Re: Levels of security according to the easiness to steal biometric data
Hi,

> QUESTION: Does anybody know about the existence of a
> security research in area of grading the easiness to
> steal biometric data.

There are several relevant threats:

* Accidental leaking of the biometric data (colour photos for face, fingerprints on glasses for fingers, public documents for human signature)
* Intentional stealing of biometric data (cellphone cameras, hidden cameras, ...)

> For example, I guess that stealing information of
> someone's "face" is easier than stealing information
> about someone's "fingerprints",

Depends. Stealing fingerprints is easy if you hand the target person a glass of water. With "face" you have to differentiate between the different kinds of faces. Taking colour photos of faces is easy. Taking infrared photos of faces, or taking 3D scans of faces, ... is much harder.

> but stealing information about someone's "retina"
> would be much harder.

Yes, stealing retina is harder. (It's even harder in the normal usage ...)

> Such a scale can be useful in the design of secure
> protocols and secured information systems.

Yes. Choosing the right biometrics for the right application, implementing it correctly and educating/training the users properly can be challenging. But in the end, you can steal any biometric data if you really want to. (Take a look at the film Gattaca to see how this can be done in practice. I didn't notice any technically really unrealistic things in the film Gattaca.)

Another important question is whether you can apply a faked/copied biometric at a certain place. It could be difficult to mount an attack with a full face mask at a guarded entrypoint. But applying fake fingerprints is far less noticeable for guards. (It might be easy to steal the face, but you can't apply it due to all entries being guarded.)

Tamper evidence, tamper protection, tamper proof, tamper resistance ...

As usual, it depends on your threat models, on your environment, on your resources, on your enemies, ...
Best regards,
Philipp Gühring

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Levels of security according to the easiness to steal biometric data
In article <[EMAIL PROTECTED]>, Danilo Gligoroski <[EMAIL PROTECTED]> writes

> For example, I guess that stealing information of
> someone's "face" is easier than stealing information
> about someone's "fingerprints",
> but stealing information about someone's "retina"
> would be much harder.

If you meant "retina" then yes, but if you meant "iris" then no:
http://www.cl.cam.ac.uk/~jgd1000/afghan.html

--
richard

Richard Clayton

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin
Re: Levels of security according to the easiness to steal biometric data
I believe ISC2 (https://www.isc2.org/) did some testing and published their findings. Maybe someone from ISC2 on this list can give you the exact reference to that material.

saqib
http://doctrina.wordpress.com/

On Mon, Mar 31, 2008 at 11:10 AM, Danilo Gligoroski <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Probably you have heard about this:
>
> CCC publishes fingerprints of German Home Secretary
> Date: 31 March 2008
> Source: Heise.de
>
> In a protest against the use of biometric data, the
> Chaos Computer Club (CCC) has taken a step that will
> raise a few eyebrows in the current issue of its
> club magazine Die Datenschleuder, the hackers have
> published the fingerprint of German Home Secretary,
> ...
> Link: http://www.liveleak.com/view?i=b29_1206968252
>
> QUESTION: Does anybody know about the existence of a
> security research in area of grading the easiness to
> steal biometric data.
> For example, I guess that stealing information of
> someone's "face" is easier than stealing information
> about someone's "fingerprints",
> but stealing information about someone's "retina"
> would be much harder.
>
> Such a scale can be useful in the design of secure
> protocols and secured information systems.
>
> Danilo Gligoroski!
Re: how to read information from RFID equipped credit cards
Victor Duchovni <[EMAIL PROTECTED]> writes:

> Lock USB down completely, or block most devices and allow approved ones?
> There is a non-empty set of folks doing the latter, which opens the possibility
> of this type of device being permitted, while others are restricted.

Lock it down completely. What really panicked the mgt. wasn't so much the thought of their data appearing on other organisations' networks but cases where other organisations' data had appeared on *their* network (due to, in some cases, overzealous employees, in another case an outside contractor, and in another someone who wanted to sell them "commercially useful information").

> Data leakage should not be a concern if the device is built/marketed
> correctly.

You want to explain that to management terrified of criminal prosecution? I got the feeling from talking to the IT security guy in the case of the suspected commercial espionage that the management really wanted to pour quick-setting concrete into the USB ports just to be absolutely sure.

Peter.
Privacy as Contextual Integrity - A lecture by Dr. Nissenbaum of NYU
Dr. Helen Nissenbaum of NYU gave an extremely interesting, engaging and stimulating lecture entitled "Privacy in Context" at UC Berkeley:

http://security-basics.blogspot.com/2008/04/fde-privacy-as-contextual-integrity.html (audio recording and lecture notes)
Double Encryption Q
Quick system scenario:

You have packet [A]. It gets encrypted using an AES algo in a particular mode and we are left with [zA]. More data [B] is added to that encrypted packet. Now I have [zA]+[B] in one packet and I re-encrypt it with the same algo/key/mode.

Have I just compromised the security somehow? I wasn't aware of anything but something about this double encryption made something ring in my mind so I wanted to double check...

Many thanks,
Mr Pink
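The scenario asked about above, as an added example that is not part of the original post: it models "encrypt A, append B, re-encrypt the whole packet under the same key" with AES-CTR from Go's standard library and checks what the outer layer does to A. The answer depends on the mode. In CTR (or any mode that only XORs a keystream into the data), reusing the same key and counter block for both passes makes the two keystreams cancel over the first len(A) bytes, so A ends up in the clear and B carries only a single layer; using a fresh counter block for the outer pass avoids that cancellation. The key, counter blocks and packet contents are constructed sample values, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ctrApply runs AES-CTR over data under key and counter block iv.
// CTR only XORs a keystream into the data, so the same call both
// encrypts and decrypts.
func ctrApply(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// DoubleEncryptCTR models the scenario from the post: A is encrypted
// to zA, B is appended, and the whole packet zA||B is encrypted again
// under the same key. ivFirst is the counter block for the inner
// layer, ivSecond the counter block for the outer layer.
func DoubleEncryptCTR(key, ivFirst, ivSecond, a, b []byte) []byte {
	zA := ctrApply(key, ivFirst, a)
	packet := append(append([]byte{}, zA...), b...)
	return ctrApply(key, ivSecond, packet)
}

// ExposesA reports whether the first len(a) bytes of the final packet
// equal the original plaintext A, i.e. whether the two keystream
// layers cancelled each other out.
func ExposesA(final, a []byte) bool {
	return len(final) >= len(a) && bytes.Equal(final[:len(a)], a)
}

func main() {
	key := []byte("0123456789abcdef")      // constructed 128-bit key
	ivReused := []byte("fedcba9876543210") // constructed 16-byte counter block
	ivFresh := []byte("0000000000000001")  // a different counter block
	a := []byte("packet A payload")        // constructed sample A (16 bytes)
	b := []byte("appended B")              // constructed sample B

	same := DoubleEncryptCTR(key, ivReused, ivReused, a, b)
	fresh := DoubleEncryptCTR(key, ivReused, ivFresh, a, b)
	fmt.Printf("same key and counter block twice: A in clear = %v\n", ExposesA(same, a))
	fmt.Printf("fresh counter block for outer layer: A in clear = %v\n", ExposesA(fresh, a))
}
```

The check is only about the XOR cancellation; it says nothing about integrity, since neither layer here is authenticated. The practical takeaway for the design in the question is that a second pass with the same key, mode and nonce is not "more encryption" and can be strictly worse, whereas a fresh nonce per pass at least keeps the layers independent.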
Pi, randomness, entropy, unpredictability
I've been working on the "randomness and unpredictability" this morning instead of doing my taxes, and found these links:

http://crd.lbl.gov/~dhbailey/pi/
http://pisearch.lbl.gov/

The section on randomness, entropy, etc. is here:
http://www.subspacefield.org/security/security_concepts.html#tth_sEc20

The formatting on the PDF is better:
http://www.subspacefield.org/security/security_concepts.pdf

Currently the section begins on page 72. Please tell me what you think.

--
Crypto ergo sum. https://www.subspacefield.org/~travis/
My password is easy to remember; it's the digits of Pi. All of them.
If you are a spammer, please email [EMAIL PROTECTED] to get blacklisted.
Still locked up Shannon crypto work?
"Consider Shannon. He didn’t do just information theory. Several years before, he did some other good things and some which are still locked up in the security of cryptography."

Shannon's crypto work that is "still [1986] locked up"?

This was said (*) by Richard W. Hamming on March 7, 1986. Hamming, who died when he was almost 83 years old in 1998, was then a Professor at the Naval Postgraduate School in Monterey, California. He was also a retired Bell Labs scientist.

Does anyone know about this or what it could be? Or if Hamming was incorrect?

(*) http://magic.aladdin.cs.cmu.edu/wp-uploads/hamming.pdf (BTW, this was a great talk!)

Cheers,
Ed Gerck
2factor
Anyone know anything about a company called 2factor (2factor.com)? They're pushing a system based on symmetric cryptography with, it appears, some kind of trusted authority. "Factor of 100 faster than SSL". "More secure, because it authenticates every message." No real technical data I can find on the site, and I've never seen a site with so little information about who's involved. (Typically, you at least get a list of the top execs.)

Some ex-spooks? Pure snake oil? Somewhere in between?

-- Jerry