lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <B519E56A7A231C4286F099EF124CCB7F4B0665@cleut-xmb01>
Date: Tue, 10 Feb 2004 12:26:18 -0700
From: <David.Cross@....com>
To: <spamtrap.secfocus@....mailme.org>, <bugtraq@...urityfocus.com>
Cc: <markus-1977@....net>
Subject: RE: Hacking USB Thumbdrives, Thumprint authentication


Fingerprint data is difficult to hash since the comparators are fuzzy in nature.  Basically you are dealing with vectors or distances between minutiae (points of interest) and their direction including slant/curve.  Minutiae readings will differ slightly with each print sampling.  For accuracy each print has to be compared to each sample seeking a match.  The matching process can be time consuming.

That being said there is a way to fuzzify a representation of the print in a numeric form.  Since the algorithms produce an encrypted output of end points and vectors you are left to trying to attach statistical significance to the decrypted version of the algorithm output data.  Or you can fuzzify a representation of the image itself as most API's allow capture and storage of a bitmap of the print.   The captured prints will have variance in placement on the print window and will collect more or less white-space or skewed position.  Prints will also have more or less surface area depending on the pressure applied during the print capture process. (This is why the algorithms look for points of interest on the print and will refuse many finger placements during the print enrollment/verification process.)

Since I get paid for figuring out how to index prints I'll keep the secret to myself but you have the basics of what's needed to figure it out with the help of a little high school math.

Enjoy~
David Cross

P.S. hashing is a bad technique in this case because hash's must produce a unique result that you end up extremely similar inputs having vastly different hash output values.  In this case you want to reduce the pool of candidate prints and then do a 1 on 1 comparison of the reduced set.  Think more along the lines of averages rather than hashes...

Most systems will make you enter a pin or a username and then will do the 1 on 1 comparison because of the time cost of comparing all prints in the database.  Some companies sell systems that compare all prints in the database 1 on 1 to the input but you have the issue of buying an expensive server and you give up the two factor safety aspect.



-----Original Message-----
From: Dave Aronson [mailto:spamtrap.secfocus@....mailme.org] 
Sent: Friday, February 06, 2004 8:06 AM
To: bugtraq@...urityfocus.com
Cc: markus-1977@....net
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication

On Wed February 4 2004 13:37, markus-1977@....net wrote:

 > (to the best of my knowledge) there is no
 > hash-function out there that will hash your fuzzy fingerprint to a
 > constant value is it accepts and to something random if it rejects.

Law enforcement agencies use some kind of algorithm to convert 
fingerprints to a numeric value, so that they can be easily compared.  
This resulting value could of course be hashed.  Question is, is this 
something that (so far) a human must do, or is it automatable in real 
time by a reasonably small and low-priced system?

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ