[<prev] [next>] [day] [month] [year] [list]
Message-ID: <B519E56A7A231C4286F099EF124CCB7F4B0665@cleut-xmb01>
Date: Tue, 10 Feb 2004 12:26:18 -0700
From: <David.Cross@....com>
To: <spamtrap.secfocus@....mailme.org>, <bugtraq@...urityfocus.com>
Cc: <markus-1977@....net>
Subject: RE: Hacking USB Thumbdrives, Thumprint authentication
Fingerprint data is difficult to hash since the comparators are fuzzy in nature. Basically you are dealing with vectors or distances between minutiae (points of interest) and their direction including slant/curve. Minutiae readings will differ slightly with each print sampling. For accuracy each print has to be compared to each sample seeking a match. The matching process can be time consuming.
That being said there is a way to fuzzify a representation of the print in a numeric form. Since the algorithms produce an encrypted output of end points and vectors you are left to trying to attach statistical significance to the decrypted version of the algorithm output data. Or you can fuzzify a representation of the image itself as most API's allow capture and storage of a bitmap of the print. The captured prints will have variance in placement on the print window and will collect more or less white-space or skewed position. Prints will also have more or less surface area depending on the pressure applied during the print capture process. (This is why the algorithms look for points of interest on the print and will refuse many finger placements during the print enrollment/verification process.)
Since I get paid for figuring out how to index prints I'll keep the secret to myself but you have the basics of what's needed to figure it out with the help of a little high school math.
Enjoy~
David Cross
P.S. hashing is a bad technique in this case because hash's must produce a unique result that you end up extremely similar inputs having vastly different hash output values. In this case you want to reduce the pool of candidate prints and then do a 1 on 1 comparison of the reduced set. Think more along the lines of averages rather than hashes...
Most systems will make you enter a pin or a username and then will do the 1 on 1 comparison because of the time cost of comparing all prints in the database. Some companies sell systems that compare all prints in the database 1 on 1 to the input but you have the issue of buying an expensive server and you give up the two factor safety aspect.
-----Original Message-----
From: Dave Aronson [mailto:spamtrap.secfocus@....mailme.org]
Sent: Friday, February 06, 2004 8:06 AM
To: bugtraq@...urityfocus.com
Cc: markus-1977@....net
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication
On Wed February 4 2004 13:37, markus-1977@....net wrote:
> (to the best of my knowledge) there is no
> hash-function out there that will hash your fuzzy fingerprint to a
> constant value is it accepts and to something random if it rejects.
Law enforcement agencies use some kind of algorithm to convert
fingerprints to a numeric value, so that they can be easily compared.
This resulting value could of course be hashed. Question is, is this
something that (so far) a human must do, or is it automatable in real
time by a reasonably small and low-priced system?
--
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson
Powered by blists - more mailing lists