Comments on the Human-Authentication API may be sent to:

Major John Colombi, Ph.D., USAF

U.S. Biometrics Consortium

c/o NSA/ R22, Suite 6516

9800 Savage Road

Fort Meade, MD 20755-6516

or emailed to:

jmcolom@alpha.ncsc.mil

1.0 Scope *

1.1 Purpose *

1.2 Background *

1.3 Overview *

2.0 Architecture *

3.0 Functions *

3.1 Enrollment *

3.2 Matching *

4.0 API Definitions *

4.1 Biometric Technology Functions *

4.2 Biometric Authentication Functions *

4.3 Biometric Utility Functions *

5.0 Service Provider Interface *

5.1 Description *

5.2 User Interface *

5.3 The Enrollment Wizard *

5.4 Update Enrollment *

5.5 Standard Capture Screen *

5.6 Processing Interface *

5.7 Verify Interface *

5.8 LiveVerify Interface *

5.9 Free Memory *

5.10 Technology Specific Parameters *

5.11 Standard Biometric Properties Screen *

6.0 Structures *

6.1 Raw Biometric Data Structure *

6.2 Biometric Identifier Record Structure *

6.3 HA-API Header Structure *

6.4 Biometric Technology Structure *

6.5 BUID Structure *

6.6 Scoring Record Structure *

6.7 Scoring Data Structure *

6.8 Threshold Record Structure *

6.9 Threshold Data Structure *

6.10 Screen Attributes Structure *

6.11 Enrollment Pages Structure *

7.0 Sample message flows *

7.1 Enrollment *

7.2 Verification *

8.0 References *

9.0 Glossary *

9.1 Acronyms *

9.2 Definitions *

Appendix A - Function Prototypes *

Appendix B - Defines *

Appendix C - Enumerated Types *

Appendix D - C++ Classes *

Appendix E - Error Codes, BUIDs and GUIDs *

Appendix F - Scores and Thresholds *

Appendix G - Sample Screens *

REVISION HISTORY

Revision	Date of Issue	Revision Summary
1.0	27 Aug 97	Baseline
1.01	24 Oct 97	Unicode strings, HAAPI function names
1.02	21 Nov 97	Vendor independent
1.03	30 Dec 97	Incorporate mods from pilot implementation: Add function - HAAPIFree Add parameter - lpScreenAttribs Add parameter - lpPages Restructure error codes Break out Biometric Utility function as category Differentiate API from pilot implementation
1.04	2 Apr 98	Incorporate changes agreed at 22 Jan 98 HA-API Steering Group meeting: Add function - HAAPI Update Add function - HAAPIBioProperties Added Score/Threshold Structure and discussion Added support for model adaptation in verify functions Added parameters to several functions to add flexibility Added several clarifying notes Added GUID / Error Code Description Additional sample flows
2.0	22 Apr 98	Feedback from Steering Group - grammatical changes only

The purpose of this document is to define a generic human authentication - application programming interface (HA-API) that can be used to interface computer software applications to a set of distinct biometric technologies for user authentication.

There is interest in the Department of Defense in applying biometrics to the broad area of computer security. One specific area that biometrics can be utilized is user identification and authentication (I&A).

Providing strong user authentication has long been a dilemma for information systems security professionals. Many excellent mechanisms exist today to authenticate one end of a communications link or network to the other. However, these peer-entity authentication mechanisms fail to perform the final step – user authentication. Without strong user authentication, a user has little assurance that the intended recipient actually is at the other end of the communications path.

To accelerate the commercial development of applications that use biometrics for positive identification purposes, it was determined that a generic biometric API was required. Such an API would allow a common set of instructions to be used to integrate a wide range of biometric technologies to many different applications, including computer/network I&A.

To meet the goal of expanding the use of biometrics by allowing for the interchangeability of biometric technologies within a broad range of applications, a two part project was conceived:

1. Define a generic biometric API that can be used to interface a computer software application to a set of various biometric technologies
2. Demonstrate the viability of this API by extending a commercial product, using at least 2 different biometric technology engines, as a proof of concept.

A standard, generic API is needed within the biometric industry for a number of reasons.

One of the inhibitors to the widespread adoption of biometrics has been the hesitancy of system integrators to get "locked in" to a single biometric technology, vendor, or product. Some undergo extensive evaluations to be sure they pick the right biometric, and others adopt a "wait and see" approach. A standard API would allow an integrator to go forward with a tentative selection, programming to the API. Should he later decide that another biometric would be more suitable, it could be substituted with minimal changes to the calling application. In addition to allowing substitution of biometrics, a common API would also provide for leveraging of a single biometric technology across multiple applications as well as allowing one application to integrate multiple biometric technologies using the same interface.

A proof-of-concept was performed which implemented HA-API within a commercial network authentication product with multiple biometric technologies in a Windows-NT environment. This implementation of the HA-API interface successfully completed beta testing in January 1998 and successfully demonstrated the viability of the API.

The HA-API was initially published for public comment on 21 Nov 97 as Ver 1.02. On 22 Jan 98, a HA-API Steering Group was formed and met to discuss comments, enhancements, and support for HA-API as an emerging standard. As a result of the inputs compiled at this meeting, this current version was generated.

One of the basic methods used to maintain the security of a computer or network system is to verify the identity of the user – ensuring that the user is who he or she claims to be. Reliable authentication mechanisms are critical to the security of any automated information system as well as other access control systems. If the identity of legitimate users can be verified with an acceptable degree of accuracy, those attempting to gain access without proper authorization can be denied permission to use the system. Once verified, access control techniques can be applied to mediate that user’s access to specific system resources. In addition, the user’s actions while using the system can be audited.

There are three (3) generally accepted methods for performing user authentication. These are based on:

1. Something the user KNOWS (such as a password)
2. Something the user POSSESSES (such as a card/badge, called tokens)
3. Something the user IS (a physical characteristic, or biometric, such as a fingerprint)

These may be used independently or in conjunction with one another, to further increase the security level of the system.

Passwords. This is the most commonly used authentication mechanism today. However, passwords can be compromised in many ways - they can be forgotten, written down, guessed, stolen, "cracked", or shared.

Tokens. The identity of a user can be proven by requiring that the user demonstrate possession of a physical object that is unique to that user, or group of users. These are usually encoded with information used in the authentication process. Tokens can be lost, forgotten, stolen, given away, or duplicated.

Biometrics. Authentication can be accomplished by measurement of a unique biological or behavioral feature of the user to verify identity through automated means.

Biometric identification exploits the universally recognized fact that certain biological or behavioral characteristics reliably distinguish one person from another. Some examples of these characteristics are speech patterns, DNA, retinal patterns, the topography of the face, and the patterns of friction ridges on an individual's fingertip. A biometric characteristic is tightly bound to an individual. It can't be lost, forgotten, borrowed, stolen and duplicated, or otherwise compromised in the same manner as with ID cards, passwords, or PINs.

Windows-NT is a graphical user interface (GUI) based computer operating system developed by Microsoft Corporation primarily for use on IBM-compatible PCs and servers. It supports a networked, client/server environment. It contains many security features not available in other commercially available operating systems. The Windows NT 3.51 release has been certified to the C2 level of security, requiring minimum user log-in procedures, auditing of security-relevant events, and resource (users, processes, and data) isolation. (See DoD 5200.28-STD, under Section 8.0, References, for further information on C2 security requirements.)

Before a biometric can be used to verify an identity, the user must be "enrolled" in the system. That is, their biometric identifier or template, along with their user ID, must be entered into the database of authorized users. A system/security administrator normally performs this function in order to protect the integrity of the authentication database.

In a password protected system, the system administrator or system security administrator (SA/SSA) would either allow the user to select or would assign the user ID and password. In a biometric authentication system, the biometric identification data for the user must be captured and stored. This entails capturing the raw biometric data, converting it to a biometric identifier or template, and storing it. For example:

Enrolled biometric identifier data is stored in a protected authentication database. In a networked environment, this is usually located at the primary domain controller (PDC) or other authentication server.

To determine if one biometric sample "matches" another biometric sample, they must be compared using a unique algorithm. Generally, the result of this comparison is a "score", indicating the degree to which a match exists. This score is then compared to a pre-set threshold to determine whether or not to declare a match. The comparison is performed using the biometric identifier or template, as opposed to the raw biometric data that is captured.

Two types of matching are generally defined. These are ‘Verification’ and ‘Identification’.

Verification is a one-to-one (1:1) matching of a single biometric sample set (biometric identifier record) against another. Generally, the first sample is newly captured and the second is the enrolled identifier on file for a particular subject. The file sample is retrieved from the database based on a unique subject identifier (such as a User ID). In a user authentication environment, a score exceeding the threshold would return a ‘match’, resulting in the authentication of the user. A score below the threshold would return a ‘no-match’, resulting in the denial of access.

Identification is a one-to-many (1:N) matching of a single biometric sample set against a database of samples, with no declared identity required. The single biometric is generally the newly captured sample and the database contains all previously enrolled samples. Scores are generated for each comparison, and an algorithm is used to determine the matching record, if any. Generally, the highest score exceeding the threshold results in a match. In an authentication environment, if a match is found against any of the authorized users, access is granted.

A third type, sometimes referred to as ‘one-to-few’ matching is performed by executing a series of 1:1 matches against a small sample set. In a user authentication environment using finger imaging technology, the user’s finger image identifier is compared to each of the few authorized users within this group. Access is granted if any of the one-to-one matches is positive.

The approach herein adopted for the human authentication API is to hide to the degree possible, the unique aspects of individual biometric types and particular vendor implementations, products, and devices, while providing a ‘toolbox’ of biometric functions that can be used within a number of potential software applications. Access to this toolbox would be through a set of standard interfaces. Theoretically, biometric components supplied by vendors conforming to this interface specification could then be used within any application also developed to this HA-API definition.

This API is designed for use by both the application developer and the biometric technology developer. To make the integration of the technology as straight-forward and simple as possible (and thus enhancing its commercial viability), the approach taken was to hide or encapsulate to the extent possible the complexities of the biometric technology. This approach also serves to extend the generality of the interface to address a larger set of potential biometric technologies and applications thereof.

A broad range exists as to the level of detail to which such an interface specification could be defined. This range extends from the top-level functions of "Enroll" and "Verify" to the lowest level subfunction involving device manipulations. A level below the top-level functions was selected as being the most useful while remaining the most generic. It is believed that this level will provide the needed commonality without reducing all biometric technologies to the lowest common denominator. That is, without neutralizing competitive features offered by a vendor or product.

This specification is designed to support multiple biometrics, both singularly and when used in a combined or cascaded manner. This is desirable to enhance flexibility to support such implementations as multiple factor authentication.

For this version of HA-API, only one-to-one verification type matching is supported by the biometric API (and thus, so is one-to-few). One-to-many identification matching functions are not generally required in an authentication environment and pose additional challenges and considerations (such as accuracy, response time, adjudication of multiple candidates, and database synchronization issues) that would detract from the current effort. However, the specification was written so as not to preclude the addition of one-to-many identification matching in the future.

The issue of matching scores, threshold settings, and quality scores/thresholds are at this point vendor specific and generally not required for most 1:1 applications and integrators. However, there are some sophisticated developers and some unique applications where this functionality would be useful. Therefore, within the HAAPIInformation function, explicit variables have been defined to allow the setting and reading of these values. Note that the interpretation of these values continue to be vendor specific.

In addition to supporting operational system applications, this API could also be used within non-operational environments (e.g., to support biometric testing) as well. However, the Information function described above would likely be invoked to provide for the condition setting and detailed results usually necessary for any type of rigorous testing. Vendors are encouraged to provide a test mode or toolkit either separately or as an optional function.

In defining the approach, the physical location where the verification function takes place and the location of the identifier database is also a consideration. This API supports either local (workstation) or central (server) verification. To be most generic and to support a client/server environment, it is recommended that the biometric database be located at the central server. This is the cleanest implementation and supports either local or server verification.

As each system and application will employ different database types and designs, database related functions (such as the addition, deletion, and retrieval of biometric data) have thus been omitted from this API specification.

It is the intent that this API be as open as possible, both in terms of an open systems architecture and accommodation of as wide a range as possible of biometric products and vendors and a broad range of biometric applications. It is not intended to be platform or device dependent. For convenience, and to support the first prototype implementation, the software environment is currently defined in terms of a Win32 client/server environment using a "C" language based.

Use of encryption to protect biometric and other authentication data during transmission and storage is highly encouraged. No explicit cryptographic functions/parameters are included within this API for several reasons. First, since the application is responsible for data storage, it should be responsible for encrypt this data at all points where it may be vulnerable in the computer, when stored, and when transmitted. For data transmitted from a biometric device or stored therein, this is the responsibility of the BSP vendor. Secondly, cryptographic API’s already exist which can provide the necessary encryption capability.

In order for an application to identify and distinguish between installed biometric technologies, each vendor/product pair is to be identified by a Biometric Unique Identifier (BUID). Vendors generate their own unique BUIDs using the Globally Unique Identifier (GUID) creation methods, which ensures that no two 128-bit values is generated twice. Note that once a BUID is generated for a vendor/product pair (i.e., a specific BSP), it is fixed for that product, although a vendor may choose to use a new BUID for a major revision to that product, at their discretion.

This HA-API specification defines interfaces at two levels. The first is the application program interface (API). These functions are called by the software application that will use the biometrics for a particular purpose. The second is the service provider interface (SPI). These functions are provided by the biometric service provider (BSP). Translation from the SPI to the API is provided by the HA-API runtime layer. This is depicted in the figure below.

The HA-API runtime is free software currently available from NRI. Alternatively, the biometric technology vendor or the system integrator may develop it, if desired. When used in a client/server architecture, the implementation would be accomplished as shown below:

The intended system architecture integrating HA-API includes the following:

• Standalone or client/server implementation
• Open System environment
• Local, central, or distributed biometric database
• Support for local or central matching
• Support for multiple biometrics (individually)
• Support for hybrid implementation (in combination)

The salient points of the HA-API architecture are:

1. Application will use the HA-API interface functions to select/configure the specific biometric technology used for user authentication process.
2. The HA-API interface will include API functions to configure the specific required biometric capture device and the associated biometric engine for the biometric authentication process.
3. The low level device driver software for communicating with the biometric devices and the biometric engine software will be part of the software package provided by the specific biometric vendor.
4. Application will be responsible for maintaining the specific biometric Identifier database along with User ID related information in the NT Database for the user authentication process.

The primary design objective is to provide multiple biometric based user authentication. This design, will also provide the following operational advantages/enhancements:

• Enhance Interoperability
• Flexibility to upgrade and/or switch biometric technology keeping the same application.
• Flexibility to upgrade and/or switch biometric vendor (for a specific biometric technology) keeping the same application.
• Enhance Security /Reduce Risk
• Ability to add /combine multiple biometric technologies to provide increased security.
• Use of multiple combined biometric technologies to make the system work for universal population and also reduce false accept/false reject errors.

• Standard Biometric human authentication-API interface.
• HA-API will facilitate the integration of a multitude of biometric technologies for user authentication.
• Application will have the flexibility to add/switch/or combine biometric technologies easily without requiring a major software redesign.

The two top-level biometric functions for an authentication or other application are enrollment and verification matching, as described in previous sections. To perform these top-level function, subfunctions are defined that together, when called as API elements, execute these functions. The subfunctions are listed below. API specifications are provided in Section 4.0.

The following functions are used to perform the biometric enrollment function:

and optionally

Memory De-allocation

HAAPIFree

The following functions are used to perform the biometric matching function. Only verification (1:1 matching) is supported by this version of the HA-API.

Memory De-allocation

HAAPIFree

The philosophy underlying Human Authentication-API (HA-API) interface design is to define the minimum set of generic API functions that will be required for providing multiple 1:1 biometric authentication capability for a HA-API compliant application. This interface design assumes that all of the low level functions (including the initialization of the data capture hardware boards for the capture of the biometric input data) and the actual processing /matching functions are handled internally within the biometric vendors’ software libraries and engines.

Based on this assumption, the HA-API interface needs to support the following basic biometric identification functions that are common to all biometric technologies:

Storage of the biometric identifier data is considered an application function.

A set of API functions has been defined for the HA-API interface for supporting multiple biometric authentication capability for the user authentication process. The initial HA-API interface is designed to provide a generic API interface that can support a variety of biometric technologies. A detailed description of the proposed API functions is provided in the remainder of this section. The API interface is designed to support the storage of multiple biometric identifier records for given user to provide increased system accuracy.

The HA-API is broken into three sections: Biometric Technology functions, Biometric Authentication functions, and Biometric Utility functions. The Biometric Technology functions provide the ability to specify Biometric Technologies. The Biometric Technology is later used in processing and verifying biometric data. The Biometric Authentication functions provide the ability to capture, process and match Biometric Data retrieved from different devices and using different technologies. The Biometric Utility functions provide various tools to facilitate programming, including access to vendor specific options.

HAAPIERROR EnumBioTechnology(LPBIOTECH pBioTechEnum,

LPDWORD pdwNeeded,