RE: Hacking USB Thumbdrives, Thumprint authentication
Dear Markus,
I totally agree with you that a biometric system can be compromised, but
then most of the security systems can be compromised. It is only the
effort required and complexity involved that sets any system apart. In
this angle, having worked with biometric devices and having developed
applications using fingerprint readers before, I feel that the modern
day biometric readers are a far improved lot and are really very
effective for logical and physical access control systems. 
1) Many of the fingerprint authentication systems do encrypt the
fingerprint data before storing it in the database or as a digest file.
Of course this is not a one way hash, but mostly a symmetric encryption
that happens.
2) With the arrival of optic based fingerprint scanners, the probability
of getting authenticated on latent fingerprints (or by using a lifted
fingerprint) is very minimal.
3) And you can use all the ten fingers of yours for authentication; it
need not always be your thumbprint alone.
The only disadvantage in this area, as rightly brought out by you, is
1) There is no standard amongst hardware manufacturers. Therefore there
is no compatibility between different hardware. The BioAPI which is a
consortium for Biometric Development is doing a great job in laying the
rules of the game. However we need to still go a lot further before
biometrics can get a de facto standard in the security industry.
Having said all that, I still agree that it is always better to go for
dual factor authentication ('Are' + 'Know' or 'Have').
Regards
C.Navaneetharangan CISA
-----Original Message-----
From: markus-1977@xxxxxxx [mailto:markus-1977@xxxxxxx] 
Sent: Thursday, February 05, 2004 12:08 AM
To: David.Cross@xxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Hacking USB Thumbdrives, Thumprint authentication
Hey,
> I've been working with fingerprint authentication devices for over 9 years
> now.  The basis for the research quoted on cracking these devices is weak.
> Is it possible to devise a way to fool fingerprint readers?... given enough
> time, gummy bears and glue?  It may be possible but having tested the devices
> over a number of years I can say that it is very difficult.  By the time a
> person was able to do lithography and form a "gummy finger" of some type
> their password could have been stolen hundreds of times over by a hardware
> key-logger or socially engineered.
There are a few things that are very disturbing about Biometrics (even with
a better reader), though:

a) biometrics are no secrets (I leave my fingerprint everywhere); retinas
are readable from some distance... where do you get a new thumb-print, when it
gets compromised? Yes, for good security it should be "know" and "have", but
look at what's going on in practice: They want to introduce fingerprints in
passports - why not have a pin as well?

b) security depends a lot on the reader, i.e. the "life-detection". Just
what will happen when all the countries agree on having fingerprints in the
passports. Will the readers in some third-world countries be as secure as in the
US/EU? What will happen when somebody can fake my entry into some country? Or
assume it will be used for payment or something like that... Will all the
readers be secure enough to detect gummy fingers? A pin-pad on the other hand
is relatively simple...

c) Biometrics is always "fuzzy comparison". If I have a pin, it's either
correct or not. If the PIN/password is difficult enough, I can encrypt stuff
with it. If only a hash is stored, then the device will not "know" the correct
password to decrypt my secrets but can verify that the user knows it.
Biometrics on the other hand always compares to a reference stored
somewhere. The reference is in the clear, because (to the best of my knowledge)
there is no hash-function out there that will hash your fuzzy fingerprint to a
constant value if it accepts and to something random if it rejects. That means
that data on the Thumbdrives is most likely not "encrypted" with your
fingerprint. Most likely it will make some comparison and then allow or deny
access. There is some work in progress to extract keys from fingerprints,
though. However, it'll take some time until we will find this in products...
Markus
-- 
The early bird gets the worm. If you want
something else for breakfast, get up later.
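The two technical points argued in this thread, Navaneetharangan's note that fingerprint templates are stored under symmetric encryption rather than a one-way hash, and Markus's point (c) that a matcher needs the reference in the clear because a noisy input cannot be hashed, while "work in progress" tries to extract keys from fingerprints, as an added Python illustration that is not part of either message. It puts the three designs side by side: an exact PIN check against a salted hash, a fuzzy threshold compare against a stored template, and a toy fuzzy commitment (Juels-Wattenberg style) that binds a random key to the template so the device stores only helper data plus a hash of the key and re-derives the key from a close-enough probe. All bit strings are constructed stand-ins for a fingerprint template; the repetition code is a toy stand-in for the error-correcting code a real scheme would use, and such a short code leaks more about the template through its helper data than a production fuzzy extractor would.

```python
"""Added illustration: exact secret vs. fuzzy template vs. fuzzy commitment.
All 'templates' are constructed bit lists, not real biometric data."""
import hashlib
import hmac
import random

# ---- 1. Exact secret: a PIN verified through a salted one-way hash ----------
def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def verify_pin(pin: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time compare; the device cannot recover the PIN from `stored`.
    return hmac.compare_digest(hash_pin(pin, salt), stored)

# ---- 2. Fuzzy comparison: the reference template must be available ----------
def hamming(a, b) -> int:
    return sum(x != y for x, y in zip(a, b))

def verify_template(probe, reference, max_errors: int) -> bool:
    # The matcher reads `reference` itself (clear or decrypted); a hash of it
    # would be useless, since a probe never equals the reference bit for bit.
    return hamming(probe, reference) <= max_errors

# ---- 3. Fuzzy commitment: bind a key to the template, store only helper data -
REP = 5  # toy repetition code: each key bit stored 5 times, corrects <= 2 flips per group

def encode(key_bits):
    return [b for b in key_bits for _ in range(REP)]

def decode(code_bits):
    # Majority vote inside each group of REP bits.
    return [int(sum(code_bits[i:i + REP]) * 2 > REP)
            for i in range(0, len(code_bits), REP)]

def key_hash(key_bits) -> bytes:
    return hashlib.sha256("".join(map(str, key_bits)).encode()).digest()

def commit(template_bits, key_bits):
    """Enrolment: returns (helper_data, key_hash); the template itself is not kept."""
    codeword = encode(key_bits)
    assert len(codeword) == len(template_bits), "template length must be key length * REP"
    helper = [t ^ c for t, c in zip(template_bits, codeword)]
    return helper, key_hash(key_bits)

def open_commitment(probe_bits, helper, stored_hash):
    """Verification: re-derive the key from a noisy probe, or None if too noisy."""
    noisy_codeword = [p ^ h for p, h in zip(probe_bits, helper)]
    candidate = decode(noisy_codeword)
    if hmac.compare_digest(key_hash(candidate), stored_hash):
        return candidate          # this key can now decrypt the user's data
    return None

def flip(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

def demo():
    rng = random.Random(2004)                    # deterministic constructed data
    key = [rng.randrange(2) for _ in range(16)]  # 16-bit toy key -> 80-bit template
    template = [rng.randrange(2) for _ in range(16 * REP)]
    helper, h = commit(template, key)
    ok_probe = flip(template, [0, 1])            # 2 flips in one group: corrected
    bad_probe = flip(template, [0, 1, 2])        # 3 flips in one group: majority wrong
    salt = b"constructed-salt"
    stored_pin = hash_pin("1234", salt)
    return {
        "pin_ok": verify_pin("1234", salt, stored_pin),
        "pin_bad": verify_pin("1235", salt, stored_pin),
        "fuzzy_ok": verify_template(ok_probe, template, max_errors=4),
        "fuzzy_bad": verify_template(flip(template, range(10)), template, max_errors=4),
        "commit_ok": open_commitment(ok_probe, helper, h) == key,
        "commit_bad": open_commitment(bad_probe, helper, h) is None,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The contrast worth noticing is in what each design has to store: design 1 keeps a digest the device cannot invert, design 2 keeps the template itself (encrypting it only moves the problem to wherever the decryption key lives), and design 3 keeps helper data plus a key hash, so a close-enough finger yields a usable key the way a correct PIN does. How much the helper data reveals depends on the code and the entropy of the template, which is exactly the open problem the thread alludes to.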