Dear Markus,

I totally agree with you that a biometric system can be compromised, but then most of the security systems can be compromised. It is only the effort required and complexity involved that sets any system apart.

In this angle, having worked with biometric devices and having developed applications using fingerprint readers before, I feel that the modern day biometric readers are a far improved lot and are really very effective for logical and physical access control systems.

1) Many of the fingerprint authentication systems do encrypt the fingerprint data before storing it in the database or as a digest file. Of course this is not a one way hash, but mostly a symmetric encryption that happens.
2) With the arrival of optic based fingerprint scanners, the probability of getting authenticated on latent fingerprints (or by using a lifted fingerprint) is very minimal.
3) And you can use all the ten fingers of yours for authentication; it need not always be your thumbprint alone.

The only disadvantage in this area, as rightly brought out by you, is

1) There is no standard amongst hardware manufacturers. Therefore there is no compatibility between different hardwares. The BioAPI which is a consortium for Biometric Development is doing a great job in laying the rules of the game. However we need to still go a lot further before biometrics can get a de facto standard in the security industry.

Having said all that, I still agree that it is always better to go for dual factor authentication ('Are' + 'Know' or 'Have').

Regards
C.Navaneetharangan CISA

-----Original Message-----
From: markus-1977@gmx.net [mailto:markus-1977@gmx.net]
Sent: Thursday, February 05, 2004 12:08 AM
To: David.Cross@ngc.com; bugtraq@securityfocus.com
Subject: RE: Hacking USB Thumbdrives, Thumprint authentication

Hey,

> I've been working with fingerprint authentication devices for over 9 years now. The basis for the research quoted on cracking these
> devices is weak. Is it possible to devise a way to fool fingerprint readers?... given enough time, gummy bears and glue? It may be
> possible but having tested the devices over a number of years I can say that it is very difficult. By the time a person was able to do
> lithography and form a "gummy finger" of some type their password could have been stolen hundreds of times over by a hardware
> key-logger or socially engineered.

There are a few things that are very disturbing about Biometrics (even with a better reader), though:

a) biometrics are no secrets (I leave my fingerprint everywhere); retinas are readable from some distance... where do you get a new thumb-print, when it gets compromised? Yes, for good security it should be "know" and "have", but look at what's going on in practice: They want to introduce fingerprints in passports - why not have a pin as well?

b) security depends a lot on the reader, i.e. the "life-detection". Just what will happen when all the countries agree on having fingerprints in the passports. Will the readers in some third-world countries be as secure as in the US/EU? What will happen when somebody can fake my entry into some country? Or assume it will be used for payment or something like that... Will all the readers be secure enough to detect gummy fingers? A pin-pad on the other hand is relatively simple...

c) Biometrics is always "fuzzy comparison". If I have a pin, it's either correct or not. If the PIN/password is difficult enough, I can encrypt stuff with it. If only a hash is stored, then the device will not "know" the correct password to decrypt my secrets but can verify that the user knows it. Biometrics on the other hand always compares to a reference stored somewhere. The reference is in the clear, because (to the best of my knowledge) there is no hash-function out there that will hash your fuzzy fingerprint to a constant value if it accepts and to something random if it rejects.

That means that data on the Thumbdrives is most likely not "encrypted" with your fingerprint. Most likely it will make some comparison and then allow or deny access. There is some work in progress to extract keys from fingerprints, though. However, it'll take some time until we will find this in products...

Markus

--
The early bird gets the worm. If you want something else for breakfast, get up later.
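
The contrast drawn in point (c) of the quoted message, as an added example that is not part of the original thread or written by either poster: a PIN can be checked against a one-way verifier, while a noisy biometric reading only matches when compared by distance against the stored reference itself. The PIN, salt, 64-bit "scan" values and the distance threshold are all constructed for illustration; real fingerprint templates are minutiae sets, not bit strings.

```python
import hashlib
import hmac

# Constructed sample data (assumptions, not values from the thread).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ENROLLED_PIN = "492817"
ENROLLED_SCAN = 0xA5C3_96F0_1E2D_4B78  # stand-in for a feature vector

def pin_record(pin: str) -> bytes:
    """One-way verifier stored for a PIN; the PIN itself is never kept."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

def pin_ok(stored: bytes, attempt: str) -> bool:
    """Exact comparison: the attempt is either right or wrong."""
    return hmac.compare_digest(stored, pin_record(attempt))

def scan_digest(scan: int) -> bytes:
    """What a naive 'hash the fingerprint' scheme would store."""
    return hashlib.sha256(scan.to_bytes(8, "big")).digest()

def hamming(a: int, b: int) -> int:
    """Number of differing bits between two readings."""
    return bin(a ^ b).count("1")

def scan_ok(reference: int, scan: int, max_distance: int = 6) -> bool:
    """Fuzzy comparison: needs the reference itself, not a digest of it."""
    return hamming(reference, scan) <= max_distance

def demo() -> dict:
    stored_pin = pin_record(ENROLLED_PIN)
    # Same finger, second reading: three bits differ (constructed noise).
    rescan = ENROLLED_SCAN ^ 0b1000_0000_0100_0001
    # Different finger (constructed): half of the bits differ.
    other = ENROLLED_SCAN ^ 0xFFFF_0000_FFFF_0000
    return {
        "pin_correct": pin_ok(stored_pin, ENROLLED_PIN),
        "pin_wrong": pin_ok(stored_pin, "492818"),
        "rescan_hash_match": scan_digest(rescan) == scan_digest(ENROLLED_SCAN),
        "rescan_distance": hamming(ENROLLED_SCAN, rescan),
        "rescan_fuzzy_match": scan_ok(ENROLLED_SCAN, rescan),
        "other_fuzzy_match": scan_ok(ENROLLED_SCAN, other),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The legitimate rescan fails the digest comparison and passes only the distance check, which is why a device doing this kind of matching has to hold a recoverable reference.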