oss-sec mailing list archives
Re: Re: fprintd: found storing user fingerprints without encryption
From: Seong-Joong Kim <sungjungk () gmail com>
Date: Sat, 11 May 2019 09:20:12 +0900
Additionally, I think that fingerprint readers are widely used on laptops, rather than as standalone products for PCs. It is hard to find a standalone product among the officially supported devices, except for the Digital Persona U.are.U and Eikon Touch series (see https://fprint.freedesktop.org/supported-devices.html). Most of them are in the form of fingerprint modules, or the standalone product is no longer sold. Currently, most major vendors' laptops, including Dell, HP and Lenovo, have been equipped with both an embedded fingerprint module and a TPM. Thus, I suggested implementing interfaces to talk with a hardware security module.

Sincerely,

On Fri, May 10, 2019 at 7:31 PM, Seong-Joong Kim <sungjungk () gmail com> wrote:

> I think my initial suggestion is not really good enough. Currently, there is no way to defend against this issue except by supporting hardware, such as a TPM or USB token, rather than encryption by software in a Linux environment. If necessary, how about implementing interfaces to talk with a hardware security module, such as a TPM or PKCS#11 compatible devices? Otherwise, users should avoid using fingerprint authentication/identification. Any idea?
>
> Sincerely,
>
> On Fri, May 10, 2019 at 6:22 PM, halfdog <me () halfdog net> wrote:
>
>> Roman Drahtmueller writes:
>>
>>> [...]
>>>
>>>> I am not insisting that the encryption key should be on the disk or is encrypted with a static key that is embedded in the binary. Instead, we can make fprintd use a TPM, if available.
>>>
>>> The problem persists: The encryption key must be available for the FP data to be accessible, and so it is for an attacker. It doesn't matter where you store the key. A TPM (and, transitively, products that encrypt with TPM-sealed or TPM-bound key material) is good for the situation where the system is physically stolen while powered down (or the drive fails). But that's not our problem here.
>>
>> Therefore dedicated tamper-proof IC designs + embedded software exist that perform the biometry template storage and matching on the chip (MoC). There are some vendors out there providing such hardware + MoC algorithms, but mainly fingerprint and some iris biometry variants seem certified so far. These are intended for access cards or USB tokens in two- or more-factor authentication schemes in a 1-to-1 match fashion, not as centralized 1-to-many matching schemes, which are also deployed, rarely (e.g. in Japan, where they really like biometrics as long as you do not have to touch the biometry reader ...).
>>
>>> [...]
>>>
>>>> Otherwise, but even though it is not perfect, it would be better to apply fingerprint data protection, such as a keyring or access control, rather than a raw fingerprint template.
>>>>
>>>> FYI, Windows Hello might use Next Generation Cryptography (called CNG) to protect and store user private data and encryption keys.
>>>
>>> There are not many options left to solve the stored credential problem, and it should be clear that saving a file, encrypted or not, is not the solution. One possible solution is to use a hash algorithm, potentially cost-based, to derive a bit string (that is suitable for comparison with the persisted authoritative string) from the output of a fingerprint reader.
>>
>> At the moment I do not know of any algorithms providing sufficient-entropy binary hash data from fingerprints in a reliable way. Changing extraction to deliver more entropy results in a higher FNR during the authentication step later on, I think.
>>
>>> [...]
>>
>> When working on a project to provide highest-security MoC solutions with Linux (for another type of biometry, not fingerprints), Nitrokey was offering open-source USB-token hardware (even the PCBs are open source, if I remember correctly). That platform seemed closest to being a good starting point for developing such an open-source MoC biometry solution, as they also sell one part with a certified tamper-proof trusted element that seemed to allow performing biometry template storage and comparison on chip if programmed correctly. Time in the project was too limited to explore if that hardware would REALLY allow upgrading it to a powerful, highly secure but still affordable open-source biometry system for use by journalists, human rights activists, NGOs ... and nerds, e.g. for password+biometry secured full disk encryption schemes.
>>
>>> [...]
>>
>> hd
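The stored-credential point argued in the thread (a cost-based hash that derives a comparison string from the reader's output instead of persisting a template, and halfdog's caveat that the extractor must reproduce that string exactly or authentication fails) can be shown in a few lines. The following is an added example, not code from the thread or from fprintd; it assumes a hypothetical feature extractor that already yields a stable, high-entropy bit string (which, as the thread notes, does not reliably exist for fingerprints) and uses a constructed 32-byte sample in its place.

```python
import hashlib
import hmac
import os

# Constructed sample: stands in for the stable bit string a hypothetical
# feature extractor would produce from one fingerprint scan.
SAMPLE_FEATURES = bytes.fromhex(
    "3f2a9c7e11d4b08a55e6c3f0127a9db4c8e1f6a2039b5d7e4a6c8e0f1b3d5f79"
)


def derive_verifier(features: bytes, salt: bytes) -> bytes:
    """Cost-based derivation (scrypt): the persisted verifier is slow to
    brute-force and reveals nothing about the feature bits themselves."""
    return hashlib.scrypt(features, salt=salt, n=2**14, r=8, p=1, dklen=32)


def enroll(features: bytes) -> dict:
    """Enrollment stores only a random salt and the derived verifier,
    never the feature string or any key that could decrypt it."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive_verifier(features, salt)}


def verify(record: dict, features: bytes) -> bool:
    """Authentication re-derives from the fresh scan and compares in
    constant time against the persisted authoritative string."""
    candidate = derive_verifier(features, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate an extractor that is not exactly reproducible: one bit of
    the feature string differs between enrollment and authentication."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def record_leaks_features(record: dict, features: bytes) -> bool:
    """True if the raw feature string can be found anywhere in what is
    written to disk (it should never be)."""
    return features in record["verifier"] or features in record["salt"]


if __name__ == "__main__":
    rec = enroll(SAMPLE_FEATURES)
    print("same scan accepted:", verify(rec, SAMPLE_FEATURES))
    print("one-bit difference accepted:", verify(rec, flip_bit(SAMPLE_FEATURES, 5)))
    print("record contains feature bits:", record_leaks_features(rec, SAMPLE_FEATURES))
```

A single flipped bit in the candidate string yields a completely different verifier, which is exactly why this design raises the FNR whenever the extractor is not bit-for-bit reproducible. In exchange, the on-disk record (salt plus scrypt output) holds nothing from which the feature string can be read back, unlike a template encrypted with a key that the matching process itself has to be able to use.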