NORMEE Limited.

News

2018.04.11

Received "World-first" Common Criteria Certification as Mobile Biometrics

~Started demonstration test with SBI Trade Win Tech for full use in Fintech~

NORMEE Limited(Main office :Tokyo, Chuo-ku Representative: Eizaburo Iwata, hereinafter refered to as NORMEE) We received the first CC (Common Criteria) certification in the world as mobile biometrics product, Palm Vein Authentication software for smartphones and tablets in Android OS version.
   With fingerprint recognition, face recognition, and iris recognition being built into smartphones, biometrics has become familiar to life. On the other hand, regarding performance such as false acceptance rate(FAR), false rejection rate(FRR) and failure to enroll rate(FTE), it has been pointed out that validity, reliability, and objectivity of these biometric products are insufficient. We have been doing open performance evaluation test, aiming 'biometric product with not the best performance, but the highest reliability'. In addition, we worked early on for CC(Common Criteria) evaluation and certification, which is a security evaluation standard for IT product by a neutral third party, here received the first certification in the world as a mobile biometric product. In the future, more and more overseas biometric product will plan to acquire CC certification after Japan.
Android OS version Palm Vein Authentication software is the only technology in the world with hybrid authentication, extracting palm vein and palm print simultaneously. With the easiness of no exclusive equipment needed, and performance reliability receiving CC Certification, we plan to expand the use in in Fintech especially, such as mobile banking and mobile payments. For starters, we cooporate with JCB in mobile panment and SBI Trade Win Tech in mobile banking.

~ CC(Common Criteria)Certification ~

CC (Common Criteria) certification for biometrics of our product was carried out in accordance with following contents, basing on protection profile for biometrics products, which is newly made by Japan.
(1)Based on international standard for performance evaluation of biometric products, ISO/IEC19795, our company conducted performance evaluation test and calculated false acceptance rate (FAR), false rejection rate (FRR), and failure to enroll rate (FTE), which are key indicators of biometrics performance evaluation.
(2)After confirming whether performance evaluation test is properly conducted by our company, independent evaluation institution performs performance evaluation test independently basing on ISO/IEC 19795, using statistical method to evaluate whether performance presented by our company is valid and determine pass/fail.
(3)In third-party evaluation, to determine pass/fail, attacks are made using counterfeit materials faking bio-information to evaluate vulnerability and resistance toward counterfeit presentation.
In performance evaluation test conducted by our company, measured value of FRR is 0.065%, FAR is 0.000294%, FTE is 0.129534%. In ISO19795, upper limit of 95% confidence interval is adopted in various performance, thus each upper limit became FRR:0.192%, FAR:0.000513%, FTE:0.38342%. On the other hand, validity of performance value from our company is confirmed because of 0(0%) occurance of failure to enroll, false rejection and false acceptance in performance evaluation test of independent evaluation organization. Therefore, our company has published performance as false rejection rate(FRR)0.2%, false acceptance rate(FAR) 0.0006%, failure to enroll rate(FTE) 0.4%.
Additionally, the security requirements definition document called ST (Security Target) of Android OS version Palm Vein Authentication software, will be published in certified product list on IPA(Information-technology Promotion Agency,Japan) website.

~ CCRA(Common Criteria Recognition Arrangement) ~

CCRA is an agreement on mutual recognition of CC evaluation and certification, products certified in CCRA member countries will be treated as CC certified products in other CCRA member countries as well. Android OS version Palm Vein Authentication software is recognized as CC certified product in 28 countries around the world including Japan.

image picture
Source:IPA homepage

~ Start of Demonstration Test Project for Authentication Service with SBI Trade Win Tech ~

SBI Trade Win Tech Co., Ltd. (Head Office: Shinjuku-ku, Tokyo, CEO: Mamoru FUJIMOTO), as a subsidiary of SBI Holdings Inc, engages in system development for financial institutions. To provide ASP service based on Palm Vein Authentication system of Palm Vein Authentication software, which uses camera of mobile device (smartphone and tablet) ,developed by NORMEE, demonstration test project started in April 2018.
Based on results of demonstration test, service in financial institution including SBI Sumishin Net Bank(Head Office: Minato-ku, Tokyo President: Noriaki MARUYAMA) is considered, moreover, usability in various services in non-financial institutions is also being considered.

~ Demonstration Test of Multi-service Using Biometric Authentication with JCB ~

   By cooperative research of NORMEE and JCB Co., Ltd., the only international card brand operating entity from Japan(Head office: Minato-ku, Tokyo CEO: Ichiro HAMAKAWA), and National Institute of Advanced Industrial Science and Technology(President: Ryoji CHUBACHI), demonstration test on server-type multi-service using visible-light Palm Vein Authentication technology is conducted.

[Certified Product Overview]

Certificate No. C0589
Certified Date March 16, 2018
TOE Name Android OS Ver. Palm Vein Authentication software
TOE Version Ver1.00.m01
TOE Type Biometrics Authentication Product
CC Version 3.1r4
Conforming Assurance Requirements EAL2 and additional assurance component ALC_FLR.1
PP Conformance Biometric Authentication Product Protection Profile Ver.1.2(JISEC Certification No.:C0501)

[Glossary]

CC(Common Criteria)certification

CC (Common Criteria) as “Common Criteria for Information Technology Security Evaluation”, as ISO/IEC 15408, is an international technical standard to evaluate whether information-technology-related products have proper security function and whether the security function is correctly implemented. Actual evaluation is based on CEM(Common Evaluation Methodology, common evalutation method, international standarderlized as ISO/IEC 18045) which defines evaluation method, describing evaluation content that evaluator should carry out according to assurance requirements. By this framework, objective security evaluation which is also hardly dependent on evaluator is possible.


Protection Profile

PP (Protection Profile) is a definition document of security requirements for each product area. Because it is not security requirement definition document for specific product, it is more abstract than security requirement definition document. In this evaluation certification, Biometric Verification Product Protection Profile version 1.2 (JISEC certification number C0501)  is applied.

>> For press release in Japanese [PDF]

For more information

Please feel free to contact us for demonstration, interview etc.

Contact

Archives