...you might be right. But then they must have some kind of encryption key for encrypting passwords inside their (proprietary) software, if they don't store the passwords unencrypted in the database. If someone cracks their software he could find the key and decrypt all passwords stored in the database. However, for open source software this is not acceptable because everyone can find this key in the sources.

If there is really no one who has a better idea, I'll try to do it the following way in Fingerprint GUI:

- A primary key for encrypting passwords, stored along with the application on the host machine;
- The password database containing the encrypted user passwords, stored on an external medium (USB stick, floppy disk or the like);
- If the application finds the medium containing the password database at login time, it decrypts the user's password and hands it over to PAM;
- Any application (gnome-keyring etc.) can use PAM to obtain the password if allowed by the PAM configuration.

Then it is up to the user not to leave the USB stick in the host after a login and not to lose the computer along with the stick in the same place. I would be interested to hear what others have to say about this proposal.

BTW: The "libbsapi" from UPEK has a function to store some "user data" on the device. But reading this data is possible for everyone and is not "released" by some fingerprint. Also afaik the data doesn't persist over a power down.

Wolfgang Ullrich

On Wednesday, 29.10.2008, 10:16 +0000, Daniel Drake wrote:
> Wolfgang Ullrich wrote:
> > ...this is a problem I have been thinking over for some weeks also.
> > For me it would be nice to have some kind of a "pattern" that is always
> > the same for a given fingerprint. This could be used as a
> > "password" (after some translation into a human readable form) and then
> > be given to PAM after a fingerprint login. This way we could overcome
> > the requirement of giving a password to gnome-keyring (for example)
> > after fingerprint login.
> >
> > Some vendors like UPEK have solutions (password-safes or drive
> > encryptions) that are unlocked by a fingerprint. I could imagine they
> > need such a pattern derived from a fingerprint as an "unlock-key". So I
> > suspect there must be a way to derive a "constant pattern" from a
> > fingerprint.
>
> What vendors normally do is store the passwords in a database on disk,
> as well as enrollment data for the fingerprint. Then when the finger is
> scanned, it is compared to the enrollment data, and if successful then
> the software accesses the password database.
>
> I believe UPEK do something a little more advanced - they encrypt the
> database and store the encryption key inside the fingerprint reader. The
> hardware only "releases" the key when the hardware-based fingerprint
> matching returns positive. Regardless, the hashing problem still exists
> (to my knowledge).
>
> Daniel
>
> _______________________________________________
> fprint mailing list
> [email protected]
> http://lists.reactivated.net/mailman/listinfo/fprint
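The split-storage scheme proposed above (primary key on the host, encrypted password database on a removable medium, decryption only at login when both are present), as an added, stand-alone model. This is not code from Fingerprint GUI, fprint or UPEK. It assumes an encrypt-then-MAC construction built from HMAC-SHA256 in counter mode, chosen only because the Python standard library has no AES (a real implementation would use AES-GCM or similar from a vetted library), a JSON user-to-password database format, and illustrative function names (`seal`, `open_sealed`, `enroll`, `login`, `can_open`). The sample key and passwords are constructed for the demonstration.

```python
# Added example (not code from Fingerprint GUI, fprint or UPEK): a model of the
# split-storage scheme proposed in the mail above.  The host keeps a primary
# key; the encrypted password database lives on removable media; a password
# is only recoverable when both are present and the fingerprint matched.
#
# Assumptions: the stdlib has no AES, so the cipher here is HMAC-SHA256 run in
# counter mode as a keystream, with an encrypt-then-MAC tag.  A real
# implementation would use AES-GCM (or similar) from a vetted library.  The
# database format (JSON user -> password) and all names are illustrative.
import hashlib
import hmac
import json
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) for successive counters."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(primary_key: bytes, nonce: bytes):
    """Derive independent encryption and MAC keys from the host's primary key."""
    enc = hmac.new(primary_key, b"enc" + nonce, hashlib.sha256).digest()
    mac = hmac.new(primary_key, b"mac" + nonce, hashlib.sha256).digest()
    return enc, mac


def seal(primary_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    enc, mac = _subkeys(primary_key, nonce)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(primary_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt.  Raises on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated password database")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc, mac = _subkeys(primary_key, nonce)
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong host key or tampered password database")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def enroll(primary_key: bytes, passwords: dict) -> bytes:
    """Build the encrypted database that is written to the removable medium."""
    return seal(primary_key, json.dumps(passwords).encode())


def can_open(primary_key: bytes, medium_blob: bytes) -> bool:
    """Does this key open this medium?  Shows what each party alone gets."""
    try:
        open_sealed(primary_key, medium_blob)
        return True
    except ValueError:
        return False


def login(primary_key: bytes, medium_blob, user: str, fingerprint_matched: bool):
    """What the application would do at login time.

    Returns the user's password (to hand to PAM) only if the fingerprint
    matched AND the medium is present AND the host key opens it; None means
    'fall back to the normal password prompt'.  Note that fingerprint_matched
    is a software decision: whoever holds both the host (key) and the stick
    (database) can skip it, which is exactly the caveat in the proposal.
    """
    if not fingerprint_matched or medium_blob is None:
        return None
    db = json.loads(open_sealed(primary_key, medium_blob))
    return db.get(user)


# Constructed sample data for a stand-alone run.
SAMPLE_HOST_KEY = hashlib.sha256(b"constructed primary key on the host").digest()
SAMPLE_PASSWORDS = {"alice": "correct horse battery", "bob": "hunter2"}
SAMPLE_MEDIUM = enroll(SAMPLE_HOST_KEY, SAMPLE_PASSWORDS)   # what goes on the USB stick

if __name__ == "__main__":
    print("login, finger ok, stick present :", login(SAMPLE_HOST_KEY, SAMPLE_MEDIUM, "alice", True))
    print("login, finger ok, stick absent  :", login(SAMPLE_HOST_KEY, None, "alice", True))
    print("stick alone (wrong key) opens?  :", can_open(b"\x00" * 32, SAMPLE_MEDIUM))
```

The point the model makes concrete is the one Daniel's reply leaves open: nothing here is derived from the fingerprint itself. The match result is a boolean in software, so the scheme only raises the bar against an attacker who gets the stick without the host (tag verification fails under any other key) or the host without the stick (nothing to decrypt); an attacker who takes both gets every password, exactly as the proposal admits.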
