lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.BSF.4.58.0402091323060.38819@www.missl.cs.umd.edu>
Date: Mon, 9 Feb 2004 13:37:11 -0500 (EST)
From: Charles Clancy <clancy@....missl.cs.umd.edu>
To: David Brodbeck <DavidB@...l.interclean.com>
Cc: "'Dave Aronson'" <spamtrap.secfocus@....mailme.org>,
	bugtraq@...urityfocus.com
Subject: RE: Hacking USB Thumbdrives, Thumprint authentication


> > Law enforcement agencies use some kind of algorithm to convert
> > fingerprints to a numeric value, so that they can be easily compared.
>
> My understanding is that this is only an approximate representation --
> it's not intended to be unique, it's only a method for quickly locating
> prints similar to the suspect print.  The final comparison between a
> print that's on file and a suspect print is done by eye, and is actually
> somewhat subjective.

Most fingerprint systems convert the fingerprint image into what's called
a template.  This is a numeric representation, but comparision between
two templates is not as simple as "==".  Different portions of the
template represent different minutae on the fingerprint, and an actual
feature matching algorithm still needs to be used.  Thus, we cannot hash
these templates because there is no way to perform matching on the
template hashes.

So far nobody has produced an algorithm to reliably extract a symmetric
key from a fingerprint without any side information.  However, with some
extra information it is possible to obscure a private key on a smartcard
such that the key is only recoverable given a fingerprint that matches the
original.  This allows all the biometric processing to happen on a
smartcard (and not on an untrusted terminal) without storing the
fingerprint itself on the smartcard.  An attacker needs both the card and
your fingerprint to recover your key.

[ t. charles clancy ]--[ tcc@....edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]------[ university of maryland, college park ]


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ