GB/T 38671-2020 PDF English
Information security technology -- Technical requirements for remote face recognition system
Status: Valid
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Technical
Requirements for Remote Face Recognition System
ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 1, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
4 Overview
5 Security Classification
6 Functional Requirements
7 Performance Requirements
8 Security Function Requirements
9 Security Assurance Requirements
Appendix A (informative) Correspondence between Basic Level and Enhanced Level of Remote Face Recognition System
Appendix B (informative) Security Description of Remote Face Recognition System
Bibliography
Information Security Technology - Technical
Requirements for Remote Face Recognition System
1 Scope
This Standard stipulates the functional, performance, security and security assurance
requirements for information systems that use face recognition technology for remote
identity authentication on the server side.
This Standard is applicable to the research, development and testing of information
systems that use face recognition technology for remote identity authentication on
the server side. The management of such systems may also take it as a reference.
2 Normative References
The following documents are indispensable to the application of this document. In
terms of references with a specified date, only versions with a specified date are
applicable to this document. In terms of references without a specified date, the latest
version (including all the modifications) is applicable to this document.
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 3: Security Assurance Components
GB/T 20271-2006 Information Security Technology - Common Security Techniques
Requirement for Information System
GB/T 26238-2010 Information Technology - Terminology for Biometrics
GB/T 29268.1-2012 Information Technology - Biometric Performance Testing and
Reporting - Part 1: Principles and Framework
GB/T 36651-2018 Information Security Techniques - Biometric Authentication Protocol
Framework Based on Trusted Environment
3 Terms, Definitions and Abbreviations
3.1 Terms and Definitions
The terms and definitions given in GB/T 20271-2006, GB/T 26238-2010, GB/T 29268.1-2012
and GB/T 36651-2018, together with the following, apply to this document.
3.1.1 Biometrics; biometric recognition
Figure 1 -- System Reference Model
4.2 Description of Client Side
4.2.1 Environment detection
Detect the environmental conditions of face collection and determine whether the
environment in which the face characteristics are collected satisfies the collection
requirements, and hence whether face collection shall be initiated.
4.2.2 Face image collection
Analyze and process sample data, for example, the input pictures or videos. Extract
face images that satisfy the quality conditions for face characteristic extraction and
comparison.
4.2.3 Living body detection
Detect and judge whether the collected subject is a live face or an attack using a
prosthetic face. Where conditions allow, determine on the client side whether the face
comparison object is a real and valid human face. If living body detection fails,
no further processing shall be performed.
4.2.4 Quality detection
Judge the quality of face images. This module is often combined with the face detection
and collection module to output face images of the best quality, for the subsequent
characteristic-based modeling and comparison. If the face quality detection fails, then,
no further processing shall be performed.
4.2.5 Security management
Conduct security management of sensitive data, such as client-side passwords,
configuration parameters and user data.
4.3 Description of Server Side
4.3.1 Living body judgment
Perform a secondary judgment on the information collected during client-side living
body detection and combine it with the client-side detection result to reach the final
living body decision.
4.3.2 Quality judgment
Judge the quality of biometric information uploaded to the server side.
4.3.3 Face database
5 Security Classification
The functional, performance and security requirements of the remote face recognition
system are divided into a basic level and an enhanced level. Boldface marks requirements
that are newly added at the enhanced level compared with the basic level. The brief
correspondence between the basic level and the enhanced level is shown in Appendix
A; the system security description is shown in Appendix B. Content of this Standard
that involves cryptographic algorithms shall be implemented in accordance with the
relevant national laws and regulations. Where cryptographic technology is applied to
meet requirements for confidentiality, integrity, authenticity or non-repudiation, it
must comply with the national and industry standards related to cryptography.
6 Functional Requirements
6.1 Basic-level Requirements
6.1.1 User identification
The function of user identification shall be designed and implemented through the
following aspects:
a) All users shall carry out user identification during the registration;
b) It shall have uniqueness;
c) User identification information shall be managed and maintained so as to
ensure that it is not accessed, modified or deleted without authorization.
6.1.2 Face image collection and processing
The face image collection and processing shall be equipped with the following
functions:
a) During the face data collection process, data, for example, personal
information shall be prevented from being leaked;
b) The integrity and consistency of the collected data should be verified;
c) The data collection process should be tracked and recorded; the traceability
of face collection data should be supported;
d) The authenticity of the collected data should be ensured;
e) After collection, residual information shall be eliminated.
6.1.5.1 Face data registration
The modes of registration include on-site registration and remote registration.
If the user uses the client-side device for registration, the registration process shall be
performed in a trusted environment.
6.1.5.2 Face data deregistration
Face data deregistration shall satisfy the following requirements:
a) The deregistration participant is the user who wishes to deregister.
b) Before the deregistration, verify the identity of the authorized de-registrant.
c) After deregistration, the stored face data must be destroyed and shall not be
reused; it must be collected again for the next use.
6.1.5.3 Face data registration and loading
When loading face data in bulk during the face data registration process, this function
shall:
a) Establish security strategies, modes and access control mechanisms for the
loading of collected data among different data sources and different security
domains;
b) Ensure the correctness and consistency of data during the loading of face
data;
c) Ensure the security protection of data during the loading of face data;
d) Record and store the processing of personal information data, for example,
human face, during the loading of face data.
6.1.6 User authentication
6.1.6.1 Authentication timing
Before the actions required by the security function of the face recognition system are
executed, the user who is to execute them shall first be authenticated. Users who fail
authentication shall not be allowed to execute the actions.
6.1.6.2 Face verification
If the function of face verification is provided, then, the following functions shall be
possessed:
a) During face verification, UID shall be provided;
d) When the above attacks or unauthorized operation events occur, the service
shall be cancelled, and an alarm shall be triggered.
6.1.6.6 Decision-making feedback protection
The face recognition decision-making feedback protection shall satisfy the following
requirements:
a) In accordance with the face recognition decision-making strategy, return the
face recognition comparison results; protect the integrity of the feedback
results;
b) During the recognition process, the feedback information provided to the user
shall be prevented from disclosing the user’s face characteristic information
data;
c) It shall return only whether verification passed, and shall not return the
recognition score, so as to prevent hill-climbing attacks.
6.1.6.7 Specification of secrets
A mechanism shall be provided to verify whether the extracted face characteristic
template satisfies the corresponding quality measurement.
When secret information, for example, face characteristic template used for identity
authentication is generated by the face recognition system, the system shall be able
to generate secret information that meets the quality requirements for secret
information. The quality of secret information includes the template size. The
requirements for the quality measurement of the secret information shall be formulated
by the security administrator.
6.1.6.8 Authentication failure
6.1.6.8.1 Basic requirements
Authentication failure handling shall be implemented by pre-defining a value for
unsuccessful authentication attempts (including a threshold on the number of attempts
and the time window in which they occur) and explicitly specifying the measures to be
taken when that value is reached.
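The reason 6.1.6.6 c) forbids returning the score, and why 6.1.6.8 pairs with it, is easiest to see by running the attack. The following is an added example, not code from GB/T 38671-2020 or from any product: it simulates a verifier that leaks its comparison score beside one that returns only pass/fail and locks out after repeated failures. The "templates" are constructed 8-dimensional vectors with a plain Euclidean similarity, and the threshold, step size and lockout parameters are this example's own assumptions; real embeddings have hundreds of dimensions, but the attack has the same shape.

```python
"""Hill-climbing against a score-leaking verifier vs. a pass/fail verifier with lockout.

Added example, not part of GB/T 38671-2020. Templates are constructed
8-dimensional float vectors; the matcher is a plain Euclidean similarity.
"""
import math
import random

DIM = 8
THRESHOLD = 0.90   # assumed decision threshold on the similarity score
STEP = 0.05        # assumed per-coordinate perturbation used by the attacker

# Constructed enrolled template (not real biometric data).
ENROLLED = [0.12, 0.83, 0.45, 0.67, 0.21, 0.94, 0.38, 0.59]


def similarity(a, b):
    """Similarity in [0, 1]: 1.0 means identical vectors."""
    dist = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return 1.0 - dist / math.sqrt(len(a))


class ScoreLeakingVerifier:
    """Non-compliant with 6.1.6.6 c): hands the comparison score back to the caller."""

    def __init__(self, template):
        self.template = template

    def verify(self, probe, now=0.0):
        score = similarity(probe, self.template)
        return score >= THRESHOLD, score


class PassFailVerifier:
    """Compliant: returns only pass/fail and locks out after repeated failures (6.1.6.8)."""

    def __init__(self, template, max_failures=5, window=300.0, lockout=900.0):
        self.template = template
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = []          # timestamps of recent failures
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def verify(self, probe, now):
        if self.is_locked(now):
            return False, None      # no comparison at all while locked
        ok = similarity(probe, self.template) >= THRESHOLD
        if ok:
            self.failures.clear()
            return True, None
        self.failures = [t for t in self.failures if now - t <= self.window] + [now]
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lockout
        return False, None


def hill_climb(verifier, dim, budget, seed=1):
    """Coordinate-wise hill climbing over the verifier's feedback.

    With a score, each query says whether the last change moved closer to the
    template. With pass/fail only, there is no gradient: a change is kept only
    if it happens to be accepted outright.
    """
    rng = random.Random(seed)
    probe = [rng.random() for _ in range(dim)]
    accepted, best = verifier.verify(probe, now=0.0)
    queries = 1
    while not accepted and queries < budget:
        i = rng.randrange(dim)
        candidate = probe[:]
        candidate[i] = min(1.0, max(0.0, candidate[i] + rng.choice((-STEP, STEP))))
        accepted, feedback = verifier.verify(candidate, now=float(queries))
        queries += 1
        if accepted or (feedback is not None and best is not None and feedback > best):
            probe, best = candidate, feedback
    return accepted, queries


def demo():
    """Run both attacks and report whether each verifier was broken."""
    leaky = ScoreLeakingVerifier(ENROLLED)
    strict = PassFailVerifier(ENROLLED)
    leak_ok, leak_q = hill_climb(leaky, DIM, budget=5000)
    strict_ok, strict_q = hill_climb(strict, DIM, budget=200)
    return {
        "leaky_broken": leak_ok, "leaky_queries": leak_q,
        "strict_broken": strict_ok, "strict_locked": strict.is_locked(float(strict_q)),
    }


if __name__ == "__main__":
    print(demo())
```

Against the score-leaking verifier the attacker never needs a face at all: the score is a distance oracle and a few hundred queries walk an arbitrary starting vector inside the acceptance region. Against the pass/fail verifier the same loop has nothing to climb, and the attempt threshold from 6.1.6.8 shuts the oracle after a handful of failures. Note that the lockout is keyed per user here; a production system would also rate-limit per device and per source address so the attacker cannot spread attempts across accounts.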
6.1.6.8.2 Failure determination
During the recognition process, when the following situations occur, the system
determines that the recognition fails:
a) Device failure: the face collector is malfunctioning and cannot successfully
capture images;
c) After deregistration, the stored face data must be destroyed and shall not be
reused; it must be collected again for the next use.
6.2.5.3 Face data registration and loading
When loading face data during the face data registration process, this function shall:
a) Establish security strategies, modes and access control mechanisms for the
loading of collected data among different data sources and different security
domains;
b) Ensure the correctness and consistency of data during the loading of face
data;
c) Ensure the security protection of data during the loading of face data;
d) Record and store the processing of personal information data, for example,
human face, during the loading of face data;
e) A failure recovery method and mechanism for data loading shall be
established, with the capability to detect consistency problems in the loaded
data and to control them.
6.2.6 User authentication
6.2.6.1 Authentication timing
Before the actions required by the security function of the face recognition system are
executed, firstly, the user who is required to execute the actions shall be successfully
authenticated.
6.2.6.2 Face verification
If the function of face verification is provided, then, the following functions shall be
possessed:
a) During face verification, UID shall be provided;
b) In accordance with the user’s identity information, retrieve the user’s face
template;
c) Execute the data packet verification function to check the integrity of the
user’s face template;
d) Execute the data packet verification function to check the integrity of
the user’s collection sample;
e) Compare the face sample characteristics collected and generated in real time
c) Anti-paper-mask forgery: it shall be able to detect or prevent spoofing with
most paper masks worn over a human face;
d) Anti-video forgery: it shall be able to detect or prevent the use of spliced,
substituted or re-recorded video for forgery;
e) Anti-face CG synthesis forgery: it shall be able to detect or prevent the
use of CG technology to synthesize single or multiple face images into
face videos or 3D face models for forgery;
f) Anti-prosthetic mask forgery: it shall be able to detect or prevent
spoofing with most 3D prosthetic face masks (resin masks and silicone
masks);
g) When the above attacks or unauthorized operation events occur, the service
shall be cancelled, and an alarm shall be triggered.
6.2.6.7 Decision-making feedback protection
The face recognition decision-making feedback protection shall satisfy the following
requirements:
a) In accordance with the face recognition decision-making strategy, return the
face recognition comparison results; protect the integrity of the feedback
results;
b) During the recognition process, the feedback information provided to the user
shall be prevented from disclosing the user’s face characteristic information
data.
6.2.6.8 Specification of secrets
A mechanism shall be provided to verify whether the extracted face characteristic
template satisfies the corresponding quality measurement.
When secret information, for example, face characteristic template used for identity
authentication is generated by the face recognition system, the system shall be able
to generate secret information that meets the quality requirements for secret
information. The quality of secret information includes the template size. The
requirements for the quality measurement of the secret information shall be formulated
by the security administrator.
6.2.6.9 Authentication failure
6.2.6.9.1 Basic requirements
By pre-defining the value of unsuccessful authentication attempts (including the
or, there is no user candidate in the stored face template during face
recognition, then, warning message shall be provided;
b) When forged recognition images or recognition data, copying or unauthorized
saving of images and data, non-live faces, or unauthorized database operations
are detected, an alarm message shall be provided.
7 Performance Requirements
7.1 Basic-level Requirements
7.1.1 Face registration
The system’s face registration failure rate shall be not greater than 1%.
7.1.2 Face verification
When the false accept rate is 0.1%, the false reject rate shall be not greater than 5%.
7.1.3 Capabilities of living body detection and prevention
7.1.3.1 Types of attack
The system shall have defensive measures against the following types of attacks:
---Basic-level living body detection (static attack), which can prevent the following
means of attack: printed ordinary face photo, high-definition face paper photo,
face photo replayed on mobile terminal screen and paper mask.
7.1.3.2 Normal pass rate
The normal pass rate of the system’s living body detection shall be not less than 95%.
7.1.3.3 Attack reject rate
The attack reject rate of the system’s living body detection shall be not less than 99%.
7.2 Enhanced-level Requirements
7.2.1 Face registration
The failure rate of the system’s face registration shall be not more than 0.1%.
7.2.2 Face verification
When the false accept rate is 0.01%, the false reject rate shall be not more than
5%.
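The operating points in 7.1.2 and 7.2.2 are checked by fixing the threshold from the impostor score distribution and then measuring the false reject rate of genuine comparisons at that threshold. The following is an added example, not from GB/T 38671-2020 or from any named product: the scores are constructed with a seeded Gaussian generator rather than measured, the decision rule is assumed to be "accept if score >= threshold", and a real evaluation would take the scores from a comparison run conducted as in GB/T 29268.1.

```python
"""Checking the 7.1.2 / 7.2.2 operating points from genuine and impostor scores.

Added example, not from GB/T 38671-2020. Scores below are constructed, not measured.
"""
import random

# Operating points stated in the standard: level -> (target FAR, maximum FRR).
OPERATING_POINTS = {
    "basic": (0.001, 0.05),      # 7.1.2: FAR 0.1 %, FRR <= 5 %
    "enhanced": (0.0001, 0.05),  # 7.2.2: FAR 0.01 %, FRR <= 5 %
}


def threshold_for_far(impostor_scores, target_far):
    """Smallest threshold whose false accept rate on the impostor set is <= target_far."""
    ranked = sorted(impostor_scores, reverse=True)
    allowed = int(target_far * len(ranked))      # impostor accepts permitted
    if allowed == 0:
        # No impostor may be accepted: sit just above the highest impostor score.
        return ranked[0] + 1e-9
    return ranked[allowed - 1]


def false_accept_rate(impostor_scores, t):
    return sum(1 for s in impostor_scores if s >= t) / len(impostor_scores)


def false_reject_rate(genuine_scores, t):
    return sum(1 for s in genuine_scores if s < t) / len(genuine_scores)


def evaluate(genuine_scores, impostor_scores):
    """Per level: the threshold, measured FAR and FRR, and whether the requirement is met."""
    report = {}
    for level, (target_far, max_frr) in OPERATING_POINTS.items():
        t = threshold_for_far(impostor_scores, target_far)
        far = false_accept_rate(impostor_scores, t)
        frr = false_reject_rate(genuine_scores, t)
        report[level] = {"threshold": t, "far": far, "frr": frr,
                         "meets": far <= target_far and frr <= max_frr}
    return report


def constructed_scores(seed=7, genuine_n=2000, impostor_n=50000):
    """Constructed sample scores (not measured data) for a well-separated matcher."""
    rng = random.Random(seed)
    genuine = [min(1.0, rng.gauss(0.90, 0.03)) for _ in range(genuine_n)]
    impostor = [max(0.0, rng.gauss(0.35, 0.10)) for _ in range(impostor_n)]
    return genuine, impostor


if __name__ == "__main__":
    g, i = constructed_scores()
    for level, r in evaluate(g, i).items():
        print(f"{level:9s} threshold={r['threshold']:.3f} "
              f"FAR={r['far']:.5f} FRR={r['frr']:.4f} meets={r['meets']}")
```

The point a tester should take from this is the sample-size constraint: a FAR of 0.01 % with 50 000 impostor comparisons rests on only five accepted impostors, so the enhanced-level threshold is set by the extreme tail of the impostor distribution and needs a correspondingly large impostor set to be meaningful.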
6) Counterfeit face masks;
7) Forged characteristic data or tampered identification result data, user
attribute data and configuration management data;
8) Attempts to save face images;
9) Unauthorized storage of characteristic data;
10) Unauthorized database operations.
b) Audit record shall at least include: the date and time of event, the user, the
type of event, whether the event is successful, and other audit-related
information.
In the log records, there shall be no plain text of face characteristic templates,
private keys, symmetric keys and other security-related parameters.
The audit function component shall be able to associate auditable event with
the identity of the user who initiated the event.
c) For identity authentication events, audit record shall include the source of
request (for example, device identifier).
8.1.1.2 Security audit review
In accordance with different requirements for security audit, security audit review is
divided into:
a) The audit function component shall provide the administrator with the
capability of reviewing all information in the log.
b) The audit function component shall present log information to the reader in
a form suitable for human reading and interpretation.
8.1.1.3 Security audit event selection
The audit function component shall be able to select or exclude auditable events in the
audit event set based on the following attributes:
User ID, type of event, subject ID, object ID, etc.
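One way to meet the record content, no-plaintext-secrets and event selection requirements of 8.1.1.1 to 8.1.1.3 together is to build audit records through a single constructor that knows which fields are mandatory and refuses raw secret material. The following is an added example, not code from GB/T 38671-2020 or from any product: the event vocabulary, field names, the keyed template fingerprint and the sample events are this example's own choices.

```python
"""Audit records for a face recognition service (8.1.1.1 to 8.1.1.3).

Added example, not from GB/T 38671-2020. Event names and fields are assumptions.
"""
import hashlib
import hmac
import json
import time

# Assumed event vocabulary; the standard lists the classes of auditable events
# but does not name them.
EVENT_TYPES = {"register", "deregister", "verify", "identify", "liveness_fail",
               "template_tamper", "unauthorized_db_op", "image_save_attempt"}

# Key used only to derive a pseudonymous handle for a template, so events about
# the same template can be correlated without writing the template to the log.
# Assumed to live in the logging subsystem's key store; placeholder value here.
FINGERPRINT_KEY = b"\x00" * 32


def template_handle(template: bytes) -> str:
    """Keyed fingerprint of a face template; the handle reveals nothing about it."""
    return hmac.new(FINGERPRINT_KEY, template, hashlib.sha256).hexdigest()[:16]


def make_record(event_type, user_id, success, device_id=None, subject_id=None,
                object_id=None, template=None, detail=None, now=None):
    """Build one audit record; refuses raw bytes so templates and keys never land in the log."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type {event_type!r}")
    if event_type in ("verify", "identify") and device_id is None:
        raise ValueError("8.1.1.1 c): authentication events must record the request source")
    if isinstance(detail, (bytes, bytearray)):
        raise TypeError("raw bytes are never written to the audit log")
    ts = time.gmtime(now if now is not None else time.time())
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", ts),
        "event": event_type,
        "user": user_id,                 # 8.1.1.1 b): event bound to the initiating user
        "success": bool(success),
        "device": device_id,             # 8.1.1.1 c): source of the request
        "subject": subject_id,
        "object": object_id,
        "template_handle": template_handle(template) if template is not None else None,
        "detail": detail,
    }


def serialize(rec) -> str:
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))


def leaks_secret(line: str, secrets) -> bool:
    """Self-check: does a serialized record contain any secret, raw or hex-encoded?"""
    return any(s.hex() in line or s.decode("latin-1") in line for s in secrets)


def select(records, **criteria):
    """8.1.1.3: include only records whose attributes (user, event, subject, object ...) match."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def sample_log():
    """Constructed sample events (not real data)."""
    template = bytes(range(32))          # stands in for a face characteristic template
    return [
        make_record("verify", "u1001", True, device_id="dev-7f3a",
                    template=template, now=1_700_000_000),
        make_record("verify", "u1001", False, device_id="dev-7f3a",
                    template=template, detail="score below threshold", now=1_700_000_005),
        make_record("unauthorized_db_op", "dba-2", False, subject_id="dba-2",
                    object_id="face_template_table", now=1_700_000_010),
    ]
```

The keyed handle is a deliberate middle ground: an unkeyed hash of the template would be a stable identifier that any party holding the template could recompute, whereas the HMAC handle correlates events only for whoever holds the logging key, which is what an auditor needs and no more.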
8.1.1.4 Security audit event storage
In accordance with different requirements for security audit, security audit event
storage is divided into:
a) Storage of protected audit trails: the storage of audit trails is properly protected,
faces; satisfy the requirements for data confidentiality protection;
b) Utilize the storage access control module to implement the face data user
identification and authentication strategy and data access control strategy;
implement related security control measures; prevent unauthorized access to
user face data.
8.1.2.3 Data transmission security
Corresponding security control measures that satisfy the data transmission security
strategy shall be adopted, for example, data encryption, so as to protect the
transmission of face recognition data.
8.1.3 Personal information protection
Citizens’ personal privacy information, for example, user face template, shall be
protected, which includes, but is not limited to the following functions:
a) Unlinkability (no association) protection: prevent the stored face template
data from being linked to the user through the application or database;
b) Confidentiality protection: prevent unauthorized users from accessing the face
template data;
c) Residual information protection: the system's security function shall ensure
that, when resources of a defined object within the scope of security control
are allocated or reclaimed, any residual information is unavailable.
8.1.4 Timestamp
The system’s security function shall be able to provide a reliable timestamp for its own
application.
8.1.5 Backup and recovery
The system shall have the function of backup and recovery. When there is a fault that
causes information loss during the system operation, it shall perform information
recovery. When there is a fault that causes system failure during the system operation,
it shall perform system recovery.
8.1.6 Security management
The system shall provide role definitions of system administrator, security administrator
and audit administrator.
System administrator: install, configure and maintain the system; establish and
manage user accounts; execute system backup and recovery.
There are two types of subjects in the system: one is privileged users, including system
administrators, system security officers and system auditors; the other is system
processes that handle specialized transactions.
The object in the system refers to the object that can be operated by the subject,
including the object of image processing and data storage, and the process of user
service. The former mainly includes: registered face templates, face collection samples
and recognition results. The latter mainly includes: system administrator operation
process, database operation process, security officer operation process and auditor
operation process.
8.2.2.2 Data storage security
This function shall:
a) Have the capability of encrypted storage of personal information like human
faces; satisfy the requirements for data confidentiality and integrity protection;
b) Utilize the storage access control module to implement the face data user
identification and authentication strategy and data access control strategy;
implement related security control measures; prevent unauthorized access to
and tampering of user face data;
c) Have the capability of face data backup and corresponding recovery
control measures.
8.2.2.3 Data transmission security
This function shall:
a) Adopt corresponding security control measures that satisfy data transmission
security strategies, such as: secure channel, trusted channel and data
encryption, etc.;
b) Have the capability to authenticate the identity of the principals at both
ends before the transmission channel is established;
c) Have the capability of detecting the integrity of transmission data and
corresponding recovery control measures;
d) Support data authenticity detection; the signature cryptographic
algorithm and combination algorithm specified by the state shall be
adopted to authenticate the source of data.
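Requirements c) and d) of 8.2.2.3, together with the packet verification steps in 6.2.6.2 c) and d) and the replay and man-in-the-middle risks listed in B.2.2, amount to one check on the server: every collection-sample packet must carry a tag bound to its source, its sample and a freshness value, and anything that fails the check is dropped before the sample reaches the matcher. The following is an added example, not code from GB/T 38671-2020 or from any product. The standard requires a state-specified signature algorithm for data authenticity (in practice the SM2/SM3 family); the Python standard library has no SM2, so this example uses an HMAC-SHA256 tag under a per-device key assumed to be provisioned at registration, which gives integrity and source authentication against a network attacker but not non-repudiation. The secure channel itself (requirement b), mutually authenticated) is assumed and not shown; packet layout, field names, window sizes and the keys are this example's own assumptions.

```python
"""Integrity, source authentication and replay rejection for a collection-sample packet.

Added example, not from GB/T 38671-2020. HMAC stands in for the mandated signature
algorithm; field names, windows and keys are assumptions.
"""
import hashlib
import hmac
import json
import secrets
from collections import OrderedDict

REPLAY_WINDOW = 60.0        # seconds a packet timestamp may differ from server time
MAX_NONCE_CACHE = 10_000    # nonces kept; only those inside the window matter


def canonical(fields: dict) -> bytes:
    """Deterministic byte encoding that both ends compute identically."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class ClientDevice:
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self.key = device_id, key

    def build_packet(self, uid: str, sample: bytes, now: float) -> dict:
        body = {
            "device_id": self.device_id,
            "uid": uid,
            "ts": round(now, 3),
            "nonce": secrets.token_hex(16),
            "sample_sha256": hashlib.sha256(sample).hexdigest(),  # binds the sample to the tag
        }
        tag = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        return {"body": body, "sample": sample.hex(), "tag": tag}


class VerificationServer:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys      # device_id -> key, established at registration
        self.seen_nonces = OrderedDict()    # nonce -> ts, bounded replay cache

    def accept(self, packet: dict, now: float):
        """Return (ok, reason). Any failure aborts before the sample reaches the matcher."""
        body, tag = packet.get("body", {}), packet.get("tag", "")
        key = self.device_keys.get(body.get("device_id"))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"                      # tampered body or wrong source
        sample = bytes.fromhex(packet.get("sample", ""))
        if hashlib.sha256(sample).hexdigest() != body["sample_sha256"]:
            return False, "sample does not match tag"   # sample swapped in transit
        if abs(now - body["ts"]) > REPLAY_WINDOW:
            return False, "stale timestamp"
        if body["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces[body["nonce"]] = body["ts"]
        while len(self.seen_nonces) > MAX_NONCE_CACHE:
            self.seen_nonces.popitem(last=False)
        return True, "ok"
```

The order of the checks matters: the tag is verified before anything in the body is trusted, the sample hash is checked before the sample is parsed, and the nonce is recorded only after every other check passes, so an attacker cannot fill the replay cache with packets that would have been rejected anyway.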
8.2.3 Personal information protection
Citizens’ personal privacy information, for example, user face template, shall be
Appendix B
(informative)
Security Description of Remote Face Recognition System
B.1 Protected Assets
B.1.1 Purpose of description
The security issue descriptions, security objectives and security demands described in
this Appendix are all for the protection of the protected assets described in this
Standard.
B.1.2 Type of user data
B.1.2.1 Overview
User data refers to data generated by or for users. The data does not affect the
operation of the system’s security functions.
B.1.2.2 System configuration data
System configuration data of face collection module, face recognition module and face
comparison strategy module.
B.1.2.3 Face image data
Face image data is collected by the system.
B.1.2.4 Face processing data
Face feature item data, face template data and face matching result data generated
by the system for the output of face recognition results.
B.1.2.5 Output data
During the recognition process, manually output data, for example, identity information
input by the user during the registration.
B.1.2.6 Transmission data
Transmission data includes:
a) Data transmitted between the collection module and the processing module;
b) Data transmitted between the face database and the comparison module;
various security threats usually encountered by information systems.
B.2.2 Security threat analysis of face recognition system
The main security risks of the face recognition system in living body detection, face
quality detection, face template registration and face comparison are: user
counterfeiting, server counterfeiting, leakage of face data and face templates
(characteristics), and weaknesses of the identity authentication protocol (such as
man-in-the-middle and replay attacks). See the details below:
a) Living body detection
The function of living body detection generally runs on the user terminal.
There are risks, such as: the vulnerability of the detection algorithm and the
security vulnerability of the software itself. Generally speaking, the person in
front of the camera is verified to be a real person, instead of forged photos or
videos, through detection or challenge. If the detection algorithm is relatively
vulnerable, it is highly possible that it will be deceived by the attacker.
In addition, living body detection software runs on the user terminal, for
example, a mobile phone. If the software itself is not properly protected, it can
be easily analyzed, cracked and tampered with by an attacker, who can then bypass
the living body detection. Some living body detection software consumes
considerable resources, so on a user terminal of limited performance the detection
performance may degrade.
b) Face quality detection
Face quality detection is a function of auxiliary recognition that runs on the
user terminal, and its purpose is to obtain ideal face images.
There are risks, such as: vulnerability of detection algorithm and security
vulnerability of the software itself.
c) Template registration
Face template registration includes face image transmission, face biometrics
extraction and face biometrics storage process. It is an important process of
face recognition and authentication. There are risks, such as: sniffing during
the transmission process, information leakage of the biometric database and
counterfeiting on the server side.
Meanwhile, there are also risks of the vulnerability of face biometrics-based
identity authentication protocol (such as: man-in-the-middle, replay attack,
etc.).
d) Face comparison
---It is assumed that the identity of registered users can be verified through the
correct process.
---The administrator is trustable; has been formally trained; follows the
administrator’s guide.
---The system shall satisfy the environmental conditions of operation, including the
detection of face recognition environment (light, position, angle, distance and
occlusion, etc.), and the environment detection of face auxiliary factors
(voiceprint and voice, etc.).
---The system shall satisfy the hardware conditions of operation.
B.4 Security Objective
B.4.1 Overview
The face recognition system provides an identity authentication mechanism in which
the human user is the accessing subject. Its security purpose is to provide a solution
that defends against the system security threats.
B.4.2 Security objective for evaluation object
B.4.2.1 Prevent unauthorized disclosure and modification of system
configuration data and face processing data
The various modules of the system shall protect the system configuration data and
face processing data, so as to prevent unauthorized disclosure and modification.
Example 1: identification and authentication of the operating user.
Example 2: division of different permissions for different operations.
B.4.2.2 Prevent forgery, repudiation and unauthorized changes of input data and
transmission data
The various modules of the system shall protect the input data and transmission data,
so as to prevent forgery, repudiation and unauthorized changes.
Example 1: information transmission shall identify and authenticate the communication
party, and the identification shall be compared with the previous settings.
Example 2: information transmission shall correctly identify the transmission data.
However, when different components are physically deployed in the same
environment, the identification and authentication of the communication party
may adopt a mode different from the identification and authentication during
network transmission, or, the transmission data may no longer be
authenticated.
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.