RE: Hacking USB Thumbdrives, Thumprint authentication

[<David.Cross () ngc com>]

Fingerprint data is difficult to hash since the comparators are fuzzy in nature.  Basically you are dealing with 
vectors or distances between minutiae (points of interest) and their direction including slant/curve.  Minutiae 
readings will differ slightly with each print sampling.  For accuracy each print has to be compared to each sample 
seeking a match.  The matching process can be time consuming.

That being said there is a way to fuzzify a representation of the print in a numeric form.  Since the algorithms 
produce an encrypted output of end points and vectors you are left to trying to attach statistical significance to the 
decrypted version of the algorithm output data.  Or you can fuzzify a representation of the image itself as most API's 
allow capture and storage of a bitmap of the print.   The captured prints will have variance in placement on the print 
window and will collect more or less white-space or skewed position.  Prints will also have more or less surface area 
depending on the pressure applied during the print capture process. (This is why the algorithms look for points of 
interest on the print and will refuse many finger placements during the print enrollment/verification process.)

Since I get paid for figuring out how to index prints I'll keep the secret to myself but you have the basics of what's 
needed to figure it out with the help of a little high school math.

Enjoy~
David Cross

P.S. hashing is a bad technique in this case because hash's must produce a unique result that you end up extremely 
similar inputs having vastly different hash output values.  In this case you want to reduce the pool of candidate 
prints and then do a 1 on 1 comparison of the reduced set.  Think more along the lines of averages rather than hashes...

Most systems will make you enter a pin or a username and then will do the 1 on 1 comparison because of the time cost of 
comparing all prints in the database.  Some companies sell systems that compare all prints in the database 1 on 1 to 
the input but you have the issue of buying an expensive server and you give up the two factor safety aspect.



-----Original Message-----
From: Dave Aronson [mailto:spamtrap.secfocus () dja mailme org] 
Sent: Friday, February 06, 2004 8:06 AM
To: bugtraq () securityfocus com
Cc: markus-1977 () gmx net
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication

On Wed February 4 2004 13:37, markus-1977 () gmx net wrote:

> (to the best of my knowledge) there is no
> hash-function out there that will hash your fuzzy fingerprint to a
> constant value is it accepts and to something random if it rejects.

Law enforcement agencies use some kind of algorithm to convert 
fingerprints to a numeric value, so that they can be easily compared.  
This resulting value could of course be hashed.  Question is, is this 
something that (so far) a human must do, or is it automatable in real 
time by a reasonably small and low-priced system?

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson