Bugtraq mailing list archives
RE: Hacking USB Thumbdrives, Thumprint authentication
From: <David.Cross () ngc com>
Date: Tue, 10 Feb 2004 12:26:18 -0700
Fingerprint data is difficult to hash since the comparators are fuzzy in nature. Basically you are dealing with vectors or distances between minutiae (points of interest) and their direction including slant/curve. Minutiae readings will differ slightly with each print sampling. For accuracy each print has to be compared to each sample seeking a match. The matching process can be time consuming. That being said there is a way to fuzzify a representation of the print in a numeric form. Since the algorithms produce an encrypted output of end points and vectors you are left to trying to attach statistical significance to the decrypted version of the algorithm output data. Or you can fuzzify a representation of the image itself as most API's allow capture and storage of a bitmap of the print. The captured prints will have variance in placement on the print window and will collect more or less white-space or skewed position. Prints will also have more or less surface area depending on the pressure applied during the print capture process. (This is why the algorithms look for points of interest on the print and will refuse many finger placements during the print enrollment/verification process.) Since I get paid for figuring out how to index prints I'll keep the secret to myself but you have the basics of what's needed to figure it out with the help of a little high school math. Enjoy~ David Cross P.S. hashing is a bad technique in this case because hash's must produce a unique result that you end up extremely similar inputs having vastly different hash output values. In this case you want to reduce the pool of candidate prints and then do a 1 on 1 comparison of the reduced set. Think more along the lines of averages rather than hashes... Most systems will make you enter a pin or a username and then will do the 1 on 1 comparison because of the time cost of comparing all prints in the database. Some companies sell systems that compare all prints in the database 1 on 1 to the input but you have the issue of buying an expensive server and you give up the two factor safety aspect. -----Original Message----- From: Dave Aronson [mailto:spamtrap.secfocus () dja mailme org] Sent: Friday, February 06, 2004 8:06 AM To: bugtraq () securityfocus com Cc: markus-1977 () gmx net Subject: Re: Hacking USB Thumbdrives, Thumprint authentication On Wed February 4 2004 13:37, markus-1977 () gmx net wrote:
(to the best of my knowledge) there is no hash-function out there that will hash your fuzzy fingerprint to a constant value is it accepts and to something random if it rejects.
Law enforcement agencies use some kind of algorithm to convert fingerprints to a numeric value, so that they can be easily compared. This resulting value could of course be hashed. Question is, is this something that (so far) a human must do, or is it automatable in real time by a reasonably small and low-priced system? -- Dave Aronson, Senior Software Engineer, Secure Software Inc. (Opinions above NOT those of securesw.com unless so stated!) Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org Web: http://destined.to/program http://listen.to/davearonson
Current thread:
- RE: Hacking USB Thumbdrives, Thumprint authentication markus-1977 (Feb 05)
- RE: Hacking USB Thumbdrives, Thumprint authentication Navaneetharangan (Feb 06)
- Re: Hacking USB Thumbdrives, Thumprint authentication Eric 'MightyE' Stevens (Feb 11)
- Biometric systems security [WAS: Re: Hacking USB Thumbdrives, Thumprint authentication] Gadi Evron (Feb 07)
- Re: Hacking USB Thumbdrives, Thumprint authentication Dave Aronson (Feb 09)
- Re: Hacking USB Thumbdrives, Thumprint authentication Eric Murray (Feb 11)
- <Possible follow-ups>
- RE: Hacking USB Thumbdrives, Thumprint authentication David Brodbeck (Feb 09)
- RE: Hacking USB Thumbdrives, Thumprint authentication Charles Clancy (Feb 11)
- RE: Hacking USB Thumbdrives, Thumprint authentication Lyal Collins (Feb 16)
- RE: Hacking USB Thumbdrives, Thumprint authentication Charles Clancy (Feb 11)
- RE: Hacking USB Thumbdrives, Thumprint authentication David.Cross (Feb 11)
- RE: Hacking USB Thumbdrives, Thumprint authentication Navaneetharangan (Feb 06)