To rephrase in the language of security:

The requirement is a non-repudiable, non-forgeable, single identity
token.
The mooted solution is iris scanning, because it is unique, and
supposedly hard to copy.
The premise is that this can be used solely on the basis of "something
you have or are" as opposed to the time-honored double verification of
"something you have and something you know".
Applying basic logic, this means that the mooted solution is only valid
if the token (the iris) is indeed cryptographically valid (meaning it is
more complex to crack or spoof than the equivalently acceptable crypto
algorithm), i.e. non-clonable/stealable for the required level of access.

Since you can always kidnap someone or their family, and hold a gun to
their head to make them scan their own real eye, and if there is no
secondary authentication that could allow for a "I've been compromised"
response, the whole concept of iris scanning as a single token is
busted.
The invalidity of just scanning an iris as a means of access control and
authentication has nothing to do with the uniqueness of the iris, and
everything to do with the ease of acquiring a particular iris with the
access you require.
Absent the ability to further authenticate the legitimacy of the access
request, to include appropriate response to duress (don't lock out,
allow access and then interdict), any access control method fails the
basic logic of defense against probable attack scenarios.
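The duress point above (a coerced user should be let in and then interdicted, not locked out, and a bare iris match should never be enough on its own) as an added decision-logic example, not code from the original post; the request/enrollment types, PIN codes and alert list are constructed for illustration:

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    DENY = "deny"
    GRANT = "grant"
    # Access is granted so the coercer sees nothing unusual; security is alerted.
    GRANT_AND_INTERDICT = "grant_and_interdict"


@dataclass(frozen=True)
class AccessRequest:
    iris_matched: bool          # "something you are": the scanner's verdict
    pin: Optional[str] = None   # "something you know": None if not supplied


@dataclass(frozen=True)
class Enrollment:
    normal_pin: str             # hypothetical second factor
    duress_pin: str             # distinct code that signals coercion


@dataclass
class Guard:
    enrolled: Enrollment
    silent_alerts: List[str] = field(default_factory=list)

    def decide(self, req: AccessRequest) -> Decision:
        # A matching iris alone is insufficient: irises can be coerced,
        # photographed or otherwise acquired, so require the knowledge factor.
        if not req.iris_matched or req.pin is None:
            return Decision.DENY
        # Constant-time comparison so the PIN check leaks no timing information.
        if hmac.compare_digest(req.pin, self.enrolled.duress_pin):
            # Do not lock out: let the request through and flag it for response.
            self.silent_alerts.append("duress code presented; interdict")
            return Decision.GRANT_AND_INTERDICT
        if hmac.compare_digest(req.pin, self.enrolled.normal_pin):
            return Decision.GRANT
        return Decision.DENY


# Constructed enrollment used by the tests below.
GUARD = Guard(Enrollment(normal_pin="2468", duress_pin="1357"))
```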
From: [email protected] [mailto:[email protected]]
On Behalf Of Dan Kaminsky
Sent: Friday, August 06, 2010 4:27 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [funsec] To see why iris scanning can be a biometric ...
Anything can be a biometric.  The problem is we leak the damn things all
over the place.

On Fri, Aug 6, 2010 at 8:18 PM, Rob, grandpa of Ryan, Trevor, Devon &
Hannah <[email protected]> wrote:

http://www.photographyserved.com/Gallery/Your-beautiful-eyes/428809

======================  (quote inserted randomly by Pegasus Mailer)
[email protected]     [email protected]     [email protected]
After the rush is over, I'm going to have a nervous breakdown.
I've worked for it, I owe it to myself, and nobody is going to
deprive me of it.
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.