so a countermeasure for the stolen-card scenario ... just to make the fingerprint compromise of the card slightly harder than the common scenario of the PIN compromise with a PIN written on the card (this is in addition to various liveness tests built into sensors).
... let's say you register the little finger and the finger next to the little finger from the hand that you are least likely to use when handling a card (or water glass). Either of those two fingers is used in the chip scenario case; both the PIN/password and biometric are claimed to have a non-shared-secret paradigm implementation .... aka PIN/password and/or the biometric are registered in your card .... not someplace else. The issue of the card operating is based on the card comparing the information. The assumption is 1) chip-based 2) non-shared-secret paradigm 3) common situation where people write the PIN on the card 4) compromise starts with the minimum of stealing the card first. So the issue for this non-shared-secret, "something you have" paradigm is: can "something you are" be used in place of "something you know" (and the associated shortcomings) and be more difficult to compromise (not impossible, just more difficult ... and therefore cost more for the attacker). Now, a person that absolutely guarantees that they will use a minimum of an 8-digit random PIN and never write it anywhere .... could elect to have a card that was PIN operated rather than biometric operated. In the card case, the transaction works the same .... it is just an infrastructure issue of whether it wants PIN'ed chips or biometric chips. There seems to be a large body of people for whom biometric chips are much less subject to compromise (because of various human memory issues).

random shared secret &/or biometric refs:
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo1 QC Bio-info leak?
http://www.garlic.com/~lynn/aadsmore.htm#biosigs biometrics and electronic signatures
http://www.garlic.com/~lynn/aadsmore.htm#biosigs2 biometrics and electronic signatures
http://www.garlic.com/~lynn/aadsm2.htm#privacy Identification and Privacy are not Antinomies
http://www.garlic.com/~lynn/aadsm2.htm#stall EU digital signature initiative stalled
http://www.garlic.com/~lynn/aadsm2.htm#strawm3 AADS Strawman
http://www.garlic.com/~lynn/aadsm2.htm#pkikrb PKI/KRB
http://www.garlic.com/~lynn/aadsm3.htm#cstech4 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech5 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech6 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech8 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech12 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#kiss2 Common misconceptions, was Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp-00.txt))
http://www.garlic.com/~lynn/aadsm3.htm#kiss8 KISS for PKIX
http://www.garlic.com/~lynn/aadsm3.htm#kiss9 KISS for PKIX .... password/digital signature
http://www.garlic.com/~lynn/aadsm4.htm#7 Public Key Infrastructure: An Artifact...
http://www.garlic.com/~lynn/aadsm5.htm#shock revised Shocking Truth about Digital Signatures
http://www.garlic.com/~lynn/aadsm5.htm#shock2 revised Shocking Truth about Digital Signatures
http://www.garlic.com/~lynn/aadsm6.htm#websecure merchant web server security
http://www.garlic.com/~lynn/aadsm6.htm#terror [FYI] Did Encryption Empower These Terrorists?
http://www.garlic.com/~lynn/aadsm7.htm#cryptofree Erst-Freedom: Sic Semper Political Cryptography
http://www.garlic.com/~lynn/aadsm7.htm#rhose9 when a fraud is a sale, Re: Rubber hose attack
http://www.garlic.com/~lynn/aadsm7.htm#rhose12 when a fraud is a sale, Re: Rubber hose attack
http://www.garlic.com/~lynn/aadsm7.htm#rhose13 when a fraud is a sale, Re: Rubber hose attack
http://www.garlic.com/~lynn/aadsm8.htm#softpki8 Software for PKI
http://www.garlic.com/~lynn/aadsm8.htm#softpki11 Software for PKI
http://www.garlic.com/~lynn/aadsm8.htm#3dvulner 3D Secure Vulnerabilities?
http://www.garlic.com/~lynn/aadsm9.htm#carnivore2 Shades of FV's Nathaniel Borenstein: Carnivore's "Magic Lantern"
http://www.garlic.com/~lynn/aadsm9.htm#cfppki9 CFP: PKI research workshop
http://www.garlic.com/~lynn/aadsm10.htm#tamper Limitations of limitations on RE/tampering (was: Re: biometrics)
http://www.garlic.com/~lynn/aadsm10.htm#biometrics biometrics
http://www.garlic.com/~lynn/aepay3.htm#votec (my) long winded observations regarding X9.59 & XML, encryption and certificates
http://www.garlic.com/~lynn/aepay3.htm#mcomm (my) misc. additional comments on X9.59 issues.
http://www.garlic.com/~lynn/aepay3.htm#aadsrel1 AADS related information
http://www.garlic.com/~lynn/aepay3.htm#passwords Passwords don't work
http://www.garlic.com/~lynn/aepay3.htm#x959risk3 Risk Management in AA / draft X9.59
http://www.garlic.com/~lynn/aepay4.htm#nyesig e-signatures in NY
http://www.garlic.com/~lynn/aepay6.htm#x959b X9.59 Electronic Payment standard issue
http://www.garlic.com/~lynn/aepay6.htm#harvest2 shared secrets, CC#, & harvesting CC#
http://www.garlic.com/~lynn/aepay6.htm#cacr7 7th CACR Information Security Workshop
http://www.garlic.com/~lynn/aepay6.htm#erictalk Announce: Eric Hughes giving Stanford EE380 talk this
http://www.garlic.com/~lynn/aepay6.htm#dspki5 use of digital signatures and PKI (addenda)
http://www.garlic.com/~lynn/aepay7.htm#ssexploit Shared Secret exploit
http://www.garlic.com/~lynn/aepay7.htm#netbank net banking, is it safe?? ... power to the consumer
http://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aepay7.htm#3dsecure2 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aepay8.htm#vulner account number & shared secret vulnerabilities
http://www.garlic.com/~lynn/aepay10.htm#5 I-P: WHY I LOVE BIOMETRICS BY DOROTHY E. DENNING
http://www.garlic.com/~lynn/aepay10.htm#8 FSTC to Validate WAP 1.2.1 Specification for Mobile Commerce
http://www.garlic.com/~lynn/99.html#157 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#160 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#165 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#166 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#168 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#170 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#172 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#189 Internet Credit Card Security
http://www.garlic.com/~lynn/99.html#214 Ask about Certification-less Public Key
http://www.garlic.com/~lynn/99.html#226 Attacks on a PKI
http://www.garlic.com/~lynn/99.html#228 Attacks on a PKI
http://www.garlic.com/~lynn/99.html#235 Attacks on a PKI
http://www.garlic.com/~lynn/99.html#238 Attacks on a PKI
http://www.garlic.com/~lynn/2000.html#39 "Trusted" CA - Oxymoron?
http://www.garlic.com/~lynn/2000.html#57 RealNames hacked. Firewall issues.
http://www.garlic.com/~lynn/2000.html#60 RealNames hacked. Firewall issues.
http://www.garlic.com/~lynn/2000b.html#53 Digital Certificates-Healthcare Setting
http://www.garlic.com/~lynn/2000b.html#90 Question regarding authentication implementation
http://www.garlic.com/~lynn/2000b.html#92 Question regarding authentication implementation
http://www.garlic.com/~lynn/2000f.html#1 Why trust root CAs ?
http://www.garlic.com/~lynn/2000f.html#4 Why trust root CAs ?
http://www.garlic.com/~lynn/2000f.html#7 Why trust root CAs ?
http://www.garlic.com/~lynn/2000g.html#5 e-commerce: Storing Credit Card numbers safely
http://www.garlic.com/~lynn/2000g.html#33 does CA need the proof of acceptance of key binding ?
http://www.garlic.com/~lynn/2000g.html#34 does CA need the proof of acceptance of key binding ?
http://www.garlic.com/~lynn/2000g.html#49 Use of SET?
http://www.garlic.com/~lynn/2001c.html#30 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#34 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#39 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#40 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#41 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#42 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#54 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#60 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001f.html#25 Question about credit card number
http://www.garlic.com/~lynn/2001f.html#31 Remove the name from credit cards!
http://www.garlic.com/~lynn/2001g.html#11 FREE X.509 Certificates
http://www.garlic.com/~lynn/2001g.html#38 distributed authentication
http://www.garlic.com/~lynn/2001h.html#5 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001h.html#7 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001h.html#58 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#9 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#16 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#25 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#35 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#36 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#57 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#0 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#2 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#9 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#44 Does "Strong Security" Mean Anything?
http://www.garlic.com/~lynn/2001j.html#49 Are client certificates really secure?
http://www.garlic.com/~lynn/2001j.html#52 Are client certificates really secure?
http://www.garlic.com/~lynn/2001k.html#1 Are client certificates really secure?
http://www.garlic.com/~lynn/2001k.html#34 A thought on passwords
http://www.garlic.com/~lynn/2001k.html#58 I-net banking security
http://www.garlic.com/~lynn/2001k.html#61 I-net banking security
http://www.garlic.com/~lynn/2001m.html#5 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#41 Solutions to Man in the Middle attacks?
http://www.garlic.com/~lynn/2001n.html#94 Secret Key Infrastructure plug compatible with PKI
http://www.garlic.com/~lynn/2002.html#9 How to get 128-256 bit security only from a passphrase?
http://www.garlic.com/~lynn/2002.html#39 Buffer overflow

[EMAIL PROTECTED] on 1/28/2002 10:47 am wrote:

On Sun, 2002-01-27 at 14:07, [EMAIL PROTECTED] wrote:
> The issue then is that biometric represents a particularly
> difficult shared-secret that doesn't have to be memorized

Shared "secret"? People don't leave a copy of their PIN on every water glass they use.

-- sidney
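Added example, not code from the post above nor from any AADS/X9.59 implementation: a Python model of the chip-side arrangement the post describes, where the PIN or fingerprint reference is registered only in the card, the card does the comparison, and the infrastructure holds nothing but the card's public key and checks a digital signature over the transaction. Everything concrete here is an assumption made for the demonstration: the signature is textbook RSA (SHA-256 of the message, then modular exponentiation, no padding) over freshly generated 512-bit primes; the fingerprint "template" is a constructed 256-bit feature vector compared by Hamming distance against a threshold; the card locks after three failed tries. It walks the post's cases: holder with a PIN card, a stolen PIN card with the PIN written on it, a stolen PIN card with the PIN unknown, a holder and an impostor with a biometric card, and a signature replayed on a different transaction.

```python
"""Toy chip card: on-card PIN/biometric comparison, signature out, no shared secret.
Constructed for illustration only; the RSA here is unpadded and the biometric
matching is a made-up Hamming-distance rule."""
import hashlib
import hmac
import secrets


# ---- toy RSA signature (assumption: textbook RSA over a SHA-256 digest) ----
def is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for generating demonstration keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top and low bit
        if is_probable_prime(n):
            return n


def rsa_keypair(bits=1024):
    """Return ((n, e), (n, d)). e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    n, d = priv
    return pow(_digest_int(msg), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg)


def hamming(a, b):
    """Bit distance between two feature vectors; unequal lengths never match."""
    if len(a) != len(b):
        return 8 * max(len(a), len(b))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class ChipCard:
    """Either a PIN'ed chip or a biometric chip. The reference value is registered
    in the card at issue and there is deliberately no method to read it back."""
    MAX_TRIES = 3  # lockout is what makes 'something you have' worth stealing only once

    def __init__(self, pin=None, template=None, threshold=12):
        if (pin is None) == (template is None):
            raise ValueError("register exactly one of pin or template")
        self.public_key, self._private_key = rsa_keypair()
        self._pin_hash = hashlib.sha256(pin.encode()).digest() if pin else None
        self._template, self._threshold = template, threshold  # assumed matching rule
        self._tries_left = self.MAX_TRIES

    @property
    def blocked(self):
        return self._tries_left == 0

    def _matches(self, pin, fingerprint):
        if self._pin_hash is not None:
            return pin is not None and hmac.compare_digest(
                hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return fingerprint is not None and hamming(fingerprint, self._template) <= self._threshold

    def authorize(self, transaction, pin=None, fingerprint=None):
        """Compare inside the card. Success resets the counter and returns a signature;
        failure burns one try and returns None. Nothing secret leaves the card."""
        if self.blocked or not self._matches(pin, fingerprint):
            self._tries_left = max(0, self._tries_left - 1)
            return None
        self._tries_left = self.MAX_TRIES
        return sign(self._private_key, transaction)


def bank_accepts(registered_public_key, transaction, sig):
    """All the infrastructure ever registered for this card is its public key."""
    return sig is not None and verify(registered_public_key, transaction, sig)


def run_scenarios():
    """Walk the post's cases; returns which attempts the bank accepts (all inputs constructed)."""
    txn = b"pay merchant 4711 amount 42.00 seq 1"
    enrolled = hashlib.sha256(b"constructed enrolment scan").digest()      # 256-bit template
    later_scan = bytearray(enrolled)
    for bit in (3, 77, 190):                                                # sensor noise
        later_scan[bit // 8] ^= 1 << (bit % 8)
    impostor_scan = hashlib.sha256(b"constructed impostor scan").digest()
    pin_card, bio_card, r = ChipCard(pin="1234"), ChipCard(template=enrolled), {}
    r["holder_pin"] = bank_accepts(pin_card.public_key, txn, pin_card.authorize(txn, pin="1234"))
    # PIN written on the stolen card: the card cannot tell thief from holder
    r["thief_pin_written_on_card"] = bank_accepts(pin_card.public_key, txn, pin_card.authorize(txn, pin="1234"))
    guesses = [pin_card.authorize(txn, pin=g) for g in ("0000", "1111", "2222")]
    r["thief_pin_guessing"] = any(bank_accepts(pin_card.public_key, txn, s) for s in guesses)
    r["pin_card_blocked"] = pin_card.blocked
    r["holder_after_block"] = bank_accepts(pin_card.public_key, txn, pin_card.authorize(txn, pin="1234"))
    r["thief_bio"] = bank_accepts(bio_card.public_key, txn, bio_card.authorize(txn, fingerprint=impostor_scan))
    sig = bio_card.authorize(txn, fingerprint=bytes(later_scan))
    r["holder_bio"] = bank_accepts(bio_card.public_key, txn, sig)
    r["replay_on_other_txn"] = bank_accepts(bio_card.public_key, txn + b" seq 2", sig)
    return r


if __name__ == "__main__":
    for case, accepted in run_scenarios().items():
        print(f"{case:28s} {'accepted' if accepted else 'rejected'}")
```

The point the model makes is the one in the post: with the comparison inside the card, compromise has to start by stealing the card, and the written-down PIN is the only case where the thief then gets through at no further cost. The signature, not the PIN or template, is what crosses the wire, so harvesting the bank's database yields public keys only.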
