
Is It the Standard for All Future IDs?


Summer 2011

Regarding ID Magazine – a survey of identification • SecureIDNews • ContactlessNews • CR80News • RFIDNews

PIV-I
Is it the standard for all future IDs?

Private sector use of the FIPS 201 standard could dwarf government use

Web services look to revolutionize biometrics

New protocols could cut cord to biometric readers, end need for software drivers

Jill Jaracz, Contributing Editor, AVISIAN Publications

The National Institute of Standards and Technology (NIST) is working to establish protocols to ease implementation and increase interoperability for biometric devices. A team within NIST sees Web services as the key to extending biometrics across platforms, solutions and devices.

The Biometric Web Services (BWS) project, a five-person team within NIST’s Information Technology Laboratory Image Group, is creating specifications for biometric devices to use Web services for interoperability.

Ross J. Micheals, NIST’s supervisory computer scientist and leader of this project, explains that in the current climate, sensors and matchers need to be built from the ground up. As new technology comes on the market, the devices may not necessarily be able to interact with a user’s current system. In a nutshell, Biometric Web Services is aiming to make it easier to bring biometric capabilities to more devices than ever before – devices that would otherwise require an investment in a specific combination of hardware and software.

Currently biometric devices require dedicated software to interact with other electronic devices (e.g. computers, handhelds, mobiles). When either device changes, the wheel must essentially be recreated – or at least the software that drives it. “If devices can understand the Web inherently and the device changes,” explains Micheals, “you don’t have to rely on the software that hinders interoperability.”

About five years ago, NIST decided to create specifications to determine if biometric devices were viable over Web protocols. The Biometric Web Services project was formed.

The group is focused on the creation of two basic protocols that would eliminate the need for biometric devices to have dedicated connections and dedicated device drivers, says Micheals. If successful, users would be able to control any device from anywhere.

In terms of physical connectivity, the use of Web services will eliminate the need for a USB or IEEE 1394 connection and device drivers. Instead, the connection can be made via Ethernet or Wi-Fi. Additionally, a system won’t need to rely on device-specific, software-based drivers.

Web services also change logical connectivity in that devices could be shared from an Internet-enabled device, such as a tablet or handset, and it won’t matter whether or not the device operates on the same platform.

“There is no reason why devices shouldn’t inherently understand Web protocols. It’s very tractable to have this technology in a small handheld form,” Micheals says. With the Biometric Web Services protocols, mobile devices can be programmed to talk to the Web and no longer need data storage capabilities. “What we’re really trying to do is to describe an outlet, cut the cord on the biometric sensor, and define a clear boundary between components of the system.”

The team’s first major release was a working demonstration of the project, which it presented at the Biometric Consortium Conference in September 2010.

Since then, Biometric Web Services has worked with the OASIS standards body on an implementation of the OASIS Biometric Identity Assurance Services (BIAS) specification. OASIS’ BIAS Integration Technical Committee is determining a standard way to access remotely invoked biometric services via a services-oriented framework.

This effort has resulted in the team’s January 2011 release of a simple implementation of the BIAS spec in which a client and server use arbitrary binary data to show BIAS’ various functions. In February OASIS released a draft of this specification and is accepting comments and suggestions from the public to aid in its revision.

Challenges to protocol creation

In developing the protocols, the team has run into some challenges. One hurdle has been developing multi-user capabilities. Because biometric sensors are currently built as single-user devices, they will have to be built with concurrent access capabilities in order to incorporate the multiuser functionality of Web services.

The team is also trying to answer questions around live previewing capabilities and multilayered security. “Local door access has different requirements versus logging onto a Web site,” Micheals says. “How you secure, encrypt data, and how it travels through the system are important questions you have to think about when designing solutions.”

One of the project’s sponsors is the Department of Homeland Security, which can use Biometric Web Services with its systems, particularly as these systems and components age. Operating within a closed system, Biometric Web Services can work with a mixture of new and old technology that still has the capability to interact because all the components are designed with the same protocol.

NIST hopes these standards will help drive technology and stimulate the market. “When [devices] all talk the same language, markets open up,” Micheals says. When the protocols are established, customers will be able to purchase products that work with any existing Web protocol system, and developers will be able to add their own value to the devices. “There’s a potential market for biometric access control devices that are more interchangeable. Certainly as a consumer, that makes it more attractive,” Micheals says.

Micheals says that NIST is reaching out to the public for feedback and input. “Our mission is to do the best thing technically, but we know a lot of excellent technology work is done in the private sector, so that’s where we’re trying to get help,” Micheals says.

The Biometric Web Services team is fostering relations with experts in industry, academia and government to get input on the protocols. It maintains a listserv for announcements about projects and discussion from individuals.

The team is being careful to create flexible protocols that can be extended and won’t render future technology or modalities incompatible. “We don’t know what might be needed to add to the list later. [They should be] not so strict that you couldn’t extend them,” Micheals says.

Work on these two protocols will continue through the majority of 2011. BWS intends to have a final draft of the specifications written by the end of NIST’s fiscal year, which is in October.

Web services defined

Web Services: The Internet standards body W3C defines Web services as “a software system designed to support interoperable machine-to-machine interaction over a network.” It uses a machine-processable format such as WSDL and standardized SOAP message formats, HTTP and XML. Web services can implement a Service-oriented architecture (SOA), which is a flexible way to design an ecosystem of interoperable services that work with multiple systems across various domains.

WSDL: Web Services Description Language, an XML-based language used in combination with SOAP to enable client programs to find and connect to Web services over the Internet.

SOAP: The Simple Object Access Protocol was designed in 1998 as a specific way to exchange structured information used by Web Services. Messages are exchanged in XML using application-layer protocols such as HTTP or RPC (Remote Procedure Call).

HTTP: Hypertext Transfer Protocol, developed since 1991, is a networking program for distributed information systems and forms the basis for communicating over the Web. HTTP/1.1, defined in RFC 2616, defines nine verbs (methods) for manipulating remote resources.

XML: Extensible Markup Language, an open standard for encoding documents in machine-readable form, was published in 1996 with the goals of simplicity and ease of use over the Internet. Since then, most modern APIs and file formats have been developed on top of XML-based formats, such as RSS, Atom, SOAP, XHTML, and various office document formats.

REST: Representational State Transfer, introduced in 2000, is an “architectural style”, simpler than SOAP, which defines the interactions between clients and servers (requests and responses) and the data they exchange (resources and representations). It typically uses a subset of the HTTP verbs (POST, GET, PUT, and DELETE) to implement create, read, update, and delete operations on remotely accessible resources.

www.regardingid.com | Summer 2011