Security Basics mailing list archives
RE: Biometrics
From: "Brunner, Mark" <MBrunner () tor fasken com>
Date: Wed, 13 Jul 2005 13:40:38 -0400
Something else worth talking about is the methods used to shield the authentication information while in transit. Now, it has been a long, long time since I looked at fingerprint scanners. Is it still common practice to store a string representing a password and, upon authenticating the print against a locally stored fingerprint or a remotely stored fingerprint marker, to send that string in plain text or with a never-changing encryption mechanism? The issues I was most concerned about (unless in the last few years they have been overcome) were capture and playback, local versus remote authentication, false positives, false negatives, and encryption of the marker in storage and in transit.

Cheers,
Mark

-----Original Message-----
From: Eduardo Kienetz [mailto:eduardok () gmail com]
Sent: Tuesday, July 12, 2005 7:13 PM
To: security-basics () securityfocus com
Subject: Re: Biometrics

On 7/12/05, Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net> wrote:
> On 2005-07-08 Trevor Jennings wrote:
>> Hi, I have a bank customer who wants to roll out a biometric (fingerprint) solution in an AD 2003 environment for his branch sites. His primary goal is to reduce password administration and secondary goal is to provide more secure authentication. Does anyone know of any banks that have implemented such a solution? Has anyone had experience with DigitalPersona's product? Any thoughts on biometric vendors, reviews or even ideas about token based auth (remember password elimination is the key).
>
> Not an answer to your question, but some points you (and your customer) might want to consider, since biometric authentication has various security-related issues:
>
> 1. With biometrics you always have to find a balance between false accepts (wrong person gets access) and false rejects (valid user doesn't get access).
> 2. Fingerprints can be easily forged [1], and people leave their marks around everywhere they go.
> 3. How will you handle a biometric token (i.e. fingerprint) that gets compromised? People usually have only ten fingers.

Just a clarification here... This is not a problem anymore... there are new fingerprint (even whole hand) scanners that not only scan your finger/hand, but also measure temperature/pulse (to make sure the hand is alive :). Besides that, if you use password-based auth, the "thief" would just need to threaten you that... for example, he'll cut your finger if you don't tell him the password... ;) etc. One could even combine the scanning of BOTH hands to authorize.

I have experience with using eyeD hamster, which, at the time I was working with it, was quite good. In fact, I've done the programming/integration with an application login. EyeD hamster used (again, at that time, ~2 years ago) to store a WideString as your finger representation. I know there are systems where the image of your finger is stored. That finger record representation would also be interesting to discuss.

http://www.pcmag.com/article2/0,1759,88200,00.asp
http://www.secugen.com

> [1] http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches becoming available."
> --Jason Coombs on Bugtraq

Regards,
--
Eduardo Bacchi Kienetz
LPI Certified - Level 1 & 2
http://www.noticiaslinux.com.br/eduardo/
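Mark's "capture and playback" concern and Eduardo's remark about a stored WideString representing the finger come down to the same question: does the verifier ever accept a message that has been sent before? The following is an added illustration, not code from anyone in this thread and not the behaviour of any product mentioned here. It models two verifiers: one that accepts a fixed template string (which a copy of the wire traffic reproduces exactly), and one that issues a fresh random challenge and accepts only a keyed MAC over that challenge, so a captured reply is worthless a second time. The template bytes, class names and the 30-second challenge lifetime are all constructed for the example; a real deployment would also have to protect the enrolled template at rest, which this code does not address.

```python
"""Added example: static template transport vs. nonce-based challenge-response.

All values here are constructed. The enrolled "template" stands in for whatever
fixed string a scanner SDK might store; in this model the client has already
matched the live scan locally and proves possession of the enrolled secret.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for an enrolled fingerprint template (not a real one).
ENROLLED_TEMPLATE = b"constructed-template-bytes-0001"


class StaticStringVerifier:
    """Weak scheme: the client sends the same bytes on every login.

    Whether or not those bytes are encrypted with a fixed key makes no
    difference to replay: the verifier cannot tell a fresh send from a copy.
    """

    def __init__(self, template: bytes) -> None:
        self.template = template

    def verify(self, message: bytes) -> bool:
        # Constant-time compare avoids a timing side channel, but does
        # nothing against a replayed message.
        return hmac.compare_digest(message, self.template)


class ChallengeResponseVerifier:
    """Each login gets a single-use random nonce; the client answers with
    HMAC(template, nonce). The template itself never crosses the wire."""

    def __init__(self, template: bytes, ttl_seconds: float = 30.0) -> None:
        self.template = template
        self.ttl = ttl_seconds
        self.outstanding: dict[bytes, float] = {}  # nonce -> issue time

    def issue_challenge(self) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[nonce] = time.time()
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # pop() makes the nonce single-use: a second presentation finds nothing.
        issued = self.outstanding.pop(nonce, None)
        if issued is None:
            return False
        if time.time() - issued > self.ttl:
            return False  # stale challenge; client must request a new one
        expected = hmac.new(self.template, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(template: bytes, nonce: bytes) -> bytes:
    """What a legitimate client sends after matching the finger locally."""
    return hmac.new(template, nonce, hashlib.sha256).digest()


def static_scheme_outcome() -> tuple[bool, bool]:
    """Returns (first login accepted, identical message accepted again)."""
    verifier = StaticStringVerifier(ENROLLED_TEMPLATE)
    on_the_wire = ENROLLED_TEMPLATE  # exactly what a capture of the link yields
    first = verifier.verify(on_the_wire)
    again = verifier.verify(on_the_wire)
    return first, again


def challenge_scheme_outcome() -> tuple[bool, bool, bool]:
    """Returns (first login accepted, same reply accepted again,
    old reply accepted for a new challenge)."""
    verifier = ChallengeResponseVerifier(ENROLLED_TEMPLATE)
    nonce = verifier.issue_challenge()
    reply = client_respond(ENROLLED_TEMPLATE, nonce)
    first = verifier.verify(nonce, reply)
    again = verifier.verify(nonce, reply)          # nonce already consumed
    fresh = verifier.issue_challenge()
    reused = verifier.verify(fresh, reply)         # reply bound to old nonce
    return first, again, reused


if __name__ == "__main__":
    print("static string  :", static_scheme_outcome())     # (True, True)
    print("challenge/resp :", challenge_scheme_outcome())  # (True, False, False)
```

The second verifier only closes the replay hole Mark describes. Ansgar's third point still stands: the HMAC key here is the enrolled template, and if that template leaks from storage, there is no way to rotate the finger it was taken from, so the at-rest protection of the template matters at least as much as the transport.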