Date: Wed, 4 Feb 2004 19:37:50 +0100 (MET)
From: markus-1977@....net
To: David.Cross@....com, bugtraq@...urityfocus.com
Subject: RE: Hacking USB Thumbdrives, Thumprint authentication


Hey,

> I've been working with fingerprint authentication devices for over 9 years
> now.  The basis for the research quoted on cracking these
> devices is weak.  Is it possible to devise a way to fool fingerprint
> readers?... given enough time, gummy bears and glue?  It may be
> possible but having tested the devices over a number of years I can say
> that it is very difficult.  By the time a person was able to do
> lithography and form a "gummy finger" of some type their password could
> have been stolen hundreds of times over by a hardware
> key-logger or socially engineered.

There are a few things that are very disturbing about Biometrics (even with
a better reader), though:

a) biometrics are no secrets (I leave my fingerprint everywhere); retinas
are readable from some distance... where do you get a new thumb-print, when it
gets compromised? Yes, for good security it should be "know" and "have", but
look at what's going on in practice: They want to introduce fingerprints in
passports - why not have a pin as well?

b) security depends a lot on the reader, i.e. the "life-detection". Just
what will happen when all the countries agree on having fingerprints in the
passports. Will the readers in some third-world countries be as secure as in the
US/EU? What will happen when somebody can fake my entry into some country? Or
assume it will be used for payment or something like that... Will all the
readers be secure enough to detect gummy fingers? A pin-pad on the other hand
is relatively simple...

c) Biometrics is always "fuzzy comparison". If I have a pin, it's either
correct or not. If the PIN/password is difficult enough, I can encrypt stuff
with it. If only a hash is stored, then the device will not "know" the correct
password to decrypt my secrets but can verify that the user knows it.
Biometrics on the other hand always compares to a reference stored somewhere. The
reference is in the clear, because (to the best of my knowledge) there is no
hash-function out there that will hash your fuzzy fingerprint to a constant
value if it accepts and to something random if it rejects. That means that data
on the Thumbdrives is most likely not "encrypted" with your fingerprint. Most
likely it will make some comparison and then allow or deny access. There is
some work in progress to extract keys from fingerprints, though. However,
it'll take some time until we will find this in products...

Markus

-- 
The early bird gets the worm. If you want
something else for breakfast, get up later.
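
Point (c) of the message above, as an added example that is not part of the original post: a passphrase can be checked against a stored verifier while also yielding the encryption key, whereas a threshold ("fuzzy") comparison needs the cleartext reference, because hashing a slightly noisy scan gives an unrelated digest. All names, the passphrase, the 16-bit threshold and the template bytes are constructed for illustration.

```python
import hashlib
import hmac

def derive(passphrase: str, salt: bytes):
    """Return (key, verifier). Only salt and verifier are stored on the device."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    verifier = hmac.new(key, b"verifier", hashlib.sha256).digest()
    return key, verifier

def unlock(passphrase: str, salt: bytes, stored_verifier: bytes):
    """Exact match: the right passphrase reproduces the key, anything else gives None."""
    key, verifier = derive(passphrase, salt)
    return key if hmac.compare_digest(verifier, stored_verifier) else None

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bits(data: bytes, positions) -> bytes:
    """Simulate sensor noise by flipping the given bit positions."""
    out = bytearray(data)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)

def fuzzy_match(reference: bytes, sample: bytes, max_bits: int = 16) -> bool:
    """Biometric-style decision: needs the cleartext reference to measure distance."""
    return hamming(reference, sample) <= max_bits

# Constructed sample data (not real biometric templates).
SALT = bytes(range(16))
TEMPLATE = hashlib.sha256(b"constructed enrolment template").digest()
NOISY_SCAN = flip_bits(TEMPLATE, [3, 77, 200])  # same finger, 3 bits of noise

def demo():
    key, verifier = derive("correct horse battery", SALT)
    h_ref = hashlib.sha256(TEMPLATE).digest()
    h_scan = hashlib.sha256(NOISY_SCAN).digest()
    return {
        "right_pw_recovers_key": unlock("correct horse battery", SALT, verifier) == key,
        "wrong_pw_rejected": unlock("correct horse batterx", SALT, verifier) is None,
        "fuzzy_accepts_noisy_scan": fuzzy_match(TEMPLATE, NOISY_SCAN),
        "hashes_equal": h_ref == h_scan,  # a hashed reference cannot match a noisy scan
        "hash_distance_bits": hamming(h_ref, h_scan),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
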
