lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <2791.1075919870@www43.gmx.net>
Date: Wed, 4 Feb 2004 19:37:50 +0100 (MET)
From: markus-1977@....net
To: David.Cross@....com, bugtraq@...urityfocus.com
Subject: RE: Hacking USB Thumbdrives, Thumprint authentication


Hey,

> I've been working with fingerprint authentication devices for over 9 years
now.  The basis for the research quoted on cracking these 
> devices is weak.  Is it possible to devise a way to fool fingerprint
readers?... given enough time, gummy bears and glue?  It may be 
> possible but having tested the devices over a number of years I can say
that it is very difficult.  By the time a person was able to do 
> lithography and form a "gummy finger" of some type their password could
have been stolen hundreds of times over by a hardware 
> key-logger or socially engineered.

There are a few things that are very disturbing about Biometrics (even with
a better reader), though:

a) biometrics are no secrets (I leave my fingerprint everywhere); retinas
are readable from some distance... where do you get a new thumb-print, when it
gets compromised? Yes, for good security it should be "know" and "have", but
look at what's going on in practice: They want to introduce fingerprints in
passports - why not have a pin as well?

b) security depends a lot on the reader, i.e. the "life-detection". Just
what will happen when all the countries agree on having fingerprints in the
passports. Will the readers in some third-world countries be as secure as in the
US/EU? What will happen when somebody can fake my entry into some country? Or
assume it will be used for payment or something like that... Will all the
readers be secure enough to detect gummy fingers? A pin-pad on the other hand
is relatively simple...

c) Biometrics is always "fuzzy comparison". If I have a pin, it's either
correct or not. If the PIN/password is difficult enough, I can encrypt stuff
with it. If only a hash is stored, then the device will not "know" the correct
password to decrypt my secrets but can verify that the user knows it.
Biometrics on the other hand always compares to a reference stored somewhere. The
reference is in the clear, because (to the best of my knowledge) there is no
hash-function out there that will hash your fuzzy fingerprint to a constant
value is it accepts and to something random if it rejects. That means that data
on the Thumbdrives is most likely not "encrypted" with your fingerprint. Most
likely it will make some comparison and then allow or deny access. There is
some work in progress to extract keys from fingerprints, though. However,
it'll take some time until we will find this in products...

Markus

-- 
The early bird gets the worm. If you want
something else for breakfast, get up later.

GMX ProMail (250 MB Mailbox, 50 FreeSMS, Virenschutz, 2,99 EUR/Monat...)
jetzt 3 Monate GRATIS + 3x DER SPIEGEL +++ http://www.gmx.net/derspiegel +++



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ