Re: link fest on fingerprint biometrics

2006-09-09 Thread Krister Walfridsson 


On Thu, 7 Sep 2006, Travis H. wrote:


At home I have an excellent page on making fake fingerprints, but I
cannot find it
right now.  It used gelatin (like jello) and was successful at fooling a 
sensor.


I did find this, which reports success with gummi bears:
http://msn.pcworld.com/article/id,116573-page,5/article.html

[...]

If anyone can give me any fingerprint-related links, particularly
about spoofing/breaking
them, I would be grateful.


I have never understood the hype around creating fake fingers; looking
at the technology behind the sensors makes it rather obvious that
it is possible -- in fact, there is a discussion within ISO JTC1/SC37
(the ISO group standardizing biometrics) about evaluating the quality
of images produced by fingerprint scanners by using a synthetic finger 
created following a standardized procedure [1] in order to get 
reproduceable results.


But I agree that it is sounds cute that you can create fake fingers out
of gummy bears...

One IMHO more interesting question is the FAR (False Accept Rate = the
probability that an impostor is accepted) of the algorithm.  (And I
note that some of the gummy finger articles I have read have been done
with algorithms with low enough FAR that the author could have got a match
by inviting ~5 friends to try to match against his finger...  This is
probably a more realistic attack, but it also mean that the fake finger
may work even if it look rather different from the real fingerprint.)

It can be a bit hard to get relevant numbers from vendors, but NIST has
recently done extensive testing using real world data.  The result [2]
gives a detailed picture about the performance of fingerprint systems
(the Minex test was however done using standardized templates; the result
of each vendor is in general much better when using proprietary templates.
See e.g. [3] for an older test using proprietary templates).

The NIST image group web site [4] has more nice stuff, including a rather
good implementation of a fingerprint matcher.  I can also highly recommend
the book [5] in case you are really interested in algorithms for 
fingerprint recognition...


   /Krister


[1] Document 37N0847 and 37N1661 in case you have access to the SC37
document archive.

[2] http://fingerprint.nist.gov/minex04/index.html

[3] http://fpvte.nist.gov/index.html

[4] http://fingerprint.nist.gov/

[5] Handbook of Fingerprint Recognition
Davide Maltoni, Dario Maio, Anil K. Jain, Salil Prabhakar

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Re: Are new passports [an] identity-theft risk?

2004-10-25 Thread Krister Walfridsson 
On Fri, 22 Oct 2004, Perry E. Metzger wrote:
I don't know who *else* has said it, but I've said this repeatedly at
conferences. With phased arrays, you should be able to read RFID tags
at surprising distances, and in spite of attempts to jam such signals
(such as RSA's proposed RFID privacy mechanism).
One thing that I have seen confuse people writing about the
new passports is that RFID may mean different technologies.  So
I'd like to mention that the passports will not use the simple
bar-code kind of RFID tags -- they will use chip cards
communicating over ISO/IEC 14443.
The current technology has big problems with working at a distance
(in fact, the tests done with COTS 14443 readers shows that most
have problems with reading passport-like cards even when placed at
the optimal distance...), but I don't know enough about antenna
technology to be able to guess what can be done by a dedicated
attacker...
   /Krister
PS.  Most of the MRTD (Machine Readable Travel Documents) specifications
are available at http://www.icao.int/mrtd/Home/index.cfm.
PPS. Most people on this list seems to be interested in the US
passport, so you may be interested in that the US department of
state, and department of homeland security, seems to be doing a
pilot of the new passport.  The RFP is available from:
  http://www.statewatch.org/news/2004/jul/us-biometric-passport-original.pdf
with some consolidated Q and A at
  http://www.statewatch.org/news/2004/jul/us-biometric-passport-QandA.pdf
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]