BioID is a biometric system and therefore has to handle the biometric data of individual persons. This data has to be protected from unauthorized access. BioID uses several mechanisms to address this sensitive requirement.

First of all, BioID signs all of its data objects and verifies the signature before any action is performed with a data object. The signature also contains a timestamp, which is additionally checked for objects that have to be just in time (i.e. that must be current).

In addition, BioID encrypts most of its data objects. Some objects are encrypted as soon as they are created (e.g. Features); others are encrypted when they are sent to the server (e.g. Recordings). Note that the implemented server proxies additionally use secure network protocols, so there is a second encryption layer as soon as data is sent over a network.

Not only user data has to be secured; there must also be mutual trust between BioID clients and servers. For BioID clients to trust a BioID server, BioID Server Certificates are used. If a valid BioID server certificate is installed on a client computer, the client trusts this server and is able to communicate with it using the public key stored in the certificate. Conversely, for a BioID server to accept a BioID client call, the client and its public keys must be known to the server. Only BioID administrators are allowed to add clients to the server database.

So far we have ensured that our data objects are genuine BioID objects, that the objects are encrypted, and that valid BioID clients are connected to valid BioID servers. Now we also have to ensure that only users who are allowed to see specific data can obtain those data objects; e.g. a user is allowed to review his own patterns, but he should not be able to see another user's patterns. Here we rely on the security of the underlying operating system: a BioID user can be linked to a system user account, and a BioID Server then checks an incoming process token against that user's SID and/or against the SID of the "BioID Admins" group. Access is granted only when the SID is enabled within the token. Note that anonymous users never have any access to the BioID database.
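The access decision described in the paragraph above, as an added example that is not BioID's own code: a small Python model of a process token whose group SIDs carry Windows-style attribute flags, so that a group that is present but not enabled (e.g. marked deny-only) does not grant access and an anonymous token is always refused. All SID values except the well-known anonymous SID are constructed placeholders, and the group SID of "BioID Admins" is an assumption.

```python
# Added example, not BioID's code: models the server-side check of an incoming
# process token against the data owner's SID and the "BioID Admins" group SID.
from dataclasses import dataclass, field

# Real Windows SID attribute flags as found in a token's group list.
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

ANONYMOUS_SID = "S-1-5-7"                        # well-known Anonymous Logon SID
BIOID_ADMINS_SID = "S-1-5-21-PLACEHOLDER-1101"   # assumed group SID (placeholder)


@dataclass
class ProcessToken:
    """Minimal model of an access token: the user SID plus group SIDs with attributes."""
    user_sid: str
    groups: dict = field(default_factory=dict)   # group SID -> attribute flags

    def sid_enabled(self, sid: str) -> bool:
        """True if the SID is effective in this token (user SID or an enabled group)."""
        if sid == self.user_sid:
            return True
        attrs = self.groups.get(sid, 0)
        # A deny-only group must never count as a positive grant, even if a
        # caller constructed the flags inconsistently.
        if attrs & SE_GROUP_USE_FOR_DENY_ONLY:
            return False
        return bool(attrs & SE_GROUP_ENABLED)


def access_granted(token: ProcessToken, owner_sid: str) -> bool:
    """Grant access to a data object only to its owner or to an enabled BioID admin."""
    if token.user_sid == ANONYMOUS_SID:          # anonymous users never get access
        return False
    return token.sid_enabled(owner_sid) or token.sid_enabled(BIOID_ADMINS_SID)


if __name__ == "__main__":
    alice = "S-1-5-21-PLACEHOLDER-1001"           # constructed user SIDs
    bob = "S-1-5-21-PLACEHOLDER-1002"
    admin = ProcessToken(bob, {BIOID_ADMINS_SID: SE_GROUP_ENABLED})
    deny_only_admin = ProcessToken(bob, {BIOID_ADMINS_SID: SE_GROUP_USE_FOR_DENY_ONLY})
    print("owner reads own pattern:", access_granted(ProcessToken(alice), alice))
    print("other user reads pattern:", access_granted(ProcessToken(bob), alice))
    print("enabled admin reads pattern:", access_granted(admin, alice))
    print("deny-only admin reads pattern:", access_granted(deny_only_admin, alice))
    print("anonymous reads pattern:", access_granted(ProcessToken(ANONYMOUS_SID), alice))
```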
