
GB/T 38671-2020 PDF English


Standard ID: GB/T 38671-2020 (English PDF)
Name of Chinese Standard: Information security technology -- Technical requirements for remote face recognition system
Status: Valid

GB/T 38671-2020

GB
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA

ICS 35.040
L 80

Information Security Technology - Technical Requirements for Remote Face Recognition System

ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 1, 2020

Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.

Table of Contents

Foreword
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
4 Overview
5 Security Classification
6 Functional Requirements
7 Performance Requirements
8 Security Function Requirements
9 Security Assurance Requirements
Appendix A (informative) Correspondence between Basic Level and Enhanced Level of Remote Face Recognition System
Appendix B (informative) Security Description of Remote Face Recognition System
Bibliography

Information Security Technology - Technical Requirements for Remote Face Recognition System

1 Scope

This Standard stipulates the functions, performance, security requirements and security assurance requirements of information system that adopts face recognition technology for remote identity authentication on the server side.

This Standard is applicable to the research, development and testing of information system that adopts face recognition technology for remote identity authentication on the server side. The management of the system may take this as a reference.

2 Normative References

The following documents are indispensable to the application of this document. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Components
GB/T 20271-2006 Information Security Technology - Common Security Techniques Requirement for Information System
GB/T 26238-2010 Information Technology - Terminology for Biometrics
GB/T 29268.1-2012 Information Technology - Biometric Performance Testing and Reporting - Part 1: Principles and Framework
GB/T 36651-2018 Information Security Techniques - Biometric Authentication Protocol Framework Based on Trusted Environment

3 Terms, Definitions and Abbreviations

3.1 Terms and Definitions

The terms and definitions in GB/T 20271-2006, GB/T 26238-2010, GB/T 29268.1-2012 and GB/T 36651-2018, together with the following terms and definitions, are applicable to this document.

3.1.1 Biometrics; biometric recognition

Figure 1 -- System Reference Model

4.2 Description of Client Side

4.2.1 Environment detection

Detect the environmental conditions of face collection; determine whether the environment in which the face characteristics are collected satisfies the collection requirements, and thus whether face collection shall be initiated.

4.2.2 Face image collection

Analyze and process sample data, for example, the input pictures or videos. Extract face images that satisfy the quality conditions for face characteristic extraction and comparison.

4.2.3 Living body detection

Detect and judge whether the collected subject is a live face or an attack using a prosthetic face. When conditions allow, determine on the client side whether the face comparison object is a real and valid human face. If the living body detection fails, no further processing shall be performed.

4.2.4 Quality detection

Judge the quality of face images. This module is often combined with the face detection and collection module to output face images of the best quality for the subsequent characteristic-based modeling and comparison.
If the face quality detection fails, no further processing shall be performed.

4.2.5 Security management

Conduct security management of sensitive data, such as client-side passwords, configuration parameters and user data.

4.3 Description of Server Side

4.3.1 Living body judgment

Conduct secondary judgment of information collected during the live face detection process on the client side. Combine the detection results of the client side to complete the final living body judgment.

4.3.2 Quality judgment

Judge the quality of biometric information uploaded to the server side.

4.3.3 Face database

5 Security Classification

The functions, performance and security requirements of the remote face recognition system are divided into basic level and enhanced level. The boldfaces are the newly added requirements of the enhanced level in comparison with the basic level. The brief correspondence between the basic level and the enhanced level is shown in Appendix A; the system security description is shown in Appendix B.

Relevant content of this Standard that involves cryptographic algorithm shall be implemented in accordance with the relevant national laws and regulations. Those involving the application of cryptographic technology to solve the requirements of confidentiality, integrity, authenticity and non-repudiation must comply with the national standards and industry standards related to cryptography.

6 Functional Requirements

6.1 Basic-level Requirements

6.1.1 User identification

The function of user identification shall be designed and implemented through the following aspects:
a) All users shall carry out user identification during the registration;
b) It shall have uniqueness;
c) User identification information shall be managed and maintained, so as to ensure that it is not accessed, modified or deleted without authorization.
6.1.2 Face image collection and processing

The face image collection and processing shall be equipped with the following functions:
a) During the face data collection process, data, for example, personal information shall be prevented from being leaked;
b) The integrity and consistency of the collected data should be verified;
c) The data collection process should be tracked and recorded; the traceability of face collection data should be supported;
d) The authenticity of the collected data should be ensured;
e) After collection, residual information shall be eliminated.

6.1.5.1 Face data registration

The modes of registration include on-site registration and remote registration. If the user uses the client-side device for registration, the registration process shall be performed in a trusted environment.

6.1.5.2 Face data deregistration

Face data deregistration shall satisfy the following requirements:
a) The deregistration participant is the user who wishes to deregister.
b) Before the deregistration, verify the identity of the authorized de-registrant.
c) After the deregistration, the face data in the memory must be destroyed and cannot be repeatedly used. It needs to be collected again for the next use.

6.1.5.3 Face data registration and loading

When loading face data in bulk during the face data registration process, this function shall:
a) Establish security strategies, modes and access control mechanisms for the loading of collected data among different data sources and different security domains;
b) Ensure the correctness and consistency of data during the loading of face data;
c) Ensure the security protection of data during the loading of face data;
d) Record and store the processing of personal information data, for example, human face, during the loading of face data.
6.1.6 User authentication

6.1.6.1 Authentication timing

Before the actions required by the security function of the face recognition system are executed, the user who is required to execute the actions shall first be authenticated. Those who fail the authentication will not execute the actions.

6.1.6.2 Face verification

If the function of face verification is provided, then the following functions shall be possessed:
a) During face verification, UID shall be provided;

d) When the above attacks or unauthorized operation events occur, the service shall be cancelled, and an alarm shall be triggered.

6.1.6.6 Decision-making feedback protection

The face recognition decision-making feedback protection shall satisfy the following requirements:
a) In accordance with the face recognition decision-making strategy, return the face recognition comparison results; protect the integrity of the feedback results;
b) During the recognition process, the feedback information provided to the user shall be prevented from disclosing the user’s face characteristic information data;
c) It shall only return whether or not the recognition passes, and shall not feed back the recognition score, so as to prevent hill-climbing attack.

6.1.6.7 Specification of secrets

A mechanism shall be provided to verify whether the extracted face characteristic template satisfies the corresponding quality measurement.

When secret information, for example, face characteristic template used for identity authentication, is generated by the face recognition system, the system shall be able to generate secret information that meets the quality requirements for secret information. The quality of secret information includes the template size. The requirements for the quality measurement of the secret information shall be formulated by the security administrator.
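An added example, not part of the standard, showing one way a server-side decision step can meet clause 6.1.6.6 (pass/fail feedback only, integrity-protected) together with the attempt threshold of clause 6.1.6.8.1. The class name, threshold values and key are assumptions, and HMAC-SHA256 stands in for whichever nationally approved algorithm a deployment must use.

```python
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Assumed policy values: the standard leaves the thresholds to the deployment.
MATCH_THRESHOLD = 0.80   # comparison score needed to pass
MAX_FAILURES = 5         # failed attempts allowed per UID ...
WINDOW_SECONDS = 300     # ... within this sliding time window
FEEDBACK_KEY = b"constructed-demo-key"  # constructed; provision per deployment


class FaceVerifier:
    """Server-side decision step: pass/fail feedback only, with lockout."""

    def __init__(self, key=FEEDBACK_KEY, clock=time.time):
        self._key = key
        self._clock = clock
        self._failures = defaultdict(deque)  # uid -> failure timestamps

    def is_locked(self, uid):
        """True once MAX_FAILURES failures fall inside the time window."""
        now = self._clock()
        recent = self._failures[uid]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        return len(recent) >= MAX_FAILURES

    def decide(self, uid, score, nonce):
        """Turn a comparison score into integrity-protected feedback."""
        if self.is_locked(uid):
            passed = False                      # locked: score is ignored
        else:
            passed = score >= MATCH_THRESHOLD
            if passed:
                self._failures[uid].clear()
            else:
                self._failures[uid].append(self._clock())
        # The score never enters the body, so close and distant misses
        # are indistinguishable to the caller.
        body = json.dumps({"uid": uid, "nonce": nonce, "passed": passed},
                          sort_keys=True)
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


def verify_feedback(message, key=FEEDBACK_KEY):
    """Relying-party check: return the decoded body, or None if altered."""
    expected = hmac.new(key, message["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["body"])
```

The nonce is supplied by the requester so that a recorded "passed" reply cannot be reused for a later request.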
6.1.6.8 Authentication failure

6.1.6.8.1 Basic requirements

The processing of authentication failure is implemented by pre-defining the value of unsuccessful authentication attempts (including the threshold of the number and the time of attempts), and explicitly specifying the measures that shall be taken when this value is reached.

6.1.6.8.2 Failure determination

During the recognition process, when the following situations occur, the system determines that the recognition fails:
a) Device failure: the face collector is malfunctioning and cannot successfully capture images;

c) After the deregistration, the face data in the memory must be destroyed and cannot be repeatedly used. It needs to be collected again for the next use.

6.2.5.3 Face data registration and loading

When loading face data during the face data registration process, this function shall:
a) Establish security strategies, modes and access control mechanisms for the loading of collected data among different data sources and different security domains;
b) Ensure the correctness and consistency of data during the loading of face data;
c) Ensure the security protection of data during the loading of face data;
d) Record and store the processing of personal information data, for example, human face, during the loading of face data;
e) The failure recovery method and mechanism for data loading shall be established; the capability of loading-data consistency detection and problem control shall be equipped.

6.2.6 User authentication

6.2.6.1 Authentication timing

Before the actions required by the security function of the face recognition system are executed, the user who is required to execute the actions shall first be successfully authenticated.
6.2.6.2 Face verification

If the function of face verification is provided, then, the following functions shall be possessed:
a) During face verification, UID shall be provided;
b) In accordance with the user’s identity information, retrieve the user’s face template;
c) Execute the data packet verification function to check the integrity of the user’s face template;
d) Execute the data packet verification function to check the integrity of the user’s collection sample;
e) Compare the face sample characteristics collected and generated in real time

c) Forgery of paper masks: it shall be able to detect or prevent the counterfeiting of using most paper masks on human faces;
d) Anti-video forgery: it shall be able to detect or prevent the use of splicing, replacement and video remaking for forgery;
e) Anti-face CG synthesis forgery: it shall be able to detect or prevent the use of CG technology to synthesize single or multiple face images into face videos or 3D face models for forgery;
f) Anti-prosthetic mask forgery: it shall be able to detect or prevent counterfeiting of using most human face 3D prosthetic masks (resin masks and silicone masks);
g) When the above attacks or unauthorized operation events occur, the service shall be cancelled, and an alarm shall be triggered.

6.2.6.7 Decision-making feedback protection

The face recognition decision-making feedback protection shall satisfy the following requirements:
a) In accordance with the face recognition decision-making strategy, return the face recognition comparison results; protect the integrity of the feedback results;
b) During the recognition process, the feedback information provided to the user shall be prevented from disclosing the user’s face characteristic information data.

6.2.6.8 Specification of secrets

A mechanism shall be provided to verify whether the extracted face characteristic template satisfies the corresponding quality measurement.
When secret information, for example, face characteristic template used for identity authentication is generated by the face recognition system, the system shall be able to generate secret information that meets the quality requirements for secret information. The quality of secret information includes the template size. The requirements for the quality measurement of the secret information shall be formulated by the security administrator.

6.2.6.9 Authentication failure

6.2.6.9.1 Basic requirements

By pre-defining the value of unsuccessful authentication attempts (including the

or, there is no user candidate in the stored face template during face recognition, then, warning message shall be provided;
b) When forged recognition images, recognition data, or, copied and unauthorized saving of images and data, or, non-live faces or unauthorized database operations are detected, alarm messages shall be provided.

7 Performance Requirements

7.1 Basic-level Requirements

7.1.1 Face registration

The system’s face registration failure rate shall be not greater than 1%.

7.1.2 Face verification

When the false accept rate is 0.1%, the false reject rate shall be not greater than 5%.

7.1.3 Capabilities of living body detection and prevention

7.1.3.1 Types of attack

The system shall have defensive measures against the following types of attacks:
---Basic-level living body detection (static attack), which can prevent the following means of attack: printed ordinary face photo, high-definition face paper photo, face photo replayed on mobile terminal screen and paper mask.

7.1.3.2 Normal pass rate

The normal pass rate of the system’s living body detection shall be not less than 95%.

7.1.3.3 Attack reject rate

The attack reject rate of the system’s living body detection shall be not less than 99%.

7.2 Enhanced-level Requirements

7.2.1 Face registration

The failure rate of the system’s face registration shall be not more than 0.1%.
7.2.2 Face verification

When the false accept rate is 0.01%, the false reject rate shall be not more than 5%.

6) Counterfeit face masks;
7) Forged characteristic data or tampered identification result data, user attribute data and configuration management data;
8) Attempts to save face images;
9) Unauthorized storage of characteristic data;
10) Unauthorized database operations.
b) Audit record shall at least include: the date and time of event, the user, the type of event, whether the event is successful, and other audit-related information. In the log records, there shall be no plain text of face characteristic templates, private keys, symmetric keys and other security-related parameters. The audit function component shall be able to associate auditable event with the identity of the user who initiated the event.
c) For identity authentication events, audit record shall include the source of request (for example, device identifier).

8.1.1.2 Security audit review

In accordance with different requirements for security audit, security audit review is divided into:
a) The audit function component shall provide the administrator with the capability of reviewing all information in the log.
b) The audit function component shall provide the reader with log information in a mode suitable for reading and interpretation.

8.1.1.3 Security audit event selection

The audit function component shall be able to select or exclude auditable events in the audit event set based on the following attributes: User ID, type of event, subject ID, object ID, etc.
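An added example, not part of the standard, of an audit record builder that carries the fields listed in item b) above, requires the request source for identity authentication events as in item c), keeps templates and keys out of the log, and supports the attribute-based selection of clause 8.1.1.3. The field names, event type names and the set of sensitive keys are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timezone

# Hypothetical field names treated as secret material; extend per deployment.
SENSITIVE_KEYS = {"face_template", "feature_vector", "face_image",
                  "private_key", "symmetric_key"}
REDACTED = "[REDACTED]"


def _scrub(value, key=""):
    """Replace secret fields and raw binary values before they are logged."""
    if key.lower() in SENSITIVE_KEYS or isinstance(value, (bytes, bytearray)):
        return REDACTED
    if isinstance(value, dict):
        return {k: _scrub(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [_scrub(v, key) for v in value]
    return value


def make_audit_record(event_type, user_id, success,
                      source_device=None, details=None, now=None):
    """Build one audit record with the minimum fields of item b)."""
    if event_type == "identity_authentication" and not source_device:
        # Item c): authentication events must name the source of the request.
        raise ValueError("identity authentication events need a request source")
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "time": ts.isoformat(timespec="seconds"),   # date and time of event
        "user_id": user_id,                         # who initiated the event
        "event_type": event_type,
        "success": bool(success),
        "source_device": source_device,
        "details": _scrub(details or {}),           # other audit information
    }


def select_events(records, include=None, exclude=None):
    """Clause 8.1.1.3: select or exclude events by attribute values."""
    include, exclude = include or {}, exclude or {}
    return [r for r in records
            if all(r.get(k) == v for k, v in include.items())
            and not any(r.get(k) == v for k, v in exclude.items())]


def to_log_line(record):
    """Serialize a record as one JSON line for an append-only log."""
    return json.dumps(record, sort_keys=True)
```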
8.1.1.4 Security audit event storage

In accordance with different requirements for security audit, security audit event storage is divided into:
a) Storage of protected audit trails: the storage of audit trails is properly protected,

faces; satisfy the requirements for data confidentiality protection;
b) Utilize the storage access control module to implement the face data user identification and authentication strategy and data access control strategy; implement related security control measures; prevent unauthorized access to user face data.

8.1.2.3 Data transmission security

Corresponding security control measures that satisfy the data transmission security strategy shall be adopted, for example, data encryption, so as to protect the transmission of face recognition data.

8.1.3 Personal information protection

Citizens’ personal privacy information, for example, user face template, shall be protected, which includes, but is not limited to the following functions:
a) No association protection: prevent the association with the stored face template data through the application or database;
b) Confidentiality protection: prevent unauthorized users from accessing the face template data;
c) Residual information protection: it is requested that the system’s security function shall be able to ensure that when allocating or recycling resources of a defined object within the scope of security control, the residual information is unavailable.

8.1.4 Timestamp

The system’s security function shall be able to provide a reliable timestamp for its own application.

8.1.5 Backup and recovery

The system shall have the function of backup and recovery. When there is a fault that causes information loss during the system operation, it shall perform information recovery. When there is a fault that causes system failure during the system operation, it shall perform system recovery.
8.1.6 Security management

The system shall provide role definitions of system administrator, security administrator and audit administrator.

System administrator: install, configure and maintain the system; establish and manage user accounts; execute system backup and recovery.

There are two types of subjects in the system: one is privileged users, including system administrators, system security officers and system auditors; the other is system processes that handle specialized transactions. The object in the system refers to the object that can be operated by the subject, including the object of image processing and data storage, and the process of user service. The former mainly includes: registered face templates, face collection samples and recognition results. The latter mainly includes: system administrator operation process, database operation process, security officer operation process and auditor operation process.

8.2.2.2 Data storage security

This function shall:
a) Have the capability of encrypted storage of personal information like human faces; satisfy the requirements for data confidentiality and integrity protection;
b) Utilize the storage access control module to implement the face data user identification and authentication strategy and data access control strategy; implement related security control measures; prevent unauthorized access to and tampering with user face data;
c) Have the capability of face data backup and corresponding recovery control measures.
8.2.2.3 Data transmission security

This function shall:
a) Adopt corresponding security control measures that satisfy data transmission security strategies, such as: secure channel, trusted channel and data encryption, etc.;
b) Have the capability of identity authentication of the main body at both ends before constructing the transmission channel;
c) Have the capability of detecting the integrity of transmission data and corresponding recovery control measures;
d) Support data authenticity detection; the signature cryptographic algorithm and combination algorithm specified by the state shall be adopted to authenticate the source of data.

8.2.3 Personal information protection

Citizens’ personal privacy information, for example, user face template, shall be

Appendix B (informative) Security Description of Remote Face Recognition System

B.1 Protected Assets

B.1.1 Purpose of description

The security issue descriptions, security objectives and security demands described in this Appendix are all for the protection of the protected assets described in this Standard.

B.1.2 Type of user data

B.1.2.1 Overview

User data refers to data generated by or for users. The data does not affect the operation of the system’s security functions.

B.1.2.2 System configuration data

System configuration data of face collection module, face recognition module and face comparison strategy module.

B.1.2.3 Face image data

Face image data is collected by the system.

B.1.2.4 Face processing data

Face feature item data, face template data and face matching result data generated by the system for the output of face recognition results.

B.1.2.5 Output data

During the recognition process, manually output data, for example, identity information input by the user during the registration.
B.1.2.6 Transmission data

Transmission data includes:
a) Data transmitted between the collection module and the processing module;
b) Data transmitted between the face database and the comparison module;

various security threats usually encountered by information systems.

B.2.2 Security threat analysis of face recognition system

The main security risks of the face recognition system in living body detection, face quality detection, face template registration and face comparison process are: user counterfeiting, counterfeiting, server counterfeiting, and information leakage of face data and face template (characteristic), vulnerability of identity authentication protocol (such as: man-in-the-middle, replay attack, etc.). See the details below:

a) Living body detection

The function of living body detection generally runs on the user terminal. There are risks, such as the vulnerability of the detection algorithm and the security vulnerability of the software itself. Generally speaking, the person in front of the camera is verified to be a real person, instead of forged photos or videos, through detection or challenge. If the detection algorithm is relatively vulnerable, it is highly possible that it will be deceived by the attacker. In addition, living body detection software runs on the user terminal, for example, mobile phones. If the software itself is not properly protected, it can be easily analyzed, cracked and tampered with by an attacker, who can bypass the living body detection. Some living body detection software needs to consume excessive resources. Due to the influence of the performance of the user terminal, the detection performance may decline.

b) Face quality detection

Face quality detection is a function of auxiliary recognition that runs on the user terminal, and its purpose is to obtain ideal face images. There are risks, such as vulnerability of detection algorithm and security vulnerability of the software itself.
c) Template registration

Face template registration includes face image transmission, face biometrics extraction and face biometrics storage process. It is an important process of face recognition and authentication. There are risks, such as sniffing during the transmission process, information leakage of the biometric database and counterfeiting on the server side. Meanwhile, there are also risks of the vulnerability of face biometrics-based identity authentication protocol (such as: man-in-the-middle, replay attack, etc.).

d) Face comparison

---It is assumed that the identity of registered users can be verified through the correct process.
---The administrator is trustworthy; has been formally trained; follows the administrator’s guide.
---The system shall satisfy the environmental conditions of operation, including the detection of face recognition environment (light, position, angle, distance and occlusion, etc.), and the environment detection of face auxiliary factors (voiceprint and voice, etc.).
---The system shall satisfy the hardware conditions of operation.

B.4 Security Objective

B.4.1 Overview

The face recognition system provides an identity authentication mechanism, in which the human user subject is a visitor. Its security purpose is to provide a solution to defend against system security threats.

B.4.2 Security objective for evaluation object

B.4.2.1 Prevent unauthorized disclosure and modification of system configuration data and face processing data

The various modules of the system shall protect the system configuration data and face processing data, so as to prevent unauthorized disclosure and modification.

Example 1: identification and authentication of the operating user.
Example 2: division of different permissions for different operations.
B.4.2.2 Prevent forgery, repudiation and unauthorized changes of input data and transmission data

The various modules of the system shall protect the input data and transmission data, so as to prevent forgery, repudiation and unauthorized changes.

Example 1: information transmission shall identify and authenticate the communication party, and the identification shall be compared with the previous settings.
Example 2: information transmission shall correctly identify the transmission data.

However, when different components are physically deployed in the same environment, the identification and authentication of the communication party may adopt a mode different from the identification and authentication during network transmission, or, the transmission data may no longer be authenticated.

......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.