1. Introduction

This document an its child documents contain a toolbox of Presentation Attack Instruments (PAI) for various biometric modalities. This toolbox shall be used to test the PAD functionality of a TOE during an evaluation in compliance to [PP] in the context of the assurance classes. It should be noted that - while there may be some overlap to the area of penetration testing - this toolbox has not been developed for the use in the context of the assurance class AVA.

This toolbox document shall be used to test for the implementation of the SFR FIA_MBV_EXT.3 from [PP]. It contains content for the following biometric modalities:

  • Eye

  • Face

    • 2D Image

    • 3D Image

  • Fingerprint

  • Vein

This document presents, at a high level, the expected methodology of the PAD functionality tests for all modalities, including preparation, test subjects and the pass/fail criteria.

1.1. Independent vs Vulnerability Testing

It should be noted that the toolbox as contained in this document focuses on a functional approach of testing as required by the assurance component ATE_IND.1. For this reason, it only addresses the tests as performed by the evaluation laboratory. Each toolbox contains the state of the art of the Presentation Attack Instruments of its respective modality. A TOE compliant to the [PP] is expected to reliably recognize these PAI. The functional approach of the toolboxes is however not suitable for any test in the context of AVA_VAN.

2. Overall Test Approach

As it can not be assumed that every TOE will return a dedicated result for the PAD functionality, success for an presentation attack is defined for the whole biometric functionality, including the matcher. This means that - in order to successfully overcome the TOE by the use of a PAI - a genuine person (the tester) has to be enrolled into the TOE, an artefact has to be created for the corresponding biometric modality of the tester and the artefact has to produce a match (i.e. a successful verification). The TOE shall be operated according to its guidance documentation and specifically all possbible threshold settings for the TOE (for the matcher as well as for the PAD) shall be set according to its guidance documentation.

2.1. Subjects

For the purposes of the PAD testing each test will use one test subject for the creation of PAI.

Note

As part of AVA_VAN.1 testing it is possible that additional test subjects may be used as determined by the laboratory analysis of the TOE. The number of subjects used under AVA_VAN.1 testing is not covered by this toolbox.

2.2. Preparation

Before the actual test can start, the following pre-requisites need to be met:

  • It has to be ensured that the test subject whose biometric data is used to produce the artefacts for testing is enrolled into the TOE.

    • Successful enrollment needs to be documented and verified by performing at least 5 genuine transactions with the TOE. No errors shall occur during the 5 genuine transactions.

    • If any errors occur, the enrollment process shall be repeated. In case of repeated errors, it should be considered to use a different biometric characteristic (this could mean to use a different finger of a subject or even use a different subject).

    • In case the test subject cannot succeed to get sucesfully authenticated by the TOE within 5 tries (and switching to another biometric characteristic did not help or was not possible), the test subject shall be exempt from further testing.

Each toolbox will provide an inventory of tools needed to perform the tests. These tools must be available to complete the testing process. The tools are described and not picked. For example, a class of printer or camera is specified, but not a specific printer or camera model.

2.3. PAI Production

The production of the PAI for each toolbox shall be performed as follows:

  • Each toolbox is accompanied by a table that identifies the number of artefacts that shall be produced per PAI (the default is 3)

  • The tester shall produce the required amount of artefacts

  • The production of each artefact shall be documented in a manner that the production can be reproduced.

  • Each produced artefact shall be identified by a unique identifier. This identifier shall be be attached to the artefact at all times (as far as this is possible without destroying the artefact).

2.4. Testing

The actual test of each PAI shall be conducted as follows:

  • The artefact shall be applied to the TOE 10 times.

    • If the TOE matches the previously enrolled user by the use of the artefact, the attempt is considered a failed attempt.

    • If the TOE rejects the attempt, this is considered being a passed attempt.

2.5. Pass/Fail Criteria

The following pass criteria shall be applied if no other criteria are defined in the individual modality toolbox documents.

A TOE passes the test if and only if it reliably defeats the use of all artefacts that have to be built according to the toolbox. This means that none of the artefacts must be able to reproducibly overcome the TOE.

To reproducibly overcome the TOE by the use of a certain artefact in the outlined test scenario is defined as follows:

Table 1. Pass/Fail Criteria
Attempts PAI Matches Outcome

10

0

TOE passes this PAI

10

1

TOE passes this PAI

10

2

Additional ten (10) attempts are allowed with this PAI

20

2

TOE passes this PAI

Up to 20

3 or more

TOE fails this PAI

The maximum number of attempts allowed with a PAI is twenty (20). If three (3) matches are made to the PAI, the test fails (further attempts are not necessary even if 20 total attempts have not yet been made).

3. Literature

  • [PP] collaborative Protection Profile Module for Mobile biometric enrolment and verification - for unlocking the device