Bernhard Froehlich wrote: > David Irvine wrote: >> Sorry of this mail is a bit off the line and discussed a thousand times. >> 'But' >> >> What's peoples opinions on beating keyloggers and does biometrics help >> at all, i.e if a fingerprint scanner gets logged then is this worse >> cause you cant really change your finger? >> >> Just looking for opinion - if I am not asking the correct type of >> question please ignore this. >> >> David >> > First of all I don't have much experience with biometric scanners, so > I may be off the mark with my guesses... > > As I understand it a fingerprint scanner does not send the fingerprint > itself to the computer but uses the fingerprint to unlock an internal > storage containing a private key (or maybe a password). So you don't > have to contact a surgeon if your machine is compromised, just storing > a new key in the device should suffice. ;) > > Now, I guess most (if not all) biometric scanners used for logon are > recognized by the OS as a smartcard reader, where the fingerprint just > replaces the PIN (which would normally have to be entered using the > cardreader's pinpad). If that's the case the keylogger will not > compromise your login credentials, since usually the keyboard is not > used at all. And even if the logger could snoop the communication > between computer and the device it could only read the OS's challenge > and the device's response (which would be the signed challenge), which > is quite useless unless you can provoke the OS to reuse the challenge. > > So keyloggers should be no problems if the device works like outlined > above. Typically the vector of attack on such a device would be to > steal the device and trying to trick it into unlocking it's storage > without the correct finger being placed on the sensor. Which might be > as easy (this would surely depend on the quality of the sensor) as > placing an adhesive tape with the owner's fingerprint on it on the > sensor... > > But I agree, this is a bit off-topic on this list. ;) > > Hope it helps anyway. > Ted > ;) > Many thanks for replying - your right I am a bit off topic (and I hope I don't need a surgeon for being so ;-) ) but I suppose it is slightly related to the securing of info. I think you are correct in your assumption for some readers. I am thinking along the lines of a public reader i.e. one which anybody can finger swipe to get access to data and therefore the digitised stream may be sent somewhere. I am using the premise that any non encrypted data stream on a PC can be captured.
My thoughts were that if it were possible to have an encrypted (PKI) copy of this stream that only the server could decrypt (if there was a server) or an application could decrypt, can such devices create a secure link between them and a server or application to transmit this, and if so can it be easily compromised (everything can to some degree I suppose). Apart from that what is the most effective way of entering a password to stop keyloggers I have been racking my brain thinking of a defeat for them but can't come up with one yet although I'm sure there is an answer somewhere. I even thought of using the reverse ssh crack from a while back (measuring delay between keypresses) but a key logger could simply timestamp each key. In a distributed network you could use an algorithm of some sort to initiate a bit of code in several computers to calculate pass - but again it can be easily broken (well my thoughts so far). My concern is that I have a p2p app which needs AES / RSA etc. and therefore a pass at some time - can't use a server so kerberos / single pass etc. is a no goer. I have followed this list for onl a very short period but have researched ways to get better security on entering pass - after that we have all sorts of tools in openssl but it's the weak bit of the chain that I am looking to make better, or at least get some good advice for others to also follow. So far 1: A bio reader that stores a pass seems to be quite good (although personalised) 2: A bio reader that can encrypt and secure a link between it and authority mechanism (server or app) would be better - not personalised. 3: A passphrase - well this is the issue - we can make them stronger by running through pbkdf2 etc. but it's the entering that's not right (insecure). Problem software or hardware loggers (think worst case - hardware) can read anything we input to screen mouse or keyboard so 1: Are they easy to detect (NO!) 2: Can they be fooled by cut paste etc. / NO many read clipboard So assuming somebody can SEE everything we type or move the mouse to (images etc.) what can be done ? And that's the question - please tell me if there's a more suitable place to ask this and I will as this list os very very good and I don't want to be the cause of any pollution. Many thanks for your patience. David
begin:vcard fn:David Irvine n:;David Irvine org:Ayrshire Business Consulting Ltd. adr:;;3 Wellington Square ;Ayr;Ayrshire;KA71EN;Scotland email;internet:[EMAIL PROTECTED] tel;cell:+44(0)7977583031 x-mozilla-html:TRUE url:http://www.open-source-consulting.org version:2.1 end:vcard
