Security Basics mailing list archives

RE: Biometric Alternatives


From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Thu, 5 Jun 2003 11:54:13 -0500

One thing you have to be very, very, careful of with the biometric stuff is
the implementation details.

Bolt-on biometrics can be BAD, very, very bad.  ESPECIALLY the 'low impact'
form, i.e. the ones that are solely on the workstation.

If the product does not have a server component, it means that - under the
covers as it were - they are calling the original Microsoft login routine,
msgina.dll, with your userid and password!  What they do is to replace
msgina.dll with their own version that intercepts the login, captures/tests
the biometric and then calls the original msgina.dll with the user's id and
password.

Makes you wonder how they get your windows id and password, and how securely
it's stored, right?

The first half is easy - it occurs when you 'Register' the user's biometric
signature.  It, plus the other requested data (windows userid and password),
gets stored in a database that maps that signature to the OS password.

Whether it's an MD5 digest of the iris print, or the fingerprint minutiae or
(scary for other reasons) the fingerprint itself, or whatever, there's that
database tuple (biometric, userid, password).  One HOPES it's stored in an
encrypted form, but the password HAS TO BE recoverable, so it can be sent to
the actual windows authentication agent.

The risk?

Well, your windows password is present, in some (hopefully) encrypted but
recoverable form on the system.  If I can gain access to the physical
system, grab that database and decrypt it, I've got your real password.

The recommendation?

Before implementing a biometrics solution, ask the hard questions about how
it's implemented.  Any vendor that has thought the issues through and done a
competent job should be happy to find a knowledgeable customer and be more
than willing to show you how they achieve the strength of their system.  If
the vendor won't give you the information, grab your money off the table and
RUN the other way.


-----Burton
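A model of the design Burton describes, added here as an illustration and not code from the post or from any vendor's product: a workstation-only replacement GINA keeps the (biometric, userid, password) tuple on the host and must turn the password back into cleartext to hand it to the original login routine, so an auditor's check on the data at rest succeeds by construction. All names, the stand-in `real_gina_login`, the constructed account and the toy keystream cipher are assumptions standing in for whatever a real product uses.

```python
import hashlib
import secrets

# Constructed sample account for the stand-in "original msgina.dll": Windows itself keeps
# only a one-way digest of the password, so nothing here can be turned back into cleartext.
WINDOWS_ACCOUNTS = {"alice": hashlib.sha256(b"Tr0ub4dor&3").hexdigest()}


def real_gina_login(userid: str, password: str) -> bool:
    """Stand-in for the original Windows login routine the wrapper calls under the covers."""
    return WINDOWS_ACCOUNTS.get(userid) == hashlib.sha256(password.encode()).hexdigest()


def biometric_template(sample: bytes) -> str:
    """Stand-in for whatever the product stores (the post mentions a digest or minutiae)."""
    return hashlib.sha256(sample).hexdigest()


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy reversible cipher (hash-derived keystream XOR); illustrative only, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class LocalOnlyGinaWrapper:
    """Models the workstation-only replacement GINA: it keeps the tuple
    (biometric, userid, password) on the host and replays the password to the real login."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # has to live on the same machine as the database
        self.db = {}  # biometric template -> (userid, reversibly encrypted password)

    def register(self, sample: bytes, userid: str, password: str) -> None:
        self.db[biometric_template(sample)] = (userid, _stream_xor(self.key, password.encode()))

    def login(self, sample: bytes) -> bool:
        rec = self.db.get(biometric_template(sample))
        if rec is None:
            return False
        userid, enc = rec
        # The password must come back out in cleartext to be handed to the real msgina.dll.
        return real_gina_login(userid, _stream_xor(self.key, enc).decode())


def password_recoverable_at_rest(wrapper: LocalOnlyGinaWrapper) -> bool:
    """Auditor's check: do the database and key present on this host yield passwords the
    real login accepts? True means a copy of the workstation is as good as the password."""
    return bool(wrapper.db) and all(real_gina_login(uid, _stream_xor(wrapper.key, enc).decode())
                                    for uid, enc in wrapper.db.values())
```

The contrast to ask the vendor about is the last function: against the one-way digest in `WINDOWS_ACCOUNTS` no such check can succeed, while the wrapper's store answers it by design.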


