANSI X9.17]
5 Abbreviated terms
AID application identifier
ADF application dedicated file
APDU application protocol data unit
AUT authenticate
BER basic encoding rules
BIT biometric information template
CRT control reference template
CPU central processing unit
DF dedicated file
DF.CIA dedicated file, cryptographic information application
EF elementary file
FCI file control information
FCP file control parameter
FMR false match rate
ICC integrated circuit card
MAC message authentication code
MSE manage security environment
RFU reserved for future use
SW1-SW2 status bytes
TLV tag length value
WSCP work-sharing computation protocol
WSR work-sharing request
6 Architecture of biometric matching using an ICC
6.1 General
The following subclauses detail, for the purposes of illustration, four methods for allocating the biometric
matching functionality between an ISO/IEC 7816 conformant card and the biometric verification system. Only
6.3 and 6.4 are within the scope of this standard.
To perform enrolment, the biometric sample from the user is captured for biometric reference creation, then
the user's information is uploaded to the card. This does not apply to system-on-card comparison as
specified in 6.5.
6.2 Off-card comparison
Off-card comparison means the biometric verification is performed on the biometric verification system side.
The card acts as a storage device to store the biometric reference(s) of the user. Figure 1 provides a
schematic of the various process steps.
To perform verification, the biometric verification system will obtain access to the ICC and read the user's
biometric reference. The role of the biometric verification system is to capture the biometric sample and to
perform biometric verification. If the biometric verification is successful, the biometric verification system will
change its security status. This may include downloading further information from the card for a subsequent
transaction. If unsuccessful, further access will be denied.
Cryptography is usually used to mutually authenticate the card and the biometric verification system. To
protect the communication between the biometric verification system and the card, a secure channel should
be established prior to the transfer of any template or data.
EXAMPLE Consider a physical access system where the biometric reference and access code is stored on the ICC.
The biometric verification system reads the biometric reference from the card, and performs biometric verification. In case
of successful verification, it reads the access code from the card and sends it to the back end system that opens the door.
[Figure 1: block diagram; recoverable block labels: Data Capture, Image/Signal Processing, Comparison, Decision, Authorization, Reference Data, ICC]
Figure 1 — General architecture for biometric authentication using off-card matching
6.3 On-card comparison (sensor-off-card)
On-card comparison means the biometric sample verification is performed in the card. The process is
schematically represented in Figure 2. The ICC CPU should have sufficient processing power to perform the
matching. The enrolment process is the same as or similar to that for off-card matching.
To perform on-card comparison, the biometric verification system captures the biometric sample and extracts
biometric data. The created biometric data is then uploaded to the card for verification. The verification
process is executed on-card. If the biometric verification is successful the card’s security state is updated and
an appropriate signal sent to the back-end system.
In order to protect the communication between the biometric verification system and the card, a secure and
trusted channel is recommended (using Secure Messaging according to ISO/IEC 7816 and mechanisms
defined by ISO/IEC 24761 for distributed comparison verification).
EXAMPLE Consider a card with the ability to create digital signatures using a key that never leaves the card. A
request sent to the card to initiate the creation of a digital signature receives a response message of security status error.
This indicates to the user that verification is required. The user presents the required biometric sample to the biometric
verification system for creation of biometric data, which is transmitted to the ICC. The ICC then compares the newly
captured biometric data with the stored biometric reference, and in case of successful comparison, ICC updates the
security status that subsequently allows the ICC to create digital signature upon receiving the corresponding APDU
commands.
[Figure 2: block diagram; recoverable block labels: Data Capture, Image/Signal Processing, Comparison, Decision, Authorization, Reference Data, ICC]
Figure 2 — General architecture for biometric authentication using on-card matching
6.4 Work-sharing on-card comparison
Work-sharing on-card comparison is similar to on-card comparison except for the comparison procedure. The
process is schematically represented in Figure 3. This type of comparison is designed for an ICC that does
not have sufficient processing capability to execute the biometric data comparison. In this case, certain
activities that are computationally intensive, for example, a mathematical transformation, are sent to the
biometric verification system to perform the calculation. The result of the computation is sent back to the ICC
so that the final determination of the matching score is calculated on the card. During the pre-comparison
calculation, communication takes place between the card and the biometric verification system. A secure and
trusted channel is used to protect the communication between the terminal and the card unless the need for
such protection is explicitly not required for a particular operational environment. The final comparison shall be
performed in the card. A detailed description of the work-sharing architecture is given in Annex D.
Figure 3 — General architecture for biometric authentication using work-sharing
NOTE Work-sharing on-card comparison should only be considered when, with the biometric modality used, the
performance of the on-card comparison process is not good enough with regard to the required transaction time for a
given application.
6.5 System-on-card comparison
System-on-card comparison means the whole biometric sample verification process is performed on the card.
The process is schematically represented in Figure 4. To perform sensor-on-card comparison, a sensor that is
built into the card captures the biometric sample and extracts biometric data. The created biometric data is
then used for verification. The verification process is executed on-card. The card’s security state is updated
once the card finishes the verification. No biometric sample or reference data is transferred to or from the card.
Figure 4 — General architecture for biometric authentication using system-on-card matching
7 General framework for on-card comparison applications
7.1 Data for on-card comparison
7.1.1 General
Subclauses 7.1.2 to 7.1.5 specify the following features:
1) Biometric reference object handling
2) Configuration data for biometric verification
3) Shared interface for multiple applications
4) Retry counter management
7.1.2 Biometric reference object handling
For reasons of biometric reference interoperability, on-card comparison shall use the biometric data format as
defined in the relevant part of ISO/IEC 19794 series. An example is provided in Annex C.
Unless the need for biometric reference interoperability is explicitly not required for a particular operational
environment, biometric data formats as defined in the relevant part of the ISO/IEC 19794 series shall be
used.
NOTE Compact card formats as described in the relevant parts of ISO/IEC 19794 are recommended.
7.1.3 Configuration data for biometric verification
7.1.3.1 Data objects for configuration data
The configuration data for biometric verification consists of a set of data objects described in Table 1.
Retrieval of configuration data shall be subject to the access rules associated with the logical data structures
that store this information. If configuration data is available, it shall be stored into the BIT (ISO/IEC 7816-11).
This configuration data shall be coded, when present, within the 'B1' tag of BIT (see ISO/IEC 7816-11:2004),
as shown in Table 1.
Table 1: Data objects for configuration data elements
Tag | Length | Valid values | Description
'80' | '01' to '03' | | Maximum size of biometric verification data
'81' | '01' to '03' | | Maximum size of the biometric reference data
'82' | 1 | '00' – 'FF' | Supported number of biometric templates ('00' – no information given)
'83' | 1 | '00': No re-enrolment possible; '01': Re-enrolment possible; Other values: RFU | Flag indicating the possibility of re-enrolment
'85' | Var | As defined in ISO/IEC 29794-1 | Minimum verification data quality supported as defined in the relevant parts of the ISO/IEC 19794 and ISO/IEC 29794 series of standards.
'86' | 1 | | Initial value of the retry counter, indicating the supported maximum number of permitted verification attempts
'87' | Var | | Internal quality restrictions for performing the comparison
'8F' | Var | | Proprietary data
'90' | Var | see Table 5 | Types of biometric authentication and, if applicable, performance of the card
'A4' | 2 | As defined by the registration authority described in ISO/IEC 19785-2 | Reserve for future use, Algorithm ID as defined by SC 37
NOTE The encoding of other configuration parameters such as:
⎯ required security status to perform biometric verification;
⎯ required security status to perform biometric enrolment;
⎯ the security status set after positive verification
is out of the scope of this standard.
7.1.3.2 Biometric comparison algorithm parameters
Prior to biometric verification, a set of biometric comparison parameters should be read from the card.
Tables 2 and 3 define biometric comparison algorithm parameters in the BIT for on-card comparison
(tag ‘91’/‘B1’ in ISO/IEC 19785-3:2007, Table 11.1), where primitive parameters are headed by tag ‘91’, and
constructed parameters are headed by tag ‘B1’ and include total length.
Table 2: Data objects for biometric comparison algorithm parameters
Tag | Length | Valid values | Description
'81' | * | * | Minimum and maximum length of biometric data as defined in the relevant part of the ISO/IEC 19794 series of standards.
'82' | * | * | Ordering, if applicable, of the features in the biometric data as defined in the relevant part of the ISO/IEC 19794 series of standards.
'83' | * | * | Biometric data handling information as defined in the relevant part of the ISO/IEC 19794 series of standards.
'84' | * | * | Alignment information as defined in the relevant part of the ISO/IEC 19794 series of standards.
'85' | ** | ** | Minimum verification data quality supported (See Table 1)
'90' | 1 | see Table 5 | Authentication type and algorithm strength
'91' | 2 | '0001' – 'FFFF' | Maximum response time in milli-seconds
NOTE 1 “*” denotes that this variable is defined in the relevant part of ISO/IEC 19794 series of standards.
NOTE 2 “**” denotes that this variable is defined in the relevant parts of the ISO/IEC 19794 and ISO/IEC 29794 series
of standards.
On-card comparison may require access rules to be fulfilled, including any secure channel to protect the
transmission of APDU commands and responses, required for the completion of the process. The data fields
of these APDUs that convey biometric-related data to or from the card shall be encoded as specified in this standard.
The access rules and the secure messaging used to protect APDUs shall comply with ISO/IEC 7816-4.
A card performing a time-consuming operation has to support proper waiting time extensions according to ISO/IEC 7816-3.
Table 3: Authentication type and discriminative power
b7 b6 b5 b4 b3 b2 b1 b0 Meaning
x x Authentication type
0 0 Comparison on-card
0 1 Work sharing comparison on-card
1 0 System-on-card
1 1 RFU
x x x FMR claimed
0 0 0 No indication given
0 0 1 FMR grade 1 (largest)
0 1 0 FMR grade 2
0 1 1 FMR grade 3
1 0 0 FMR grade 4
1 0 1 FMR grade 5
1 1 0 FMR grade 6 (smallest)
1 1 1 RFU
x x x RFU
A manufacturer shall declare the FMR value for their stated grading. Table 4 is an example of an FMR grading
scale.
Table 4: Example for FMR grading
FMR grade 1 FMR < 0.1
FMR grade 2 FMR < 0.01
FMR grade 3 FMR < 0.001
FMR grade 4 FMR < 0.0001
FMR grade 5 FMR < 0.00001
FMR grade 6 FMR < 0.000001
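The configuration data objects of Table 1 and the authentication-type byte of Table 3, decoded by a terminal-side parser that flags RFU values and malformed lengths before trusting what a card declares. This is an added example, not code from the standard. It assumes single-byte tags with BER short or long length forms, big-endian sizes, that the first byte of tag '90' is the Table 3 byte, and that the Table 3 fields are laid out as b7-b6, b5-b3 and b2-b0; the sample bytes are constructed.

```python
# Added example: decodes the Table 1 configuration data objects.
# Assumptions (not stated on the page): single-byte tags, BER short/long
# length forms, sizes encoded big-endian, and the Table 3 fields laid out
# as b7-b6 (authentication type), b5-b3 (FMR claimed), b2-b0 (RFU).

AUTH_TYPES = {0: "Comparison on-card", 1: "Work sharing comparison on-card",
              2: "System-on-card"}


def read_tlvs(buf):
    """Split bytes into (tag, value) pairs, rejecting malformed encodings."""
    items, i = [], 0
    while i < len(buf):
        tag = buf[i]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tag not expected at offset %d" % i)
        if i + 1 >= len(buf):
            raise ValueError("missing length after tag %02X" % tag)
        length = buf[i + 1]
        i += 2
        if length & 0x80:                      # long form: 81 nn or 82 nn nn
            n = length & 0x7F
            if n not in (1, 2) or i + n > len(buf):
                raise ValueError("bad long-form length after tag %02X" % tag)
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if i + length > len(buf):
            raise ValueError("value of tag %02X overruns the buffer" % tag)
        items.append((tag, buf[i:i + length]))
        i += length
    return items


def decode_auth_byte(b):
    """Decode the Table 3 byte; returns (fields, warnings)."""
    fields, warnings = {}, []
    auth, fmr, rfu = (b >> 6) & 0x03, (b >> 3) & 0x07, b & 0x07
    if auth == 3:
        warnings.append("authentication type uses RFU value")
    fields["auth_type"] = AUTH_TYPES.get(auth)
    if fmr == 7:
        warnings.append("FMR grade uses RFU value")
    fields["fmr_grade"] = fmr if 1 <= fmr <= 6 else None   # 0 = no indication
    if rfu:
        warnings.append("RFU bits are not zero")
    return fields, warnings


def parse_config(data):
    """Parse a 'B1' template holding Table 1 data objects."""
    outer = read_tlvs(data)
    if len(outer) != 1 or outer[0][0] != 0xB1:
        raise ValueError("expected exactly one 'B1' template")
    cfg, warnings = {}, []
    sizes = {0x80: "max_verification_data_size", 0x81: "max_reference_data_size"}
    single = {0x82: "supported_templates", 0x86: "retry_counter_initial"}
    for tag, val in read_tlvs(outer[0][1]):
        if tag in sizes:
            if not 1 <= len(val) <= 3:
                warnings.append("tag %02X: length outside '01' to '03'" % tag)
            cfg[sizes[tag]] = int.from_bytes(val, "big")
        elif tag in single or tag == 0x83:
            if len(val) != 1:
                warnings.append("tag %02X: length must be 1" % tag)
                continue
            if tag == 0x83:
                if val[0] > 1:
                    warnings.append("tag 83: RFU value %02X" % val[0])
                cfg["re_enrolment_possible"] = val[0] == 1
            else:
                cfg[single[tag]] = val[0]
        elif tag == 0x90 and val:
            fields, w = decode_auth_byte(val[0])
            cfg.update(fields)
            warnings.extend(w)
        else:                                  # '85', '87', '8F', 'A4', unknown
            cfg.setdefault("other", {})["%02X" % tag] = val.hex()
    return cfg, warnings


# Constructed sample inputs (not taken from a real card).
GOOD = bytes.fromhex("B1 14 80 02 02 00 81 02 04 00 82 01 02 83 01 01 86 01 05 90 01 60")
BAD = bytes.fromhex("B1 06 83 01 02 90 01 FF")

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(parse_config(sample))
```

A terminal that reads these values over an unprotected channel should treat them as claims by the card; warnings such as RFU values are a reason to refuse the card rather than to guess.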
7.1.3.3 Biometric product identifier
The biometric product identifier shall be an integer within the range 1 to 65535 and shall be registered with the
registration authority in accordance with ISO/IEC 19785-1.
7.1.4 Shared interface for multiple applications
7.1.4.1 General
A possible requirement in an interoperable on-card comparison system is to use one single biometric
reference, for example, a minutiae template, in different applications using different configuration data. This
requirement is implemented with the use of access rules references and data elements as defined in
ISO/IEC 7816 and other biometrics-related standards for sharing information among independent applications.
This value is provided to enable the system designer to set different comparison levels for different applications with the specific on-card
comparison product.
7.1.4.1.1 Comparison information
A biometric on-card comparison system might require additional parameters, for example:
⎯ Pointer to the biometric reference
⎯ Comparison parameters, for example:
⎯ Template format
⎯ Algorithm to be used
⎯ Threshold parameters
The maximal score of the comparison can be determined, or the comparison can return a positive result
as soon as the threshold has been passed.
There is a 1-to-1 relation between these parameters and the key numbers which are defined in Annex A.
Therefore it is possible to attach the parameters to the key number.
7.1.4.2 File control parameter
The file control parameter (FCP) as contained in Tables A.1 to A.3, according to ISO/IEC 7816-4, shall be
required for every application dedicated file (ADF), dedicated file (DF) or elementary file (EF) in the card.
Depending on the command parameters, the FCP shall be returned after a successful SELECT APDU. The
FCP shall include access rule references according to 7.1.4.3. The tables in Annex A summarize the common
TLV-structure of the FCI for a DF or EF.
7.1.4.3 Access rules
An access rule shall determine which security conditions (SC) have to be met in order to enable the access to
protected resources of the card for a specific access mode. The “NEVER” access rule shall be associated with
reading operations dealing with the biometric reference. For cards compliant with this standard, access rules
shall be encoded according to ISO/IEC 7816-4 by associating security conditions to access modes for the
card logical data structures to be protected. Once these security conditions are met, the external application
will obtain the security status required for the card to consider access to the protected data structure for the
associated access mode.
NOTE The “NEVER” access rule is defined in ISO/IEC 7816-4:2005, Tables 20 and 23.
When encoding access rules in a card compliant with this standard the following applies:
Access rules may be associated with any ADF, DF, and EF as well as with protected Data Objects.
For the on-card biometric comparison application, the FCP associated with the ADF storing the application
may encode the access rules to perform the on-card biometric comparison.
For any other application resident in the card, access rules may contain a reference to an authentication
control reference template (CRT AUT) storing the data object biometric information template “7F60” as per
ISO/IEC 7816-11.
If required, the retrieval of the biometric information template (BIT) shall be protected using secure messaging
templates according to ISO/IEC 7816-11.
NOTE “Access rules” are defined in ISO/IEC 7816-4.
7.1.4.4 Double indirection
Double indirection is an optional functionality that a card compliant with this standard may offer only when it
does not support any high security application according to 7.2.8 and Annex B requirements. Double
indirection refers to the ability to proceed to an on-card biometric comparison using different configurations, as
set down by the corresponding different access rules.
ISO/IEC 7816-4 offers different possibilities for the specification of the access rules that may apply for the
interoperable implementation of the double indirection functionality. Thus, an access rule encodes (in either
compact or expanded format as per ISO/IEC 7816-4) the relationships between the access modes for those
commands referring to a biometric reference and the required security conditions to be fulfilled. According to
ISO/IEC 7816-4 these security conditions may refer to an application security environment with an
authentication control reference template. This mechanism enables different applications to specify different
access rules for biometrics verification operations with the same biometrics reference.
Figure 5 — Example of sharing references and biometric references
7.1.4.5 Usage of security environment
The key number used in MSE SET determines
⎯ Reference template
⎯ Security level
In ISO/IEC 7816-4:2005 a usage qualifier for biometric authentication is defined (‘04’, see Table 35 of that
standard).
The sequence for performing a biometric comparison is given in ISO/IEC 7816-11:2004, Annex B (see
Figure 6, reproduced from Figure B.6 of that standard).
Figure 6 — Commands for verification without secure messaging (example)
However, ISO/IEC 7816-11 does not specify how the biometric reference and comparison parameters are
stored internally because the complete enrolment process is not specified in that document.
In ISO/IEC 7816-4:2005 the following data objects are defined in Table 33:
⎯ '80' Cryptographic mechanism reference
⎯ File and key references
    ⎯ '81' — File reference (same encoding as ISO/IEC 7816-4:2005, 5.3.1.2)
    ⎯ '82' — DF name (see ISO/IEC 7816-4:2005, 5.3.1.1)
    ⎯ '83' — Reference of a secret key (for direct use)
        ⎯ Reference of a public key
        ⎯ Qualifier of reference data
    ⎯ '84' — Reference for computing a session key
        ⎯ Reference of a private key
⎯ 'A3' Key usage template (see ISO/IEC 7816-4:2005)
⎯ Initial data reference: not applicable
7.1.5 Retry counter management
Retry counter management defines the policies for managing the retry counter mechanisms. The policies are:
a) The biometric comparison process of the cardholder shall be under the control of a retry counter which
determines if the verification process may continue to be used with a given biometric reference.
b) An initial value of the retry counter shall be associated to the on-card biometric reference.
c) This association may be encoded using ISO/IEC 7816-15 sub-class attributes assigned to a
Biometric Data Info Object as defined in ISO/IEC 7816-15.
d) If the verification fails, the retry counter shall be decremented by one and an error status that
contains the remaining attempts shall be returned by the application.
e) The number of allowed retries may be encoded in the status bytes SW1-SW2= “63CX” (where X is
the remaining number) of a response to a VERIFY command where the data field is absent
according to ISO/IEC 7816-4.
f) A successful verification of the biometrics reference shall reset the associated retry counter to its
initial value.
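The retry counter policies a) to f) above, modelled in Python on both the card side and the host side. This is an added example, not text or code from ISO/IEC 24787: the class, method and parameter names and the score-against-threshold comparison are assumptions, and the status words '9000' and '6983' come from ISO/IEC 7816-4 rather than from this clause.

```python
"""Added illustration of the retry counter policies a) to f) in 7.1.5.
All names here are hypothetical and do not come from ISO/IEC 24787."""

SW_OK = 0x9000       # normal processing (ISO/IEC 7816-4)
SW_BLOCKED = 0x6983  # authentication method blocked (ISO/IEC 7816-4)


class BiometricReference:
    """Card-side model: one biometric reference with its own retry counter."""

    def __init__(self, threshold, initial_retries):
        # X in SW1-SW2 = 63CX is a single hex digit, so at most 15 attempts.
        if not 1 <= initial_retries <= 15:
            raise ValueError("initial retry counter must be in 1..15")
        self.threshold = threshold
        self.initial_retries = initial_retries  # policy b): bound to the reference
        self.retries = initial_retries

    def verify(self, score=None):
        """Return SW1-SW2 for a VERIFY command.

        score is the comparison score of the presented sample (assumed to be
        produced by the on-card comparator); None models a VERIFY command
        whose data field is absent.
        """
        if self.retries == 0:
            return SW_BLOCKED                    # policy a): reference unusable
        if score is None:
            return 0x63C0 | self.retries         # policy e): report, no decrement
        if score >= self.threshold:
            self.retries = self.initial_retries  # policy f): reset on success
            return SW_OK
        self.retries -= 1                        # policy d): decrement by one
        return 0x63C0 | self.retries             # policy d): remaining attempts


def remaining_attempts(sw):
    """Host side: return X from SW1-SW2 = 63CX, or None for any other status."""
    return sw & 0x000F if sw & 0xFFF0 == 0x63C0 else None
```

The failed attempt that exhausts the counter still answers '63C0'; only later VERIFY commands, including ones that would have matched, receive '6983'.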
7.2 Standard processes for on-card comparison
7.2.1 Application identifier (AID) for on-card biometric comparison
The card shall support an AID. When the on-card biometric comparison is implemented as an independent
application, it shall be identified by an AID according to ISO/IEC 7816-4. The on-card comparison application
may be selected by this AID ‘E8 28 81 C1 53 00’.
NOTE The AID is derived from the standard's object identifier according to ISO/IEC 7816-4, 8.2.1.2 and Annex A.
7.2.2 Read biometric reference data
In an on-card comparison application, read access to the biometric reference to be used for comparison shall
not be granted. Auxiliary data (open) related to the biometric reference may be read according to the needs of
the application.
7.2.3 Enrolment
Enrolment is the process through which a biometric reference is created and stored. In on-card comparison
systems, this process shall involve:
1) transmitting one or more biometric templates to the ICC and storing them there,
2) transmitting and storing any other par
...







