How to evaluate a video identification solution for being included in the CPSTIC / CCN - STIC 105 catalogue

Blog

28
- Sept
2022
Posted by: Javier Tallón
[Certification]
How to evaluate a video identification solution for being included in the CPSTIC / CCN - STIC 105 catalogue

There is no denying the recent boom in the use of video identification solutions as a method to enable the management of all kinds of procedures, thus eliminating the need to be present in person. Sectors such as banking, insurance or legal are gradually increasing the use of video identification software in their day-to-day business.

For this reason, the Spanish Ministry of Economic Affairs and Digital Transformation, in BOE núm. 115, of 14 May 2021, regulated remote video identification methods for the issuance of qualified electronic certificates. This forces the providers of this type of services to validate their solutions in the terms established in Anexo F11 de la Guía de Seguridad de las TIC CCN-STIC 140 of the National Cryptologic Centre, by means of product certification, with a deadline of 1 July 2022 for obtaining this certification, a period that was extended to 1st of January 2023.

What is exactly a video identificatin product?

According to anexo F.11 – M: Herramientas de Videoidentificación de la Guía de Seguridad de las TIC CCN-STIC 140: “they arise in response to the need to establish mechanisms for remote authentication and identification, in dorder to contribute to reducirng the number of times that citizens have to travel to carry out procedures, without affecting their rights".

Main characteristics of a video identification product.

There are common characteristics in this taxonomy of products, as reflected in this annex, among which we can find:

  • Modular composition:They are usually composed of different modules with differentiated functionalities: data capture module and processing and comparison module (biometric engine).

  • Non-absolute comparison: The result is not reflected in two possible values, e.g. pass/fail, but is expressed in percentages (either coincidence or difference).

  • Assisted or unassisted process:The identification process can be carried out in two ways, the main difference being that the operator is an active part and makes the decision (assisted or synchronous) or unassisted (asynchronous), in which case the final decision is made by the tool itself. When the process is performed unassisted, it is the operator who reviews the evidences and makes the final identification decision.

  • Recording and storage of evidence:
    • This type of solution allows both capturing data and recording the identification process to later store it in a database and index it.

    Evaluation requirements applied to video identification tools.

    CCN establishes a series of fundamental security requirements for the evaluation of each product family.

    The requirements shown below are those that apply to the family of video identification tools, highlighting the most specific ones for this type of products, contained in the security functionality "Video identification requirements". . In this case, we can find the specific requirements for this taxonomy in the Anexo F11 - M: Herramientas de Videoidentificación de la Guía de Seguridad de las TIC CCN-STIC 140.

    Specific evaluation tests for the biometric module

    The following Technical Instruction provided by the certification body (CB) of the CCN must be followed to perform the evaluation tests for the biometric module (MEB).

    This covers up to hasta 8 tests to be performeds covering different types of biometric and cunctional attacks as detailed below:

    P1.2M: Verify successful verification under different environments

    The objective of this test is to to verify that the product works correctly in the usual use cases, assuming a cooperative use and showing the corresponding proof of life. . For this purpose, 6 reliable subjects are selected as defined by the CCN_MATCH tool which asks for a minimum % dissimilarity between them.

    The expected outcome of these video identifications should be successful as the product should detect that the reliable user who is being identified is the one who claims to be.

    P1.6: Check that the product verifies proof of life

    The objective of this test is to check if the product verifies the proof of life (the product asks you to smile, raise your hand, etc.) For this purpose, the evaluator will go through the whole video identification process, but when he/she reaches the step of showing the proof of life, he/she will stand still without doing it.

    In this way, if the final result of the video identification is successful, the product will be failing in this test as it will lack proof of life where it cannot demonstrate whether the user being identified is alive or not.

    P3.1: Impostor presentation attacks

    The objective of this test is to check that the product is not vulnerable to impersonation of a reliable user by an attacker who has a certain % of resemblance between the reliable user using the CCN_MATCH tool as seen below.

    The attacker will perform the whole identification process and will check if the final result of video identification of the product is successful or not, being unsuccessful the favourable result for this test.

    P3.3.2: Presentation attacks using videos

    The purpose of this test is to check that the product is not vulnerable to the impersonation of an reliable user by an attacker using a video of the reliable user that was previously being identified.

    The attacker must achieve a synchronism between the video of the user and the exact moment of the identification process in order to display the proof of life.

    The expected result of this video identification should be unsuccessful as the product should detect that what it is seeing is a pre-recorded video of a video identification and not a real scenario.

    P3.3.3: Presentation attacks using very low-cost masks

    The purpose of this test is to check that the product is not vulnerable to the impersonation of a trustworthy user by an attacker using a low-cost mask, such as a cardboard or cloth mask, as shown in the following image.

    The tester must perform the whole identification process showing the proof of life with the low-cost mask and will check if the final result of the video identification of the product is successful or not, being unsuccessful the positive result for this test.

    P3.3.4: Presentation attacks using advanced masks

    The purpose of this test is to to check that the product is not vulnerable to the impersonation of a trustworthy user by an attacker using an advanced mask csuch as professional and realistic masks like the ones shown in the following image.

    The tester must perform the whole identification process showing the proof of life with the advanced mask and will check if the final result of the video identification of the product is successful or not, being unsuccessful the positive result for this test.

    P3.3.5: Presentation attacks using make-up

    The purpose of this test is to check that the product is not vulnerable to impersonation of a reliable user by an attacker using make-up to resemble the face of the reliable user as shown in the image below.

    The made-up attacker must perform the whole identification process by showing the proof of life and will check if the final result of the video identification of the product is successful or not, being unsuccessful the positive result for this test.

    P3.3.6: Attacks using Deepfake computing tools

    The purpose of this test is to check that the product is not vulnerable to impersonation of a reliable user by an attacker using Deepfake software tools.

    As can be seen below, the tester has trained a model of the reliable face of the user to successfully impersonate the user.

    The attacker with Deepfake enabled must perform the whole identification process by displaying the proof of life and will check if the final result of the video identification of the product is successful or not, being unsuccessful the positive result for this test.

    Video Identification product evaluation, we can help you

    As an expert laboratory in the evaluation of this taxonomy of products under the LINCE methodology, we have the necessary expertise should you wish to evaluate your product and include it in this category.

    As a leading LINCE assessment laboratory, our experience and training will help you to make the certification process as smooth as possible, , reducing the time and resources required by our clients.

    If you want to obtain a valid cybersecurity certification for your video identification solution, we will be happy to help you.

    tags
    Javier Tallón/Technical Director

    Expert consultant on the Common Criteria standard, and other security assurance standards in the field of the information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also Cyber Security lecturer, giving classes of Secure Software Engineering at the University of Granada and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified .

    In 2015 he begins to lay the foundations of what will be jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site from where the company develops most of the work. Recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple Congresses.


    Contact

    Send us your questions or suggestions!

    By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.
    RECENT POSTS
    How to enter ENS category high, stay in the catalog and add new versions of my product
    April 23, 2024
    How to enter ENS category high, stay in the catalog and add new versions of my product
    jtsec - Our LINCE 2023
    Febr 6, 2024
    jtsec - Our LINCE 2023
    We wish you a happy and cybersecure 2024
    Dec 19, 2023
    We wish you a happy and cybersecure 2024
    How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
    Dec 14, 2023
    How to Prepare Your Products and Services for the Quantum Era and Ensure Their Certification?
    How to include your product or service in ENS ALTA.
    Oct 31, 2023
    How to include your product or service in ENS ALTA.
    Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
    Sept 19, 2023
    Certifications and cybersecurity methodologies are generating interest among companies and organizations at both the national and international levels.
    Legal framework in which the CPSTIC CCN - STIC 105 catalogue is included in the sphere of Public Administration
    Augst 23, 2023
    Legal framework in which the CPSTIC CCN - STIC 105 catalogue is included in the sphere of Public Administration
    New cryptographic evaluation methodology created by CCN, how does it apply and what does it consist of?
    May 9, 2023
    New cryptographic evaluation methodology created by CCN, how does it apply and what does it consist of?
    jtsec achieves ENS High Certification.
    May 1, 2023
    jtsec achieves ENS High Certification.
    Common Criteria Statistics Report for 2022
    March 20, 2023
    Common Criteria Statistics Report for 2022
    CATEGORIES