Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

more on Biometric Innovation Breakthrough answers UK ID Card Security Fears

From: David Farber <dave () farber net>
Date: Thu, 30 Jun 2005 12:19:58 -0400


Begin forwarded message:

From: Tom Goltz <tgoltz () QuietSoftware com>
Date: June 30, 2005 11:06:57 AM EDT
To: dave () farber net
Cc: Brian Randell <Brian.Randell () newcastle ac uk>
Subject: Re: [IP] Biometric Innovation Breakthrough answers UK ID Card Security Fears 


At 04:41 AM 6/30/2005, you wrote:


This "understated" commercial press release has been issued the very
day that the UK Parliament is debating the Government's controversial
ID Card proposals.



My bogo-meter has just jumped completely off the scale.
They say NOTHING about how they are preventing replay attacks using duplicated fingers. So far, virtually all of the available "fingerprint sensors" have proven to be easily fooled using duplicate fingers that are trivial to manufacture. The claim that their system will only work with a "live finger" is completely unsupported.
The core "innovation" here appears to be that they're building their blob using the image of multiple fingerprints in a sequence determined by the individual. In other words, they're going from a single-digit PIN to a multiple-digit PIN. As in standard numeric PIN's, this makes it harder to steal and reproduce the sequence, but falls completely short of the "impossible" that they claim. All of the standard attacks against a multiple-digit numeric PIN that is stored in hashed form still apply here.
I also have serious questions about the usability of the proposed system. A significant portion of the population has drier-than- normal skin (I'm one of them), and most of the fingerprint sensors that I have tried have trouble "reading" my fingers. It's difficult enough to get a valid read on a single one of my fingers, let alone a sequence of multiple fingers. I shudder to think about the length of the queues that will result from people having to fight with the fingerprint reader for many, many minutes each to get a valid biometric input to the system.
There are also no details on how their system is going to provide and enforce the promised information access controls. This is a completely separate issue from how the fingerprint biometric is calculated.
I'm sure Bruce Schneier could do an even more devastating job of debunking these guys, but this is at least a start. 




-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: