Common Criteria Evaluations of Biometrics

BEAT Project

Over the last four years TUViT participated in the BEAT Project - a project funded under the Seventh Framework Programme of the European Commission. The project was successfully finalized in March 2016 and its results are spreading into the relevant communities. As part of the project, 4 partners developed a guide for the Common Criteria evaluation of biometric technology, considering all the current aspects of Common Criteria and biometric technology.

Biometric systems today are widely used in areas that require a certain level of security and assurance about the technology used. Classical examples of such applications include access control systems for high-security areas (like power plants or data centres) and border control systems. Those areas usually require a high degree of assurance that the technology used operates as specified and as needed to obtain a secure system. To achieve this assurance, independent evaluations and certifications are carried out for the important components of a system or for the whole system. The de facto standard for the evaluation and certification of components and systems in the area of Information Security is the Common Criteria for Information Security evaluation (www.commoncriteriaportal.org). While most of the relevant components used in important areas have been independently evaluated and certified, this is often not the case for biometric systems.

The reasons for this lack of assurance are diverse, but one important aspect is that, to date, no comprehensive guide exists for the evaluation of biometric technology. Past evaluations of biometric components have shown that the Common Criteria are in principle applicable to biometric technology. However, some intrinsic aspects of biometric technology require interpretation of the criteria. Without comprehensive and accepted guidance, those interpretations have to be made in the course of each evaluation. This leads to a lack of comparability between evaluations carried out by different evaluation laboratories and to a high degree of uncertainty for the developer.

This document - the deliverable D6.5 - aims to provide the evaluator of a biometric system with guidance on the intrinsic characteristics of biometric technology and how they should be treated during evaluation. It aims to provide a comprehensive guide to the evaluation of biometric components and systems according to the Common Criteria. The document is also directed at developers of biometric systems who aim to undergo an evaluation according to the Common Criteria. As some of the requirements from the criteria are extended, the developer should be aware of this guidance before starting an evaluation.