ISO/IEC 7816-11:2004

INTERNATIONAL ISO/IEC
STANDARD 7816-11
First edition
2004-04-01
Identification cards — Integrated circuit
cards —
Part 11:
Personal verification through biometric
methods
Cartes d'identification — Cartes à circuit intégré —
Partie 11: Vérification personnelle par méthodes biométriques

Reference number
©
ISO/IEC 2004
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2004 – All rights reserved

Contents Page
Foreword. iv
Introduction . v
1 Scope. 1
2 Normative references . 1
3 Terms and definitions. 1
4 Abbreviated terms. 2
5 Commands for biometric verification processes . 2
5.1 Commands to retrieve biometric information. 2
5.2 Command for a static biometric verification process. 3
5.3 Commands for a dynamic biometric verification process. 3
6 Data elements. 3
6.1 Biometric information. 3
6.2 Biometric data . 5
6.3 Verification requirement information. 6
Annex A (informative) Biometric verification process. 8
Annex B (informative) Examples for enrollment and verification. 13
Annex C (informative) Biometric information data objects. 19
Annex D (informative) Usage of Secure Messaging Templates. 29
Bibliography . 33

© ISO/IEC 2004 – All rights reserved iii

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 7816-11 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 17, Cards and personal identification.
ISO/IEC 7816 consists of the following parts, under the general title Identification cards — Integrated circuit
cards:
 Part 1: Cards with contacts — Physical characteristics
 Part 2: Cards with contacts — Dimensions and location of the contacts
 Part 3: Cards with contacts — Electrical interface and transmission protocols
 Part 4: Organization, security and commands for interchange
 Part 5: Registration of application providers
 Part 6: Interindustry data elements for interchange
 Part 7: Interindustry Commands for Structured Card Query Language (SCQL)
 Part 8: Commands for security operations
 Part 9: Commands for card management
 Part 10: Cards with contacts — Electronic signals and answer to reset for synchronous cards
 Part 11: Personal verification through biometric methods
 Part 15: Cryptographic information application

iv © ISO/IEC 2004 – All rights reserved

Introduction
This part of ISO/IEC 7816 is one of a series of standards describing the parameters for integrated circuit(s)
cards with contacts and the use of such cards for international interchange.
This part of ISO/IEC 7816 may also apply to contactless cards.

© ISO/IEC 2004 – All rights reserved v

INTERNATIONAL STANDARD ISO/IEC 7816-11:2004(E)

Identification cards — Integrated circuit cards with contacts —
Part 11:
Personal verification through biometric methods
1 Scope
This part of ISO/IEC 7816 specifies security related interindustry commands to be used for personal
verification with biometric methods in integrated circuit(s) cards. It also defines the data structure and data
access methods for use of the card as a carrier of the biometric reference data and/or as the device to
perform the verification of a personal biometric (on-card matching). Identification of persons using biometric
methods is outside the scope of this standard.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 7816-4:2003, Identification cards — Integrated circuit cards with contacts — Part 4: Organization,
security and commands for interchange
ISO/IEC CD 19785:2003, Information technology — Common Biometric Exchange Framework Format
(CBEFF)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
biometric data
data encoding a feature or features used in biometric verification
3.2
biometric information
information needed by the outside world to construct the verification data
3.3
biometric reference data
data stored on the card for the purpose of comparison with the biometric verification data
3.4
biometric verification
process of verifying by a one-to-one comparison of the biometric verification data against biometric reference
data
3.5
biometric verification data
data acquired during a verification process for the comparison with the biometric reference data
© ISO/IEC 2004 – All rights reserved 1

3.6
template
as defined in ISO/IEC 7816-4
WARNING — The term “template” means the value field of a constructed data object. It should not be
confused with a processed biometric data sample.
4 Abbreviated terms
For the purpose of this part of ISO/IEC 7816, the following abbreviations apply.
AID Application Identifier
AT Authentication Template
BER Basic Encoding Rules
BIT Biometric Information Template
BD Biometric Data
BDP BD in proprietary format
BDS BD in standardized format
BDT Biometric Data Template
CCT Cryptographic Checksum Template
CRT Control Reference Template
CT Confidentiality Template
DE Data Element
DF Dedicated File
DO Data Object
DST Digital Signature Template
EFID Elementary File ID
FCI File Control Information
ID Identifier
L Length
OID Object Identifier
RD Reference Data
SE Security Environment
SM Secure Messaging
TLV Tag-Length-Value
UQ Usage Qualifier
VIDO Verification requirement Information Data Object
VIT Verification requirement Information Template
5 Commands for biometric verification processes
Commands for retrieval, verification and authentication defined in ISO/IEC 7816-4 are used for biometric
verification. Biometric data (e.g. face features, ear shape, fingerprint, speech pattern, voice print, key stroke)
may need protection against replay or presentation of verification data derived from original biometric data
(e.g. a fingerprint, a face photo). A method to prevent this kind of attack is to send the verification data to the
card with a cryptographic checksum or a digital signature applying secure messaging as defined in
ISO/IEC 7816-4. Likewise, secure messaging may be used to guarantee the authenticity of the biometric data
retrieved from the card.
5.1 Commands to retrieve biometric information
The commands as specified in ISO/IEC 7816-4 in the clause related to data referencing shall be used for the
retrieval of biometric information.
2 © ISO/IEC 2004 – All rights reserved

5.2 Command for a static biometric verification process
The command to be used for a static verification process (see Annex A) is the VERIFY command as specified
in ISO/IEC 7816-4. The information to be conveyed is
 biometric reference data identifier (i.e. the qualifier of the reference data)
 biometric verification data.
The biometric verification data may be encoded as BER-TLV data objects (see Table 2). The CLA byte may
indicate that the command data field is BER-TLV coded (see ISO/IEC 7816-4).
For combined biometric schemes, command chaining as defined in ISO/IEC 7816-8 may be used.
5.3 Commands for a dynamic biometric verification process
To get a challenge, to which a user response is required (see Annex A), the GET CHALLENGE command
shall be used.
The type of challenge in a biometric verification process, e.g. a phrase for voiceprint or a phrase for keystroke,
depends on the biometric algorithm, which can be specified in P1 of the GET CHALLENGE command (see
ISO/IEC 7816-4). The respective algorithm may be selected alternatively by using the MANAGE SECURITY
ENVIRONMENT command (e.g. SET option with CRT AT and DO usage qualifier and DO algorithm id in the
data field).
After a successful GET CHALLENGE command, an EXTERNAL AUTHENTICATE command is sent to the
card. The command data field conveys the relevant biometric verification data. For coding of the biometric
verification data, the same principles apply as for the VERIFY command, see 5.1.
6 Data elements
6.1 Biometric information
The Biometric Information Template (BIT) provides descriptive information regarding the associated biometric
data. It is provided by the card in response to a retrieval command prior to a verification process. Table 1
defines biometric information DOs.
© ISO/IEC 2004 – All rights reserved 3

Table 1 — Biometric information DOs
Tag L Value Presence
‘7F60’ Var. Biometric Information Template (BIT)
Tag L Value
‘80’ 1 Algorithm reference for use in the VERIFY / EXT. AUTHENTICATE / Optional
MANAGE SE command
’83’ 1 Reference data qualifier for use in the VERIFY / EXT. AUTH. / Optional
MANAGE SE command
‘A0’ Var. Biometric information DOs defined in this standard Optional
Tag allocation authority (see ISO/IEC 7816-6): One of
these DOs
‘06’ Var. - Object identifier (OID)
is
’41’ Var. - Country authority (see ISO/IEC 7816-4)
mandatory,
’42’ Var. - Issuer (see ISO/IEC 7816-4)
if ‘A1’ is
’4F’ Var. - Application Identifier (AID), identifies the application and its
present
provider
(see ISO/IEC 7816-4)
The default tag allocation authority is ISO/IEC JTC1/SC37.
‘A1’ Var. Biometric information DOs specified by the tag allocation authority Mandatory,
(mandatory indication, see above). if ‘A0’ is not
See also example in Annex C present
Tag L Value
DOs defined by the tag allocation authority
‘8x’/ ‘Ax’ Var. . (primitive / constructed) DO
‘9x’/ ’Bx’ Var. . (primitive / constructed) dependent

NOTE In case the card does not perform the verification process, the Biometric Information Template may also
contain the biometric reference data (see Table 3) and possibly discretionary data (tag ‘53’ or ‘73’) e.g. for data to be
delivered to a service system, if verification is positive (see Annex C).
If several BITs are present within the same application, then they shall be grouped as shown in Table 2.
Table 2 — BIT group template
Tag L Value Presence
‘7F61’ Var. BIT group template
Tag L Value
'02' Var. Number of BITs in the group Mandatory
’7F60’ Var. BIT 1 Conditional
...
‘7F60’ Var. BIT n Conditional
A BIT group template can be recovered e.g. by
 a GET DATA command
 reading out of a file in the corresponding DF, EFID found in the FCI, or
 reading an SE template (see ISO/IEC 7816-4), in which the BIT group template is stored.
4 © ISO/IEC 2004 – All rights reserved

6.2 Biometric data
Biometric data (biometric verification data, biometric reference data) may be presented
 as a concatenation of data elements,
 within a biometric data DO as defined in ISO/IEC 7816-6, or
 as concatenation of DOs within a biometric data template, see Table 3.
Table 3 — Biometric data DOs
Tag L Value Presence
‘5F2E’ Var. Biometric data
‘7F2E’ Var. Biometric data template
Tag L Value
‘5F2E’ Var. Biometric data At least one of
these DOs is
‘81’ / Var. Biometric data with standardised format (primitive /
present, if the
‘A1’ constructed)
template is
used
‘82’ / Var. Biometric data with proprietary format (primitive /
‘A2’ constructed)
As shown in Table 3, biometric data may be split up in a part with standard format and in a part with
proprietary format, whereby the part with the proprietary format may be used, e.g. for achieving a better
performance. The usage of biometric data with standardized and proprietary formats is shown in Figure 1.
Structure and coding of biometric data are biometric type (e.g. facial features, fingerprint) dependent and out
of scope of this standard.
© ISO/IEC 2004 – All rights reserved 5

A, A, B = AlB = Algorigoritthmhm t tyyppee
IFIFDD
VERIVERIFFY* Y*
BD  BD  = Bio= Biommeettricric Data Data
CarCardd
wiwitthh
BDP =BDP = BD in BD in propproprietarietarryy
wwiith mth maatctchhiing ng
ffeatureature ee exxtrtracactiontion
foforrmmaatt
aallgorgoriitthmhm AA
alalgorgorithmithm AA
BDS =BDS = BD in BD in ssttaandandardisrdiseded
foforrmmaatt
BDTBDT = = BD BD TTeemmppllaatete
* =* = VVereriifficicatiatioon data:n data: TT,, L = L = TTaagg,, Le Lengthngth
BBDD i inn ssttan-an- BBDD i inn pr propoprriiee--
LL LL LL
T.T.BDBDTT T.T.BDBDSS T.T.BDBDPP
dardardidised fsed foorrmmatat tatarryy ffoorrmmatat ofof A  A
IFDIFD
VERIVERIFFY* Y*
TThhe me maatctchihing ang allgogorithrithmmss
CarCardd
wiwitthh
A A andand B be B belonlongg toto the the
wwiith mth maatctchhiingng
ffeatureaturee e exxtrtractiactionon
ssaammee b biioommetrietric tc tyypepe, bu, but t
aallgorgoriitthmhm BB
alalggoorriithmthm AA
ususee ddiiffffeerreentnt p prropoprriietetaarryy
bbiiomometrietric dc daatata e.ge.g. f foor r
ppeerfrformormaannccee upg upgraderade. .
HHoowweevveer, bor, both ath arre ce capaapableble
* =* = VVereriifficicatiatioon data:n data:
ooff co commpputiuting tng the verihe veriffiicaca--
BD iBD inn stan-stan-
ttiionon resresuult usilt using onlng onlyy ththe e
LL LL
T.T.BDBDTT T.T.BDBDSS
BD iBD inn th thee sstantandarddardiisesed d
ddaardrdiseisedd f foormarmatt
foforrmmaatt.
Figure 1 — Use of biometric data with standardized and proprietary structure
6.3 Verification requirement information
6.3.1 Purpose
The current verification requirement is provided either by
 the verification requirement information data object VIDO (tag ‘96’, short format), or
 the verification requirement information template VIT (tag ‘A6’, long format).
VIDO or VIT, if present, is part of the file control parameter information of the respective DF or stored in a FCI
extension file as defined in ISO/IEC 7816-4. VIDO and VIT contain information, which indicate whether the
reference data for user verification (i.e. passwords and/or biometric data) are
 enabled or disabled and
 usable or unusable.
NOTE Usually the enabled/disabled flag is under control of the cardholder, the usable/unusable flag under control of
the application provider.
6.3.2 VIDO – the short format
The first byte of the VIDO (see Table 4) indicates by bit map which keys (i.e. reference data for user
verification) are enabled (bit set to 1) or disabled (bit set to 0). The second byte indicates by bit map which
keys are usable (bit set to 1) or unusable (bit set to 0). Each of the following bytes are key references. The
first key reference corresponds to bit b8 of the bit maps, the second key reference to bit b7, and so on. The
number of key references is given implicitly by the length of the VIDO, e.g. when L is less than or equal to 10,
the number of key references is L-2.
6 © ISO/IEC 2004 – All rights reserved

Table 4 — VIDO structure
VIDO L Enabled / Usable / Key Key .
Tag disabled unusable Ref. Ref.
Flags Flags
‘96’ Var. ‘xx’ ‘xx’ ‘xx’ ‘xx’ .
6.3.3 VIT – the long format
The VIT presents the information in long format, whereby additional information can be provided in the usage
qualifier DO. The DOs, which may occur in a VIT, are shown in Table 5.
Table 5 — Verification requirement information template (VIT) and embedded DOs
Tag L Value
‘A6’ Var. Verification requirement information template
Tag L Value
’90’ 1 Enabled/disabled flags (Flag DO)
’95’ 1 Usage qualifier as defined in ISO/IEC 7816-4
’83’ 1 Key reference
The enabled/disabled flags DO is mandatory. At least one key reference DO shall be present. Each key
reference DO may be preceded by an associated usage qualifier DO. If no usage qualifier is associated to a
key, then the usage is implicitly known. In this context, a usage qualifier set to zero means, the associated key
shall not be used.
NOTE It is not necessary to introduce a VIT with an application tag to be retrieved by GET DATA, because the FCI or
the FCI extension file can be read always.
© ISO/IEC 2004 – All rights reserved 7

Annex A
(informative)
Biometric verification process
A.1 Abbreviations
ICC  Integrated Circuit(s) Card
IFD Interface Device
OID Object Identifier
SM Secure Messaging
A.2 Enrollment process and verification process
The general (simplified) scheme for an enrollment process is shown in Figure A.1.
EEnnrollmerollmenntt
BiBiomomeettriricc
rereffeerenrencce e
RaRaw w FeFeatureature
datadata
dadattaa datdata a
SenSen-- DaDatata FeFeFeatureatureature  EnEnEnrrrooollllllmmmeeennnttt DDaata sta sttorinoring g
sosorr aaccququisiisittioion n exexextttrrractiactiaction on on procprocprocessessessiiinnnggg  inin t thhee ca carrdd
IFIFD (enrollD (enrollmmeennt st syyssttemem)) IICC CC

Figure A.1 — General scheme of an enrollment process
The sensor and data acquisition module are considered to be one logical unit although they may be separate
modules. The raw data is usually processed outside the card due to the considerable size of the raw data.
During this processing, the biometric features are extracted and formatted for later use. In the enrollment
processing or at a later stage, the biometric reference data possibly together with additional information are
sent in a secure way to the card for storage and subsequent use.
In case of on-card matching, these data cannot be retrieved after storing. In case of off-card matching, the
biometric reference data can be retrieved as part of the BIT. The biometric reference data or possibly the
whole BIT may be secured, e.g. by a digital signature. Also the access to the BIT may be restricted, e.g.
access possible only after successful performance of an authentication procedure.
Biometric reference data may be stored in the card
 during a card personalization phase, or
 after issuing the card to the cardholder.
The storing of reference data after issuing of the card to the cardholder or when delivering the card to the
cardholder is addressed in Annex B.
Figure A.2 shows a simplified scheme for a verification covering the following configurations:
 with the biometric reference data and possibly parameters stored in the card
 with matching and decision processing in the card
 with feature extraction, formatting, matching and decision processing in the card
 with a sensor on the card and performance of the whole verification process in the card.
8 © ISO/IEC 2004 – All rights reserved

Other configurations are possible.
VVeeririfificacatitionon
SSSeeensnsnsororor
ICC wICC wiithth se sensnsoror oonn th thee ccardard
andand al alll ffuunnccttioionsns andand da datata
VeriVeriffiiccaatition on
DaDaDatttaaa
ffoor vr veeririffiiccaatitionon
resresuultlt
RaRaww
acacacquququisiisiisitttioioion n n
dadattaa
ICC wICC wiithth
-- ffeeaaturturee ex extratracctitionon
-- fforormatmatttiingng
FFeeatatuurre ee exx--
-m-maattcchhiinngg
ttrractactiionon anand d
BBiiometometrriicc
-- ddeecciissiion pon prrococesessisingng
ffoormrmattiattingng
veriveriffiiccaatition on
-- bbioiommeettrricic rreeffeerreennccee da dattaa
datdataa
-- ddececisisioionn pa parraametmeteerrss
ICC wICC wiitthh
-m-maattcchhiinngg
DDDeeecicicisisisiononon
-- ddeeccisisioionn pprroocecessssiningg
MatMatMatccchhhiiingngng
procprocprocesesessisising ng ng
-- bbiomiomeetritricc refref. d daatata
-- ddeciecissiion paraon parammeettersers
ICC wICC wiitthh
BiBiBiomomometrietrietriccc DeDeDecicicisisision on on
-- bbiomiomeettrricic refref. dat dataa
refrefrefeeerenrenrenccce e e papapara-ra-ra-
-- ddececisiisioonn par paramameettersers
datadatadata  mememettteeerrrsss

Figure A.2 — General scheme of a verification process
NOTE Decision parameters are usually bound to the decision processing. When the card provides the biometric
reference data (possibly cryptographically protected) for outside matching (lowest case in Figure A.2), decision
parameters may only be present and retrievable (in a secure way), if they contain user specific components.
A.3 Classification of biometric verification methods
Taking into account the different message exchanges between the card and the IFD, the following
classification is used:
 Static biometric verification method:
a biometric verification method which requires the presentation of a physiological (i.e. static) feature of a
person to be authenticated (see type A) or performance of an enrolled, pre-determined action (see type B).
 Dynamic biometric verification method:
a biometric verification method which requires a dynamic action from the person to be authenticated (i.e.
a user response to a biometric challenge, see type B).
Examples of biometric type A:
Ear shape
Facial features
Finger geometry
Fingerprint
Hand geometry
Iris
Palm geometry
Retina
Vein pattern
© ISO/IEC 2004 – All rights reserved 9

NOTE These biometric types can only be used for static verification.
Examples of biometric type B:
Keystroke dynamics
Lip movements
Signature image
Speech pattern (voiceprint)
Write dynamics (signature dynamics)
NOTE These biometric types may be used either for static verification or dynamic verification depending on the
usage of the respective type.
The main characteristics of biometric type A features are
 unique, not modifiable
 selectable, if several instances of the same kind exist (e.g. thumb, pointer finger)
 public, if the respective feature (e.g. face, ear, fingerprint) can be captured or measured by everybody, i.e.
the respective biometric verification data have to be presented to the card in an authentic way (see
Annex B, Figure B.4).
The main characteristics of biometric type B features are
 unique, but modifiable
 challenge dependent, if dynamic verification is used.
The Figures A.3 and A.4 illustrate the differences between static and dynamic biometric verification at the card
interface in case of matching and decision processing on the card.
AcAcAcquiquiquisisisitiontiontion ofofof thththe e e
biombiombiometrietrietric verifc verifc verifiiicatcatcatiiiononon datadatadata
VEVERRIIFYFY
withwith b biioommeettrriicc veverriificficaattiioonn d daattaa
ICICCC
IFIFDD
VVeeririffiiccaatition reson resuulltt
MMMMaaaattttcccchihihihingngngng
anananand dd dd dd deeeecccciiiissssiiiioooonnnn
prprprprooooccccesesesesssss
Figure A.3 — Commands for static biometric verification
AcquAcquAcquisiisiisitttioioionnn ooofff ttthe he he
biobiobiommmetetetric vric vric veeeriririfffiiicacacationtiontion datdatdata a a
GGEETT CH CHALLENGE   ALLENGE
BBiiomometretriicc chal challleenge  nge
IFIFIFDDD
IICC CC
EXTEXT. A AUUTTHHENENTTIICACATTEE
wiwithth b biioommeettrriic c vveerriifificacatitioonn ddaatata
ccoorrrreespsponondidingng ttoo t thhee c chhaallllengengee
MMMMaaaattttcccchihihihingngngng
anananand decd decd decd deciiiissssiiiioooonnnn
VVeeririffiiccaatition reson resuult   lt
prprprprococococesesesesssss
Figure A.4 — Commands for dynamic biometric verification
10 © ISO/IEC 2004 – All rights reserved

A.4 Scenarios
The Figures A.5 and A.6 illustrate some scenarios relevant to biometric user verification.
ThThee r reessuulltt ooff
ththe bie biomomeettricric
AcAcquiquisitsitiionon ofof ththe e
ververiiffiicatcatiion on
bbiiomometrietric verifc verifiicaticationon datadata
prprococesesss mo modidi--
BiBiometrometriicc ffiies the es the ccaardrd
sseecucurriityty stastattusus. .
vveerifrifiiccaatitionon ddaata ta
IfIf alsalsoo itit
ICICCC
IFIFDD
mmodiodiffiieses the the IIFDFD
VVeeririffiiccaatition reson resuulltt
sseecucurriityty stastattusus, ,
MMMaaatttccchinghinghing
ththen ien itt sh shoulouldd bbee
ananand dd dd deeeccciiisiosiosionnn
prprototeecctteedd bby y
proproprocccesesessss
seseccuurree
mmeessssagaging.ing.
Figure A.5 — Scenario with matching and decision process inside the card

AAccqquuiissititioionn ooff tthehe
bibiomomeettrriic vc veerriiffiicatcatiionon datdata a
MatMatMatccchinghinghing andandand
BiBiomometetrriicc r reeffeerrencencee
decidecidecisssiiion processon processon process
datdataa ((optoptiioonalnal S SMM))
IICC CC
AAccess con-ccess con-
ddiittiions mons maayy
bbee at atttaached ched
IFDIFD
ttoo tthhee bi biomometetrriic c
rreeffeerrenceence datdata a
AAAcccqqquuuiiisssitititioioionnn ooofff ttthehehe
bibibiomomomeeetttrrriiic vc vc veeerrriiifffiiicatcatcatiiiononon datdatdata a a
IfIf th thee rreessuulltt ooff tthhee
BiBiomometetrriicc r reeffeerrencencee
MatMatMatMatcccchinghinghinghing andandandand bbiiomometetrriic vc veerriiffii--
datdataa ((optoptiioonalnal S SMM))
decidecidecidecissssiiiion processon processon processon process
cacattiion pron prooccess ess
IICC CC
mmodiodiffiies tes thhe e cacarrdd
VVeeririffiiccaattiioonn re resusulltt sesecurcuriittyy ststatatus,us,
tthen ihen itt shoul shouldd bbe e
pprrototectecteedd bbyy s see--
IFDIFD
cucurree m meessagissaging.ng.

Figure A.6 — Scenarios with matching and decision process outside the card
© ISO/IEC 2004 – All rights reserved 11

A.5 Retrieval of information relevant for the biometric verification process
The IFD may need information related to the verification process. The following list contains information items
which may be required by the IFD:
 biometric type (e.g. fingerprint, face features, .)
 biometric subtype, if appropriate (e.g. left pointer finger)
 format owner and format type of biometric data
 algorithm reference, if any, as used, e.g., in the MANAGE SECURITY ENVIRONMENT command
 biometric reference data identifier (qualifier of reference data in the VERIFY command or EXTERNAL
AUTHENTICATE command)
 discretionary data, if any.
12 © ISO/IEC 2004 – All rights reserved

Annex B
(informative)
Examples for enrollment and verification
B.1 Abbreviations
AID Application Identifier
AT Authentication Template
BIT Biometric Information Template
BT Biometric Type
CRT Control Reference Template
DO Data Object
DST Digital Signature Template
FCI File Control Information
FO Format Owner
FT Format Type
ID Identifier
IFD Interface Device
OID Object Identifier
RD Reference Data
SM Secure Messaging
TAT Tag allocation Authority Template
UQ Usage Qualifier
VIT Verification Requirement Information Template
|| Concatenation
B.2 Enrollment
For this example, it is assumed, that the card
 is totally personalized except the storing of the biometric reference data and the related Biometric
Information Template (this includes also the presence of a biometric record in a key file with the related
attributes for the biometric reference data, i.e. retry counter with initial value, resetting code with retry
counter and initial value, flags for enabling/disabling verification requirement and changeability, .)
 has password verification in addition to biometric verification.
With the CHANGE REFERENCE DATA command, the empty reference data are replaced by the user´s
reference data computed in the enrollment process. The execution of the CHANGE REFERENCE DATA
command has to be bound to security conditions, e.g. setting the required security status after successful
completion of a cryptographic based authentication procedure or a successfully presented password.
NOTE The security conditions for the CHANGE REFERENCE DATA command, after the enrollment has taken place,
may be different due to the security policy of the application provider (e.g. change of reference data is no longer allowed
after enrollment).
After the biometric reference data have been stored, the Biometric Information Template BIT has to be stored,
which is used by the IFD in a verification process in this example. The BIT is stored after all types and
subtypes of biometric reference have been enrolled.
Usually, an IFD (e.g. a PC, a public internet terminal or a cash terminal) does not know, whether the card
presented
 belongs to a user who applies biometrics
 has a biometric algorithm supported by the IFD
© ISO/IEC 2004 – All rights reserved 13

 which biometric type is used for which it should prompt
 which value the related key reference (i.e. the reference data qualifier) has
 which implementation specific matching algorithm parameters have to be observed (e.g. limitation of the
amount of minutiae to be sent in the verification data).
Therefore the Biometric Information Template BIT should provide information such as:
 the biometric reference data qualifier
 the OID of the tag allocation authority and indication of the format for the verification data
 the biometric type and possibly the biometric subtype enrolled (e.g. right thumb)
 further data objects, if any
 repetition of the respective DOs, if e.g. a second biometric type is enrolled.
Figure B.1 shows the commands which may be performed in this way in an enrollment process.
CoCommmmanandd // Res Resppoonnssee   Meaning Meaning
SettiSetting theng the
VERIFYVERIFY  ord>
SecSecuurirityty Sta Stattusus
ffoor sr sttorioring ng thethe
OKOK
bbiiometometrriic c
refrefeerencrence de daata ta
RReeplaplacciing tng thhee
CHCHAANNGE RDGE RD ememppttyy ref refeererencnce e ddaata ta
RReeffeerencrence De Daattaa> >
byby the enro the enrollelledd
biobiommetetricric ref refeererencnce  e
OKOK
datadata
SELECTSELECT  ID> SelSeleectctionion of of t the ehe elle-e-
mmeentantarryy ffiillee ffor sor sttorioring ng
tthhe Be Biiometometrriicc IInnfforor--
OK OK
matmatiionon TTeemplmplaattee
BITBIT (t (to beo be retri retrieeved ved
wwiitthh GGEET DT DAATATA))
StorinStoring thg the Bie Biomometricetric
UPDUPDAATE BINTE BINAARYRY >
IInnfoforrmmaattiioonn Te Temmppllaattee
OKOK
BITBIT
Figure B.1 — Commands for enrollment (example)
NOTE 1 There may be a need to protect the enrollment with secure messaging.
NOTE 2 For information storage and retrieval also other commands as described in ISO/IEC 7816-4 may be used. This
is also valid for the Figures B.4, B.6 and B.7.
14 © ISO/IEC 2004 – All rights reserved

Figure B.2 shows the BIT and its DOs.
T.T.BIT  BIT  LTLT.RD RD LL . . T.T.OIOIDD    LL . T.T.TATATT L T.L T.BTBT  L L . . T.T.FOFO    L L . . T.T.FTFT   L L .  .  . .
TTaag og off BBiioommetetriricc FoForrmmaatt FoForrmmaatt
ReReffee-- ObjObjeecctt TaTagg o off TTaagg BiBioommeettrriicc
InInffoorrmmaattioionn  ownowneerr   tytyppee
rerennccee iiddeenntitifiefierr AllAllooccaattiioonn TTyypepe e. e.g.g.
TeTempmpllaatete dadattaa ooff ta tagg AuAuththoorrityity fifinnggeerrpprrinint  t
((‘‘7F7F6060‘‘))
ququalialiffierier aallllooccaatitioonn  TeTempmpllaattee
auautthhoorriittyy
aass us useded ((‘‘AA11‘)‘)
inin P P22 ooff
VEVERIRIFFYY
Figure B.2 — Example of a Biometric Information Template (BIT), tags assigned by the specified Tag
Allocation Authority
NOTE The tags inside the template 'A1' are defined the denoted tag allocation authority.
B.3 Verification with a single biometric method
The verification process starts with the retrieval of the Biometric Information Template, e.g. by applying the
GET DATA command. If the IFD supports the required format for the biometric verification data as indicated in
the BIT and the user has presented the related biometric object, the verification data are computed and
delivered to the card by using the VERIFY command (see Figure B.3).
CoCommmmanand/d/ResRespponsonsee M Meeaanning ing
SELECTSELECT > ApApplicplicatiatioonn sselelectiection on
wwiitthh ap applipliccatiation on
OKOK
iidentdentififieierr ((AIDAID))
ReRettrriieevvaall o off th thee
GETGET D DAATTAA >
BiBiomomeettricric IInfnfoorrmmaatitionon
TeTemmppllaattee B BIIT.T.
BBiio.o. I Innffoorrmmatatiioon Tn Teemmppllaattee
VVeerriiffiicacattiionon ooff t thhe ue usserer
VERIFYVERIFY VeriVeriffiiccaatiotionn DataData>>
OKOK
Figure B.3 — Commands for verification without secure messaging (example)
NOTE If the Biometric Information Template is not present, it means in this example that the respective user does not
use biometrics.
If the biometric verification data are public (e.g. face, fingerprint, ear shape), then there is a need to protect
them with secure messaging (see Figure B.4).
© ISO/IEC 2004 – All rights reserved 15

CoCommmmanand/d/ResRespponsonsee Meanin Meaningg
SELECSELECTT SeleSelectiction oon off the the app appli-li-
cacationtion w wiith th AAppplipliccatationion
OKOK
IdeIdenntietierr (AID) (AID)
GEGETT D DAATTAA >  RetrieRetrievvaall o off t thhee
BiomBiometrietricc IInnfformormaatiotionn
Bio. InfBio. Infoormrmatiation on TemTempplatelate
TTeemmpplalate (BITte (BIT). ).
MAMANNAAGGEE S SEE > SettiSetting tng the Che CRRTT D DSSTT
wwiith the th the ppublublic keic keyy ffoorr
OKOK
cecertifrtificicateate v veeririffiiccaatitionon
VERIFY CERTIFICVERIFY CERTIFICAATTEE VerifVerifiicacationtion o off t thhee
te> cecertifrtificicateate bel belongonginging
to tto the bhe biiomometricetric un unit it
OKOK
GGEET CHT CHAALLENGLLENGEE RReequesquestintingg a a chachall--
llengengee ttoo be u be usseded
RRaandondomm N Nuummberber
forfor se secucurree m meessssagiagingng
EEXXTTEERRNNAAL AL AUUTHENTHENTTIICCAATETE ExExteternalrnal auth authentienticcaattionion
> wwiith eth esstatabliblisshihing ong off
SMSM k keeyyss
autauthenthenticaicattionion rela related ted datadata
VERVERIFIFYY DDaata, Sta, SMM proprottecected>ted> SMSM p prrotecotected ted vveeririffiiccaa--
tiontion da data; resta; resppoonnsese ca cann
OKOK
alsalsoo b bee SMSM proteprotecctedted

Figure B.4 — Commands for verification with secure messaging (example)
NOTE Secure Messaging (SM) is outlined in ISO/IEC 7816-4.
In this example, the verification process starts with the retrieval of the Verification Requirement Information
Template (VIT) and the corresponding Biometric Information Template (BIT), which may be stored e.g. in the
FCI extension File (File ID is implicitly known).The VIT contains information, whether biometric and/or
password verification is available and enabled or disabled and which corresponding qualifiers of the reference
data (KeyRef) have to be used at the interface to the card. The BIT contains in this example (see Figure B.5)
information about the card specific algorithm reference (AlgID), the qualifier of the reference data (KeyRef)
and additional information like biometric type, format owner and format type.
T.T.BIT  BIT  L T.L T.AlAlggIIDD    LL . . T.T.RDRD    LL . . T.T.OIOID D   L L .  .  T.T.TATATT L  T.L  T.BTBT LL . . .
TaTagg o off OIOIDD BiBioommeettricric
AlAlggoorriitthhmm ReReffeerreennccee TaTagg o off TTaagg FuFurrtthheerr DDOOss::
BioBiommeettrriicc TTyyppee e. e.g.g.
datdataa ofof -- FForormmaatt ow ownenerr
refrefeererencence AllAllooccaattiioonn
InInffoorrmmaattioionn ffiingngerperprriinntt
quaqualliiffiieerr TaTagg AuAutthhoorritityy -- FFoorrmmaat tyt typpee
TeTempmpllaattee AlAllolocacatitioonn
TTeemmpplalatete  -- .
(‘7F(‘7F6060‘‘))
AuAuththoorriittyy
((‘‘A1A1‘)‘)
Figure B.5 — Example of a Biometric InformationTemplate (BIT)
16 © ISO/IEC 2004 – All rights reserved

If IFD and the presented card support the same mechanism and the user has presented the related biometric
features, the verification data have to be computed and delivered to the card by using the VERIFY command
which is preceeded by a MANAGE SECURITY ENVIRONMENT command to select the special verification
method (see Figure B.6).
CoCommmmand/and/ResRespone Mpone Meaneaniinng g
SELECTSELECT > SelSeleeccttioion on off the the
FCFCI eI exxttensensioion fn fiilele
OKOK
RetriRetrieeval oval off tthe Veri-he Veri-
REREAADD B BIINNAARYRY
ffiiccaatitionon R Requequireiremmeennt t
InformInformatiation Ton Teemmpplalate te
VITVIT | ||| BIT BIT
VITVIT a anndd
tthhe Be Biiometometrriic Ic Innffoorr--
mmaatiotionn TemTempplalate BITte BIT
MAMANANAGGEE S SEE DDOO A Allg. g. RReeffeerencrencee |||| wwiitthh U Ussagage Qe Quuaalliiffiieerr
DDOO Key Key RReeffeerencrence>e> UUQQ, A, Allgogorriiththmm R Reeffee--
rreencncee aandnd K Keey y
OKOK
RReeffeerencrencee
VERIFYVERIFY < VerificaVerificatiotionn DaData>ta>
OKOK
Figure B.6 — Commands for verification without secure messaging (example)
When a static biometric verification needs information from the card prior to verification, such information may
be present in the biometric information template.
B.4 Access to the BIT in case of off-card matching
The BIT possibly in combination with other data (e.g. driver license data) may be protected e.g. by a signature
of the issuing authority (for examples of protecting those data see Annex D). Therefore the BIT may be
retrieved by applying a simple READ BINARY command, see Figure B.7.
CoCommmmaand/nd/ResResppone Meaninone Meaningg
SELECTSELECT <> SeleSelectiction oon off the the
ffileile co containtaininningg th the e
OKOK
BiomBiometrietricc IInnfformormaatiotionn
TeTemmppllaattee
TThe he DDOO BI BITT m maayy
REREAADD BI BINNAARYRY
conconttaiain then the Sec Secuure re
MeMessssagagiinngg T Teemmpplalattee
BITBIT
e.g.e.g. ffoor gr guaranuaranteeteeiingng
the auththe authentienticciittyy ooff bibio-o-
mmeettrric refic refeererencence datdataa

Figure B.7 — Commands for retrieval of the BIT (example)
© ISO/IEC 2004 – All rights reserved 17

The access to the BIT may be restricted, i.e. prior to reading an authentication procedure has to be performed
as shown in Figure B.8.
CoCommmmaand/nd/ResResppone Meanone Meaniinng g
GGEET CHT CHAALLENGLLENGEE GeGettingtting a ra a randondomm
numnumberber
RRaandondomm n nuummbberer
AutheAuthennticticaatition oon off the the
EXT. AEXT. AUUTHENTICTHENTICAATE TE
entientittyy,, w whhicich hah has ths thee
ta>
accacceessss ri right ght to thto thee
BITBIT
OKOK
REREAADD BIN BINAARYRY
RReeadiading tng the BIThe BIT
BITBIT
Figure B.8 —
...