"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes: > Not wanting to have extended contest over this,

I'm afraid I'm not letting it drop.

> but all these absolutes in
> the comments are just too simplistic. Devices can be made as
> tamper-resistant as the threat- and value-model required.

No, they can't. That's an engineering hope, not an engineering reality.

The hope you're expressing is that "well, maybe we can't make it impossible to break this design, but we can make it cost more to break the system than breaking it will bring the bad guy, and we can do that without said tamper-resistance costing us more than we can afford."

This is a seductive idea since it is an exact analog of the usual "make it economically infeasible to break the key" arguments one hears in crypto, but there is a big difference -- the very, very big assumption that this can be done.

In crypto, it is easy -- you're making an exponential tradeoff between key length and cracking time -- simplistically, there are situations where adding bits to a key makes it exponentially harder to brute force break while often only linearly or at most polynomially more expensive to use, so you can trade off breaking expense against usage expense very easily.

However, in biometrics, the assumption that you can just make it "economically infeasible to break" at low cost is an assumption that is, generally, horribly wrong. Adding another two mm of steel to the casing around the camera doesn't make it appreciably more tamperproof, and neither does coating the camera in epoxy no matter how neat it is to show the investors.

We certainly would *wish* it to be the case that simple measures would make it exponentially harder to break biometric sensors, but wishing doesn't make engineering come true. Just because we would like there to be such designs doesn't mean they exist, and sadly they don't.

> I have worked a lot with zeroizing devices. It's really No Big
> Deal. Smartcards are tamper PROTECTED.

Such tamper protections fairly consistently fail. I'm unaware of any smart card system that has survived a serious assault. As for costs, the smart card hacks of the last few years tend to indicate that smart cards are pretty cheap to hack, too.

> A ccd retinal scanner can include cryptographic protections onchip.

I have yet to see a biometric scanner that would be difficult to hack, and I have very few ideas on how you could make it hard to hack. Putting "cryptographic protections onchip[sic]" sounds like a lovely idea, except it is both meaningless and useless -- meaningless because we've seen over and over again that you can inexpensively force devices to disgorge keys with fairly standard laboratory equipment, useless because you can simply feed the sensors what they want to hear since they are of necessity dependent on what the outside world is telling them. I have yet to observe a way to public key encrypt photons your light source shines out so you can be sure they're not tampered with before they return from an iris.

> C'mon, depending on "is-ness" is exactly the same cat-and-mouse game
> as authentication technologies that depend on "have-ness" and
> "know-ness" attributes.

I have no idea what the heck you're talking about there. Perhaps you do, perhaps not.

> All have strengths and weaknesses.

The "economically unfeasible to break" argument is a HOPE, not an objective reality. You can HOPE your system costs too much to break, but most of the time our evidence is that you simply haven't been around a sufficiently clever attacker during your design phase, and it only takes one sufficiently clever attacker mentioning how to do it for your system to fall.

Biometrics are not a reasonable way to defend financial systems or other systems where costs of security failure are high unless said biometrics are under physical control. If your retinal scanner is sent off site, you have no way to know what it is telling you has any connection with reality thereafter.

> A PROPERLY DESIGNED system provides a level of assurance commensurate with
> the value and threat models -

No, you HOPE that it is possible to design systems that can, without excess expense, achieve any given level of assurance against tampering, but the world has yet to back up this idea, any more than the world has been able to produce magically copy protected software or music, or magically secure operating systems, or other forms of magic people are constantly swindled on.

Just because sometimes engineering gets nice clean tradeoffs (like in key length) doesn't mean it always gets them. You just wish it did. Wishing doesn't make it true.

> That is all most certainly achievable, to essentially any desirable
> assurance level, modulo some dollar amount. Anyone claiming
> otherwise is simply wrong :)

I suppose since I'm simply wrong then, so would you be so kind as to tell me where I can buy the magic iris scanner that I can't break into with a little work in a reasonably equipped lab? I'd also like to know where to find the smart cards that haven't fallen to quite inexpensive assaults, since I'm unaware of them either.

Biometrics is all about convenience, and the silly thing about all of it is not only doesn't it work, it doesn't in practice add convenience, either. They are, however, a wonderful way for people to try to sell their systems as cool and high tech, so we unfortunately see the idea disinterred from its grave over and over.

--
Perry E. Metzger [EMAIL PROTECTED]
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/
