GB/T 37036.3-2019 PDF in English
GB/T 37036.3-2019 (GB/T37036.3-2019, GBT 37036.3-2019, GBT37036.3-2019)
Name of Chinese Standard: Information technology -- Biometrics used with mobile devices -- Part 3: Face | Status: Valid
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.240.15
L 71
Information Technology - Biometrics Used with Mobile
Devices - Part 3: Face
ISSUED ON: OCTOBER 18, 2019
IMPLEMENTED ON: MAY 1, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Technology Architecture
6 Operational Process
7 Functional Requirements
8 Performance Requirements
9 Security Requirements
Appendix A (informative) Typical Application Architectures of Face Recognition Used with Mobile Devices
Appendix B (informative) Mobile Device Face Recognition Presentation Attack Detection Methods
1 Scope
This Part of GB/T 37036 provides the technology architecture of the face recognition
system used with mobile devices, and specifies the operational process, functional
requirements, performance requirements and security requirements of face
recognition used with mobile devices.
This Part is applicable to the design, production, integration and application of the face
recognition system used with mobile devices.
2 Normative References
The following documents are indispensable to the application of this document. In
terms of references with a specified date, only versions with a specified date are
applicable to this document. In terms of references without a specified date, the latest
version (including all the modifications) is applicable to this document.
GB/T 26238-2010 Information Technology - Terminology for Biometrics
GB/T 37036.1-2018 Information Technology - Biometrics Used with Mobile Devices -
Part 1: General Requirement
3 Terms and Definitions
The terms and definitions given in GB/T 26238-2010 and the following terms and
definitions are applicable to this document.
3.1 Face Recognition
Face recognition refers to the process of individual recognition based on an
individual’s face characteristics.
3.2 Face Characteristic
Face characteristic refers to distinguishable and repeatable characteristic information
that can be extracted from individual’s face information, so as to achieve the purpose
of automatic individual recognition.
NOTE: face characteristics may include: anatomical characteristics of face, facial
characteristics, special marking characteristics and other characteristics of human
Attack presentation false acceptance rate refers to the proportion that attacks
presented by means of attack presentation are mistakenly accepted as the actual face
presentation in specific scenarios.
3.12 Bona Fide Presentation False Rejection Rate
Bona fide presentation false rejection rate refers to the proportion that actual face
presentation is mistakenly determined as attack presentation and rejected in specific
scenarios.
3.13 Attack Presentation Non-response Rate
Attack presentation non-response rate refers to the proportion of non-responses in the
face recognition system during the process of presenting attacks through the mode of
attack presentation.
3.14 Bona Fide Presentation Non-response Rate
Bona fide presentation non-response rate refers to the proportion of non-responses in
the face recognition system during the presentation of actual face.
4 Abbreviations
The following abbreviations are applicable to this document.
APFAR: Attack Presentation False Acceptance Rate
APNRR: Attack Presentation Non-response Rate
BPFRR: Bona Fide Presentation False Rejection Rate
BPNRR: Bona Fide Presentation Non-response Rate
FAR: False Acceptance Rate
FRR: False Rejection Rate
5 Technology Architecture
The face recognition system used with mobile devices is mainly constituted of several
functional modules on the mobile device side and the remote server. It mainly includes
face characteristic capture module, face characteristic storage module and face
characteristic comparison module, etc. Specifically speaking, the face characteristic
capture module includes sub-functional modules, such as: face sample capture, quality
judgment, presentation attack detection and face feature extraction, etc. The face
recognition system captures user’s face samples by accessing the face capture device
devices includes: enrollment process, recognition process and log-out process. See
the requirements below:
a) The enrollment process shall include, but is not limited to the following steps:
1) The mobile application initiates the enrollment process in a mobile device;
2) The face capture device in the mobile device captures the user’s face
samples;
3) Conduct quality judgment, presentation attack detection and user’s face
feature extraction;
4) Store the user’s face feature in the face characteristic storage module as
the user’s face template; associate it with the user’s identity;
5) After completing it, end the enrollment process.
b) The recognition process shall include, but is not limited to the following steps:
1) The mobile application initiates the recognition process in the mobile
device;
2) The face capture device in the mobile device captures the user’s face
samples;
3) Conduct quality judgment, presentation attack detection and user’s face
feature extraction;
4) Regard the extracted user’s face feature as the face probe; compare it
with one or more user’s face templates stored in the face characteristic
storage module;
5) In accordance with the comparison result, make recognition decisions
and output the recognition result; end the recognition process.
NOTE: the face recognition system used with mobile devices may use a face probe
that passes recognition to update the user’s face template stored
in the face characteristic storage module.
c) The log-out process shall include, but is not limited to the following steps:
1) The mobile application initiates the log-out process in the mobile device;
2) Delete all face references associated with the user to be logged out in the
face characteristic storage module; delete the identity of the user to be
logged out in face recognition;
Face recognition used with mobile devices shall have the function of log management,
which includes, but is not limited to:
a) Events that generate log records, which include, but are not limited to:
1) Success or failure event during the enrollment process;
2) Success or failure event during the recognition process;
3) Success or failure event during the log-out process;
4) Face template update, etc.
b) For each event, log records include the event occurrence time, the type of
event, the user, the event execution result or cause of failure, and the validity
time, etc.
7.2 Face Characteristic Capture Module
7.2.1 Basic functions
The face characteristic capture module provides the function of face characteristic data
capture and transmission, which includes, but is not limited to:
a) It shall comply with the requirements of 6.2.1 in GB/T 37036.1-2018;
b) Technical means should be adopted to determine the environmental lighting
conditions where the user is located during the capture process. When the
environmental lighting conditions are inappropriate (for example, ambient light
is too bright or too dark), the user should be prompted to cooperate in
improving them;
c) Technical means should be adopted to determine blockage and posture of the
face area in the face capture zone during the capture process. When the face
area is incomplete (for example, when it is blocked by an ornament, or
when only part of the face is in the video capture area) or the posture is
inappropriate (face rotation, pitching or excessive inclination angle), the user
should be prompted to cooperate in improving it;
d) During the capture process, if there are multiple faces, or no face, in the video
area, the situation should be handled in accordance with the current business
scenario, for example, by prompting the user to cooperate in improving it, or
by setting rules to select the main face area for processing.
7.2.2 Quality judgment
The face characteristic capture module in the mobile device shall have the function of
quality judgment and shall comply with the requirements of 6.2.2 in GB/T 37036.1-2018.
The quality judgment function of face samples:
a) Shall include, but is not limited to:
1) Evaluation of area size: determine whether the size of the face area
detected in the sample meets the requirements of the face recognition
algorithm;
2) Evaluation of clarity: determine whether the clarity of the face area
detected in the sample meets the requirements of the face recognition
algorithm;
3) Evaluation of integrity: determine whether the integrity of the face area
detected in the sample meets the requirements of the face recognition
algorithm;
4) Evaluation of gesture angle: determine whether the rotation angle,
pitching angle and inclination angle of the face gesture detected in the
sample are within a reasonable range.
b) Should include, but is not limited to:
1) Evaluation of eye closure: quantify and evaluate the eye closure;
determine whether it meets the requirements of the face recognition
algorithm;
2) Evaluation of mouth closure: quantify and evaluate the mouth closure;
determine whether it meets the requirements of the face recognition
algorithm;
3) Evaluation of illumination: determine whether the illumination of the face
area detected in the sample meets the requirements of the face
recognition algorithm;
4) Evaluation of user subjective cooperation level: determine whether the
user has subjective willingness to cooperate with face recognition.
7.2.3 Presentation attack detection
Face recognition used with mobile devices shall be equipped with the function of
presentation attack detection and shall comply with the requirements of 6.2.3 in
GB/T 37036.1-2018.
The presentation attack detection function of face recognition used with mobile devices
should be able to support the detection of the following types of presentation attack,
as it is shown in Table 1.
See Appendix B for some feasible presentation attack detection methods of face
capturing and using the face data for products or services provided, and
obtain the user’s authorized consent;
c) Before face recognition log-out is initiated, the operator’s identity shall be
authenticated, and the authority shall be confirmed. After the face recognition
log-out is completed, ensure that all the associated face data is deleted and
cannot be recovered;
d) During its operation, the functional module located in the mobile device should
have the capability of inspecting the operating environment. The scope of the
inspection may include whether the mobile device system has been
authorized by an illegal user to obtain administrator rights, and whether the
program operating environment is trusted. When it is found that the operating
environment is abnormal, there shall be corresponding treatment measures,
such as: prompting the user for security risks and closing the application, etc.;
e) The functional module in the mobile device shall adopt security measures to
ensure that only the caller with the calling authority can call the module;
f) The functional module in the mobile device shall adopt security reinforcement
measures, such as anti-decompilation protection and integrity checks, to improve
its own security protection level.
9.2 Security of Face Characteristic Capture Module
The security requirements for the face characteristic capture module include, but are
not limited to:
a) It shall comply with the requirements of 7.2 in GB/T 37036.1-2018;
b) A face characteristic capture timeout processing mechanism shall be set. In
other words, within the set effective time, if face samples that meet the quality
requirements and pass the presentation attack detection cannot be captured,
then, the module shall automatically withdraw from the operation;
c) Effective security measures shall be adopted to protect the sensitive data
input by the user, or the captured user’s face data, so as to ensure its
confidentiality and integrity, and ensure that it is not illegally stolen or
tampered with, for example, the implementation through the trusted
environment in the mobile device;
d) After face feature extraction is completed, the user’s face samples shall be
timely removed from the mobile device; ensure that the face samples cannot
be recovered.
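The following sketch shows how items b) and d) above can be combined in one capture loop. It is an added example, not text or code from the standard; the callables capture, quality_ok, pad_ok and extract, the exception name and the 10-second default are assumptions made for illustration.

```python
import time

class CaptureTimeout(Exception):
    """Raised when no acceptable sample arrives within the effective time."""

def wipe(buf: bytearray) -> None:
    # Overwrite the sample in place. In Python this clears only this buffer;
    # copies made by callees are out of its reach.
    for i in range(len(buf)):
        buf[i] = 0

def capture_feature(capture, quality_ok, pad_ok, extract,
                    timeout_s=10.0, clock=time.monotonic):
    """Run capture -> quality judgment -> PAD -> feature extraction under a deadline.

    capture() returns one frame as a bytearray, quality_ok/pad_ok return bool,
    extract() returns the face feature. All four are hypothetical callables.
    """
    deadline = clock() + timeout_s
    while clock() < deadline:
        sample = capture()
        try:
            # A frame is used only if it passes BOTH checks (item b).
            if quality_ok(sample) and pad_ok(sample):
                return extract(sample)
        finally:
            # Item d): the raw sample is cleared whether it was accepted or not.
            wipe(sample)
    # Item b): withdraw from the operation instead of waiting indefinitely.
    raise CaptureTimeout("no acceptable face sample within %.1fs" % timeout_s)
```

The clock parameter exists so the deadline logic can be exercised with a simulated clock; a monotonic clock is the default so that changes to wall-clock time cannot extend the capture window.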
9.3 Security of Face Characteristic Storage Module
When face data is transmitted among different modules of face recognition:
a) During the transmission process, the true identity of the other side of
communication shall be authenticated. After the authentication is passed, a
secure channel shall be established to protect the confidentiality and integrity
of face data during the transmission process;
b) Effective measures shall be adopted to prevent replay attacks, for example,
unpredictable random numbers, time stamps or challenges / responses;
c) In the mode of remote recognition, when transmitting face data from the
mobile device to a remote server for comparison, and returning the
recognition decision-making result, an effective and safe mode shall be
adopted to perform security protection of the transmitted face data and
recognition decision-making result, so as to ensure its confidentiality and
integrity; ensure that it is not stolen or tampered with;
d) Effective security measures shall be adopted to perform security protection of
keys used during the transmission process, for example, the implementation
through the trusted environment in the mobile device.
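Item b) names random numbers, time stamps and challenge/response as replay countermeasures; the added example below (not part of the standard) combines all three on the verifying side. It assumes a shared session key already established by the authentication step in item a), and the 30-second window, class name and message layout are illustrative choices.

```python
import hashlib, hmac, secrets, time

MAX_AGE_S = 30   # assumed freshness window, not a value from the standard

def make_tag(key: bytes, challenge: bytes, timestamp: int, payload: bytes) -> bytes:
    # Fixed-length fields (16 + 8 + 32 bytes) keep the concatenation unambiguous.
    msg = challenge + int(timestamp).to_bytes(8, "big") + hashlib.sha256(payload).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Receiving side: issues one-time challenges and checks the responses."""

    def __init__(self, key: bytes, clock=time.time):
        self.key, self.clock = key, clock
        self.pending = {}                      # challenge -> time it was issued

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)            # unpredictable random number
        self.pending[c] = self.clock()
        return c

    def verify(self, challenge: bytes, timestamp: int, payload: bytes, tag: bytes) -> bool:
        # pop() makes every challenge single-use: a replayed message finds nothing.
        issued = self.pending.pop(challenge, None)
        if issued is None:
            return False
        now = self.clock()
        # Reject stale challenges and timestamps outside the window.
        if now - issued > MAX_AGE_S or abs(now - timestamp) > MAX_AGE_S:
            return False
        expected = make_tag(self.key, challenge, timestamp, payload)
        return hmac.compare_digest(tag, expected)   # constant-time comparison
```

The sending side calls make_tag with the challenge it received, its current time and the face data it transmits. The tag binds the data to one challenge only; confidentiality still depends on the secure channel required by item a).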
9.6 Security of Logs
The security requirements for logs include, but are not limited to:
a) There shall be no clear-text face data, key information or other security-
related parameters in the log records;
b) Security measures shall be adopted to protect the integrity of log information,
for example, digital signature;
c) It shall be equipped with an authorization management mechanism to
manage the operating authorization of adding, deleting and modifying log
records.
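As an added illustration (not part of the standard), the sketch below writes log records that carry only the fields listed under log management earlier on this page and protects them with a keyed hash chain. The chain is a stand-in for the digital signature that item b) gives as an example; the field names, event names and record layout are assumptions.

```python
import hashlib, hmac, json

# Fields the log-management list names for each event; anything else is refused.
ALLOWED = ("time", "event", "user", "result", "cause", "validity")
EVENTS = {"enrollment", "recognition", "log-out", "template-update"}
GENESIS = "0" * 64

def _mac(mac_key: bytes, prev: str, body: str) -> str:
    # prev is always 64 hex characters, so prev + body is unambiguous.
    return hmac.new(mac_key, (prev + body).encode(), hashlib.sha256).hexdigest()

def append(log: list, mac_key: bytes, **fields) -> None:
    """Append one record, chained to its predecessor."""
    extra = set(fields) - set(ALLOWED)
    if extra:
        # Item a): face data, keys and similar parameters never reach the log.
        # Refuse loudly rather than redact silently, so the caller gets fixed.
        raise ValueError("field not permitted in log: %s" % sorted(extra))
    if fields.get("event") not in EVENTS:
        raise ValueError("unknown event type")
    prev = log[-1]["mac"] if log else GENESIS
    body = json.dumps(fields, sort_keys=True)
    log.append({"body": body, "mac": _mac(mac_key, prev, body)})

def verify(log: list, mac_key: bytes) -> int:
    """Return the index of the first record that fails verification, or -1."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(_mac(mac_key, prev, rec["body"]), rec["mac"]):
            return i
        prev = rec["mac"]
    return -1
```

A chain of this kind detects modified, reordered or removed records in the middle of the log; detecting truncation of the newest records additionally requires storing the latest MAC somewhere the log writer cannot alter.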
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.