INTERNATIONAL STANDARD ISO/IEC 24761:2009
TECHNICAL CORRIGENDUM 1
Published 2013-03-01

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION / ORGANISATION INTERNATIONALE DE NORMALISATION
INTERNATIONAL ELECTROTECHNICAL COMMISSION / COMMISSION ÉLECTROTECHNIQUE INTERNATIONALE

Information technology - Security techniques - Authentication context for biometrics
TECHNICAL CORRIGENDUM 1

Technologies de l'information - Techniques de sécurité - Contexte d'authentification biométrique
RECTIFICATIF TECHNIQUE 1

Technical Corrigendum 1 to ISO/IEC 24761:2009 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

ISO/IEC 24761:2009/Cor.1:2013(E) ISO/IEC 2013 All rights reserved

Page 1, Clause 2
Add the following at the end:

    RFC 5911, New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME, June 2010

Page 11, Clause 6
Replace the definition of EncapsulatedContentInfoACBio with:

    EncapsulatedContentInfoACBio ::= SEQUENCE eContentType CONTENT-TYPE.

the first field of fixed value of id-contentBPUReport and the second of type ContentBPUReport, which is a data of parameterized SIGNEDDATA with encapsulated content of type BPUReportContentInformation, which consists of two components, bpuFunctionReport and bpuSecurityReport. The signature shall be generated using the private key of the product vendor of the BPU.

NOTE The functions of and data flow in a BPU in enrolment may be different from those in biometric verification. In such a case, two BPUReports may be prepared, one for enrolment, another for biometric verification. Otherwise one BPUReport may be prepared for both enrolment and biometric verification. The latter case is noted in 7.2.1.

In ASN.1 notation, BPUReport is described as follows:

Page 18, 7.2.1
Replace the definitions of BPUFunctionReport, BPUSubprocessInformationList, and BPUIOStaticInformationList respectively with:

    BPUFunctionReport ::= SEQUENCE {
        bpuSubprocessInformationList BPUSubprocessInformationList,
        bpuInputStaticInformationList BPUIOStaticInformationList OPTIONAL,
        bpuOutputStaticInformationList BPUIOStaticInformationList
    }
    BPUSubprocessInformationList ::= SEQUENCE SIZE(1..MAX) OF BPUSubprocessInformation
    BPUIOStaticInformationList ::= SEQUENCE SIZE(1..MAX) OF BPUIOStaticInformation

Page 18, 7.2.1
Replace the last paragraph with:

bpuInputStaticInformationList is a list of elements of type BPUIOStaticInformation as many as the number of the input data to the BPU. bpuOutputStaticInformationList is a list of elements of type BPUIOStaticInformation as many as the number of the output data from the BPU. The type BPUIOStaticInformation is defined in 7.2.1.2. In enrolment, storage subprocess shall output the hash value of the input of biometric sample which is to be stored as the biometric reference template, and the hash value is to be set in the BRT certificate. Therefore bpuOutputStaticInformationList shall have such a member if it is an expression for a BPU with storage subprocess in enrolment.

NOTE When the function of and data flow in a BPU in enrolment are different from those in biometric verification, the number of the elements in bpuSubprocessInformationList may not be equal to the number of the subprocesses in the BPU. It may be the sum of the number of the subprocesses in enrolment and that in biometric verification. In this case, bpuSubprocessInformationList is divided into two groups, one for enrolment and another for biometric verification. subprocessName of functionDefinition in a member of a group of bpuSubprocessInformationList may have the same value as the value of subprocessName of functionDefinition in a member in the other group but the value of the field subprocessIndex shall be different from that of the corresponding member of the list. If the bpuSubprocessInformationList is expressed as above, so are bpuInputStaticInformationList and bpuOutputStaticInformationList expressed in a similar way: there may be two members in the list where the value of subprocessIOIndex of one member is different from that of the other while the values of dataType are the same.

Page 19, 7.2.1.1.1
Replace the definition of FunctionDefinition with:

    FunctionDefinition ::= SEQUENCE {
        subprocessName SubprocessName,
        subprocessIndex SubprocessIndex,
        biometricType BiometricType OPTIONAL,
        biometricSubtype BiometricSubtype OPTIONAL,
        inputIndex1 IOIndex OPTIONAL,
        inputIndex2 IOIndex OPTIONAL,
        outputIndex IOIndex,
        functionDescription OCTET STRING (SIZE(1..MAX)) OPTIONAL
    }

Page 19, 7.2.1.1.1
Add the following description after the third paragraph:

A pair of components biometricType and biometricSubtype indicates the modality of biometric data processed in the subprocess. The types BiometricType and BiometricSubType are defined in ISO/IEC 19785-3. biometricType is mandatory if subprocessName does not take the value comparison or decision.

Page 20, 7.2.1.2
Replace the first paragraph, definition of BPUIOStaticInformation, and second paragraph with:

BPUIOStaticInformation is a data type which gives information about input/output to/from the BPU, and consists of two components: dataType and subprocessIOIndex.

    BPUIOStaticInformation ::= SEQUENCE {
        dataType DataType,
        subprocessIOIndex IOIndex
    }

Page 20, 7.2.1.2
Replace the fourth paragraph with:

There shall be the component purpose if the first component processedLevel takes the value from raw-data to processed-data. There shall not be the component purpose if the processedLevel takes the value comparison-score, comparison-decision, or hashed-data.

Page 20, 7.2.1.2
Replace the definition of ProcessedLevel with:

    ProcessedLevel ::= ENUMERATED {
        raw-data(1),
        intermediate-data(2),
        processed-data(3),
        comparison-score(4),
        comparison-result(5),
        hashed-data(6),
        ...
    }

Page 21, Clause 8
Replace the text with:

BRT certificate is a certificate to the biometric reference template issued by a certain BRT certification organization. It contains information about the biometric reference template stored in the BPU, such as the issuer and validity period, etc. Type BRTCertificate is defined similarly to BPUReport. A BRT certificate consists of two fields; the first field of fixed value of id-contentBRTCertificate and the second of type ContentBRTCertificate, which is a data of parameterized SIGNEDDATA with encapsulated content of type BRTCContentInformation. The signature shall be generated using the private key of the BRT certification organization.

In ASN.1 notation, BRTCertificate is described as follows:

    BRTCertificate ::= SEQUENCE contentType CONTENT-TYPE.

    ACBioInstance ::= SEQUENCE {
        contentType CONTENT-TYPE.&id({ContentTypeACBio}),
        content [0] EXPLICIT CONTENT-TYPE.&Type ({ContentTypeACBio}{@contentType})
    }
    ContentTypeACBio CONTENT-TYPE ::= { signedDataACBio | authenticatedDataACBio }
    SignedDataACBio ::= SIGNEDDATA { EncapsulatedContentInfoACBio }
    AuthenticatedDataACBio ::= AUTHENTICATEDDATA { EncapsulatedContentInfoACBio }
    EncapsulatedContentInfoACBio ::= SEQUENCE {
        eContentType CONTENT-TYPE.&id({ContentTypeACBioContentInfo}),
        eContent [0] EXPLICIT OCTET STRING ( CONTAINING CONTENT-TYPE.&Type ({ContentTypeACBioContentInfo}{@eContentType}))
    }
    ContentTypeACBioContentInfo CONTENT-TYPE ::= { acbioContentInformation }
    ACBioContentInformation ::= SEQUENCE {
        version Version DEFAULT v1,
        bpuInformation BPUInformation,
        controlValue OCTET STRING (SIZE(16)),
        biometricProcess BiometricProcess,
        brtCertificateInformation BRTCertificateInformation OPTIONAL
    }
    Version ::= INTEGER { v1(1) } ( v1, ... )
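
The "shall" rules stated in 7.2.1, 7.2.1.1.1 and 7.2.1.2 above are not enforced by the ASN.1 definitions shown, which mark the affected components as plain OPTIONAL, so a verifier has to check them after decoding. The following Python check is an added example, not part of the corrigendum; it assumes a decoder that yields dicts keyed by the ASN.1 component names, and the purpose value in the sample is a placeholder.

```python
# Added example, not part of ISO/IEC 24761. The dict layout (keys named after
# the ASN.1 components) is an assumed decoder output.
WITH_PURPOSE = {"raw-data", "intermediate-data", "processed-data"}
# The enumeration says comparison-result; the prose says comparison-decision.
WITHOUT_PURPOSE = {"comparison-score", "comparison-result", "hashed-data"}

def check_function_report(report, enrolment=False):
    """Return the violated 'shall' rules; an empty list means none."""
    errors, seen, names = [], set(), set()
    for info in report["bpuSubprocessInformationList"]:
        fd = info["functionDefinition"]
        name, index = fd["subprocessName"], fd["subprocessIndex"]
        names.add(name)
        # 7.2.1.1.1: biometricType is mandatory unless comparison or decision.
        if name not in ("comparison", "decision") and "biometricType" not in fd:
            errors.append(f"subprocess {index} ({name}): biometricType missing")
        # 7.2.1 NOTE: a subprocessName may repeat across the enrolment and
        # verification groups, but then subprocessIndex must differ.
        if (name, index) in seen:
            errors.append(f"subprocess {index} ({name}): duplicate subprocessIndex")
        seen.add((name, index))
    outputs = report["bpuOutputStaticInformationList"]
    inputs = report.get("bpuInputStaticInformationList", [])  # OPTIONAL
    for side, items in (("input", inputs), ("output", outputs)):
        for io in items:
            dt, idx = io["dataType"], io["subprocessIOIndex"]
            if dt["processedLevel"] in WITH_PURPOSE and "purpose" not in dt:
                errors.append(f"{side} {idx}: purpose missing")
            if dt["processedLevel"] in WITHOUT_PURPOSE and "purpose" in dt:
                errors.append(f"{side} {idx}: purpose not allowed")
    # 7.2.1: in enrolment a storage subprocess outputs the hash of the stored
    # sample, so the output list needs a hashed-data member.
    if enrolment and "storage" in names and not any(
            o["dataType"]["processedLevel"] == "hashed-data" for o in outputs):
        errors.append("enrolment storage BPU: no hashed-data output")
    return errors

# Constructed sample (placeholder purpose value): breaks four of the rules.
SAMPLE = {
    "bpuSubprocessInformationList": [{"functionDefinition": {
        "subprocessName": "storage", "subprocessIndex": 1, "outputIndex": 2}}],
    "bpuInputStaticInformationList": [
        {"dataType": {"processedLevel": "processed-data"}, "subprocessIOIndex": 1}],
    "bpuOutputStaticInformationList": [{"subprocessIOIndex": 2, "dataType": {
        "processedLevel": "comparison-score", "purpose": "placeholder"}}],
}

if __name__ == "__main__":
    print("\n".join(check_function_report(SAMPLE, enrolment=True)))
```

A report that fails any of these checks should be rejected before its signature or the surrounding ACBio instance is relied on for an authentication decision.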