> The scan that's taken on the reader when you put your finger on it has
> to be compared against a known template (or templates). If enough of
> the minutiae points match, then your fingerprint is judged to be a match.
> A minutia is a point where a ridge ends or branches.
Actually, my understanding of the Digital Persona algorithm is that it
is based on pattern matching rather than minutiae. Furthermore, I've
heard that it was developed using the Matrox image processing SDK, FWIW.
> So, the template has to be stored in the clear, or encrypted with
> a key that's embedded in the U.are.U software and hidden using
> the usual software tamper-resistance techniques.... which of
> course can be cracked, allowing the attacker to replace the
> template with his own.
This would be a good issue to bring up with them directly. By the way,
I asked them once how I could be sure there is no back door into the
system. They merely said "there is no back door."
> Worse, you can't store anything in a scan/template other than biometric
> data. So where's your Blowfish key? Encrypted with a key stored in the
> U.are.U program and stored on disk? Is it a function of your biometric?
> (unlikely, as biometrics change and Digital Persona doesn't want to lock
> you out of your files if you cut your finger).
Ideally, a truly secure system would rely on three things in order to
grant you access: something you know (a passphrase), something you have
(e.g. a smartcard), and something you are (a biometric). I rather like
the American Biometrics Biomouse Plus because it has an integrated
smartcard reader. It doesn't come bundled with any terribly useful
software though. What's really needed is a unit with a small keyboard
as well.
Maybe we should just design and market our own product.
--PH