[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040209102619.B29190@slack.lne.com>
Date: Mon, 9 Feb 2004 10:26:19 -0800
From: Eric Murray <ericm@....com>
To: bugtraq@...urityfocus.com
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication
On Fri, Feb 06, 2004 at 10:06:22AM -0500, Dave Aronson wrote:
> On Wed February 4 2004 13:37, markus-1977@....net wrote:
>
> > (to the best of my knowledge) there is no
> > hash-function out there that will hash your fuzzy fingerprint to a
> > constant value is it accepts and to something random if it rejects.
>
> Law enforcement agencies use some kind of algorithm to convert
> fingerprints to a numeric value, so that they can be easily compared.
> This resulting value could of course be hashed. Question is, is this
> something that (so far) a human must do, or is it automatable in real
> time by a reasonably small and low-priced system?
Fingerprints are matched on what are called minutae, which are
relative locations where lines break, join, etc.
(some systems may also look at whorl direction, the one I
worked with did not)
A typical digital fingerprint's got somewhere around 20-30 minutae.
Not all of them will be picked up in each scan, depending
on finger orientation, smudging, dirt, etc.
Search criteria will be for some percentage of matches, depending
on the desired false accept/false reject ratio.
So a simple hash of the minutae won't work very well as it will
result in an unacceptably high false reject ratio.
But the matching is easily automated.
The system I worked with used 4-byte ints to represent
minutae location and capped the number at 50.
Eric
Powered by blists - more mailing lists