Re: biometrics
Dan Geer wrote: In the article they repeat the recommendation that you never use/register the same shared-secret in different domains ... for every environment you are involved with ... you have to choose a different shared-secret. One of the issues of biometrics as a shared-secret password (as opposed to the interface between you and your chipcard) is that you could very quickly run out of different, unique body parts. Compare and contrast, please, with the market's overwhelming desire for single-sign-on (SSO). Put differently, would the actual emergence of an actual SSO signal a market failure by the above analysis? Surely the point about (good) SSO is that you control the domain you share secrets with and that domain then certifies you to other domains - thus avoiding the problem of sharing your secrets across domains. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
SSO (was Re: biometrics)
Dan Geer wrote: In the article they repeat the recommendation that you never use/register the same shared-secret in different domains Compare and contrast, please, with the market's overwhelming desire for single-sign-on (SSO). Put differently, would the actual emergence of an actual SSO signal a market failure by the above analysis? In most SSO schemes, the password is only used to authenticate to a single domain, and (a token attesting to) the fact that the authentication succeeded is passed around to other domains. The authenticating domain is typically akin to the user's home domain (as opposed to the user just logging into some arbitrary domain) so the password isn't widely shared. Most of these schemes are web-based, and users that first surf to a non-home domain are redirected (as transparently as possible) to their local domain for authentication, and something like an authentication ticket is encoded in a cookie or in a return-redirecting URL. M.
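The flow described in the message above, as an added sketch that is not code from the thread: the home domain checks the password and issues a short-lived ticket bound to one relying domain, which verifies it without ever seeing the password. The class names, ticket fields, example domains and the per-domain MAC key are assumptions made for illustration; a deployment could equally use public-key signatures.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HomeDomain:
    """The only party that ever sees the password (hypothetical class)."""

    def __init__(self):
        self._users = {}      # user -> (salt, password hash)
        self._rp_keys = {}    # relying domain -> MAC key shared with that domain only

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _pw_hash(password, salt))

    def register_domain(self, domain: str) -> bytes:
        self._rp_keys[domain] = os.urandom(32)
        return self._rp_keys[domain]

    def login(self, user, password, return_to, now=None, ttl=300):
        """Check the password; return a ticket bound to return_to, or None."""
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        ok = hmac.compare_digest(_pw_hash(password, salt), stored)
        if not ok or return_to not in self._rp_keys:
            return None
        now = time.time() if now is None else now
        claims = {"sub": user, "aud": return_to, "exp": int(now) + ttl,
                  "jti": _b64(os.urandom(12))}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._rp_keys[return_to], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(tag)   # small enough for a cookie or a redirect URL


class RelyingDomain:
    """A non-home domain: it holds a MAC key, never a password (hypothetical class)."""

    def __init__(self, name: str, key: bytes):
        self.name, self._key = name, key
        self._redeemed = set()          # ticket ids already used (replay check)

    def accept(self, ticket, now=None):
        """Return the authenticated user name, or None if the ticket is rejected."""
        now = time.time() if now is None else now
        try:
            body, tag = ticket.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(tag)):
                return None             # forged, altered, or issued for another domain
            claims = json.loads(_unb64(body))
        except (ValueError, AttributeError):
            return None                 # malformed or missing ticket
        if claims.get("aud") != self.name or claims.get("exp", 0) < now:
            return None                 # wrong audience or expired
        if claims.get("jti") in self._redeemed:
            return None                 # replay of a ticket already redeemed
        self._redeemed.add(claims.get("jti"))
        return claims.get("sub")


def demo():
    """Constructed accounts and domains; timestamps are fixed so results are stable."""
    home = HomeDomain()
    home.enroll("alice", "home-domain password")
    shop = RelyingDomain("shop.example", home.register_domain("shop.example"))
    wiki = RelyingDomain("wiki.example", home.register_domain("wiki.example"))
    ticket = home.login("alice", "home-domain password", "shop.example", now=1000)
    stale = home.login("alice", "home-domain password", "shop.example", now=1000)
    return {
        "wrong_password": home.login("alice", "guess", "shop.example", now=1000),
        "shop_accepts": shop.accept(ticket, now=1010),
        "replayed": shop.accept(ticket, now=1020),
        "other_domain": wiki.accept(ticket, now=1010),
        "expired": shop.accept(stale, now=2000),
        "tampered": shop.accept("A" + ticket, now=1010),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} -> {result}")
```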
Re: biometrics
|At 07:59 PM 1/26/2002 -0500, Scott Guthery wrote:
|(A test GSM authentication algorithm, COMP128, was attacked
|but it is not used in any large GSM networks. And it
|was the algorithm not the SIM that was attacked.)
|
|and at Sun, 27 Jan 2002 13:56:13 EST. Greg Rose answered:
|There are two problems with this statement. The first is that while
|COMP128 was a demonstration (not test) algorithm, it turns out
|that well over half of the deployed GSM systems do in fact use it.
|And there is a very interesting paper coming soon to a conference
|but the program hasn't yet been announced, so I can't yet say any
|more, but it attacks the SIM. Ross Anderson and Markus Kuhn and
|their group at Cambridge have done some very impressive work on
|getting secrets out of SIMs and smartcards in general.

The "if you knew what I knew" thing always encourages me to, shall we say, write, but notwithstanding that, Ross and Markus, as much as I admire them, are not exactly scalable as attack tools. Perhaps it is because of my workaday preoccupation with helping the user community spend economically rational amounts of money for economically rational amounts of security, but unless someone is about to can Ross & Markus in a script and put that on IRC for our everlasting global amusement, I'd score Round One for Scott. Best, --dan
Re: biometrics
In the article they repeat the recommendation that you never use/register the same shared-secret in different domains ... for every environment you are involved with ... you have to choose a different shared-secret. One of the issues of biometrics as a shared-secret password (as opposed to the interface between you and your chipcard) is that you could very quickly run out of different, unique body parts. Compare and contrast, please, with the market's overwhelming desire for single-sign-on (SSO). Put differently, would the actual emergence of an actual SSO signal a market failure by the above analysis? --dan
Re: biometrics
On Tue, 29 Jan 2002, Bill Frantz wrote: What would be really nice is to be able to have the same PIN/password for everything. With frequent use, forgetting it would be less of a problem, as would the temptation to write it down. However, such a system would require that the PIN/password be kept secret from the verifier (including possibly untrusted hardware/software used to enter it). You could, I suppose, create an algorithm that takes as inputs your single PIN/password and the name of the entity you're dealing with, and produces a daily use PIN/password for you to use with that entity. It wouldn't help much in the daily use arena -- you'd still have to carry all the daily use PINs around in your head - but in the scenario where you forget one, it could be used to recreate it, and it would be a bit more secure than carrying around the sheet of paper where your 20 PINs are all written down. Bear
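One way to build the algorithm suggested in the message above, as an added sketch that is not code from the thread: the single memorised secret is stretched once, then an HMAC over the entity name yields that entity's daily-use PIN. The function names, the PBKDF2/HMAC construction, the `generation` counter and the entity names are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Constructed parameters for this sketch; none of them come from the thread.
KDF_LABEL = b"per-entity-pin/v1"   # fixed domain-separation salt: nothing extra to remember
KDF_ROUNDS = 200_000               # makes each offline guess at the master secret expensive


def stretch(master_secret: str) -> bytes:
    """Turn the one memorised PIN/password into a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                               KDF_LABEL, KDF_ROUNDS)


def derive_pin(key: bytes, entity: str, digits: int = 4, generation: int = 0) -> str:
    """Recreate the daily-use PIN for one entity.

    generation is bumped when one entity's PIN has leaked, so that PIN can be
    replaced without changing the master secret or any other entity's PIN.
    """
    if not 4 <= digits <= 12:
        raise ValueError("digits must be between 4 and 12")
    # Normalise the name so "Example  Bank " and "example bank" give the same PIN.
    name = " ".join(entity.lower().split())
    if not name:
        raise ValueError("entity name is empty")
    msg = f"{name}\x00{digits}\x00{generation}".encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # 64 bits reduced modulo 10**digits; the resulting bias is negligible.
    value = int.from_bytes(mac[:8], "big") % 10 ** digits
    return f"{value:0{digits}d}"


# Caveat: a verifier that learns one daily PIN can test guesses at the master
# secret offline. The stretching slows each guess, but a short master PIN
# remains searchable, so the memorised secret should be a long passphrase.

if __name__ == "__main__":
    key = stretch("one long memorised passphrase")        # constructed secret
    for entity in ("Example Bank", "Example Video Store"):  # constructed names
        print(entity, derive_pin(key, entity))
    # The bank's PIN leaked: issue a replacement, all other PINs unchanged.
    print("Example Bank (replacement)", derive_pin(key, "Example Bank", generation=1))
```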
Re: biometrics
Bill Frantz writes: What would be really nice is to be able to have the same PIN/password for everything. Do you really mean that? Sure, if I only have to remember one thing it is easier for me. It is also a complete nightmare if it is ever compromised. -- Paul A.S. Ward, Assistant Professor Email: [EMAIL PROTECTED] University of Waterloo [EMAIL PROTECTED] Department of Computer Engineering Tel: +1 (519) 888-4567 ext.3127 Waterloo, Ontario Fax: +1 (519) 885-1208 Canada N2L 3G1 URL: http://shoshin.uwaterloo.ca/~pasward
Re: biometrics (addenda)
note however, with regard to the 80 hardware tokens, or 3 hardware tokens, or 1 hardware token scenario a single or small number of hardware tokens (with each hardware token having an associated public key registered multiple places) then can become a personal choice. The current scenario with shared secret demands that a unique shared secret be used in each unique security domain. In the hardware token scenario the same hardware token can be used with multiple unique security domains w/o exposing the ability to originate fraudulent transactions. The biggest exposure is lost/stolen and effectively denial of service. Since these hardware tokens are many more times harder to compromise than eavesdropping a pin/password, possibly a thousand times harder (which includes the act of physical theft), then potentially the security profile allows such a token to be used in a hundred different security domains (exposure proportional to difficulty of compromise). This doesn't take into account the human operational factors like memory problems with multiple secret values ... and if there are multiple tokens, each with a large number of security domains, remembering which security domain is associated with which token.
Re: biometrics
At 5:13 AM -0800 1/30/02, [EMAIL PROTECTED] wrote: Bill Frantz writes: What would be really nice is to be able to have the same PIN/password for everything. Do you really mean that? Sure, if I only have to remember one thing it is easier for me. It is also a complete nightmare if it is ever compromised. It may be that we gain more from having this data not written down than we lose from the compromise one, compromise all problem. For things like credit/debit/ATM cards, you probably don't increase the risk too much by using the same PIN for all of them. I admit that I use the same password for all those web sites that simply must have a username and password for their own reasons, and not to secure anything of mine. For web sites like Amazon that want to remember a credit card number for you, I generally choose a password that even I can't remember (and paste it into both the entry and verification windows). This means I must set up a new account for every purchase, but that doesn't happen very often. I think Ben is thinking in the right direction when he writes: This is why you need to carry your verifying equipment around with you - a PDA with a decent OS is the way to go, IMO. Let's assume a PDA/smart card with a fingerprint reader for the sake of argument. The device keeps one or more secret keys used to sign challenges, and only signs them if the fingerprint has been recently verified. (Perhaps using the infrared link, you put it near the point of sale computer or your web browsing computer. The computer sends it the challenge and an indication of which public key will be used to verify the authorization. The device shows you your name for the keypair being used, and asks you to press the fingerprint reader to authorize (or click NO to reject authorization).) If we accept Dr. Denning's criterion that the biometric data must be public, anyone who steals this device can, with enough work, fool it into accepting a false finger print.
Even with this weakness, such a device is more secure than the current credit card system. If instead of using biometric identity, we use some kind of pass phrase/PIN, we introduce the risk of shoulder surfing, and brute force attacks against the hash(salt || PIN) stored in the device. It may be easier to just extract the signing keys from the device rather than perform the above attacks. If we can build the device so it resists attacks long enough for the user to notice that it is missing, and notify the verifiers, then the above attacks become less of a problem. Cheers - Bill - Bill Frantz | The principal effect of| Periwinkle -- Consulting (408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave. [EMAIL PROTECTED] | fair use. | Los Gatos, CA 95032, USA
Re: biometrics
Bill Frantz wrote: At 4:06 PM -0800 1/28/02, [EMAIL PROTECTED] wrote: at least part of the fingerprint as a PIN ... isn't the guessing issue and/or false positives it is the forgetting issue (and the non-trivial number of people that write their PIN on the card). Or to state it another way. These cards attempt to use two factor authentication, what you have (the card) and what you know (the PIN). When a user writes the PIN on the card, it becomes one factor authentication. Almost anything that returns it to being two factor security would be an improvement. (Biometrics offers the possibility of 3 factor authentication.) What would be really nice is to be able to have the same PIN/password for everything. With frequent use, forgetting it would be less of a problem, as would the temptation to write it down. However, such a system would require that the PIN/password be kept secret from the verifier (including possibly untrusted hardware/software used to enter it). This is why you need to carry your verifying equipment around with you - a PDA with a decent OS is the way to go, IMO. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: biometrics
At 4:06 PM -0800 1/28/02, [EMAIL PROTECTED] wrote: at least part of the fingerprint as a PIN ... isn't the guessing issue and/or false positives it is the forgetting issue (and the non-trivial number of people that write their PIN on the card). Or to state it another way. These cards attempt to use two factor authentication, what you have (the card) and what you know (the PIN). When a user writes the PIN on the card, it becomes one factor authentication. Almost anything that returns it to being two factor security would be an improvement. (Biometrics offers the possibility of 3 factor authentication.) What would be really nice is to be able to have the same PIN/password for everything. With frequent use, forgetting it would be less of a problem, as would the temptation to write it down. However, such a system would require that the PIN/password be kept secret from the verifier (including possibly untrusted hardware/software used to enter it). Cheers - Bill - Bill Frantz | The principal effect of| Periwinkle -- Consulting (408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave. [EMAIL PROTECTED] | fair use. | Los Gatos, CA 95032, USA
Re: biometrics
in the most recent PC magazine (2/12/2002) on the stands ... there is an article Why Passwords Don't Work (pg. 68) In the article they repeat the recommendation that you never use/register the same shared-secret in different domains ... for every environment you are involved with ... you have to choose a different shared-secret. One of the issues of biometrics as a shared-secret password (as opposed to the interface between you and your chipcard) is that you could very quickly run out of different, unique body parts. there are a large number of different ways of harvesting shared secrets (pin, password, or biometric) ... the issue isn't so much whether or not pin, passwords, or biometrics can be harvested it refers to the business process distinction between shared-secret passwords, pins, or biometrics registered in various databases ... and secret passwords, pins, or biometrics that aren't registered in various databases. [EMAIL PROTECTED] on 1/26/2002 10:47 am wrote: 4 Shared secret? People don't leave a copy of their PIN on every water glass they use. -- sidney
Re: biometrics
On Sat, 26 Jan 2002, [EMAIL PROTECTED] wrote: At 05:46 PM 1/26/02 -0500, P.J. Ponder wrote: . . . . Without thinking about it some more, I don't know whether to place the entire notion of security controls based on biometric telemetry in with _pure_ bullshit like copy protection, watermarking, non-repudiation, tamper proofing, or trusted third parties. Admittedly, there is a lot of bullshit in the idea, I'm just not sure it is pure. If you think about it, it's actually a succinct way of categorizing different ways that someone can authenticate themselves. You seem to imply that the only nonbullshit way to do that is a) something you know. I'd say that's been shown to be a pretty weak authentication method when relied on solely. There isn't anything generally wrong with hardware devices or something that 'one has'. Tokens and the like can be cost effective in many applications. I'm working with some folks right now that are looking at hardware dongle-type things for a particular security application. Little hardware gizmos will probably turn out to be a good fit for what they are doing. Nothing wrong with that. People often use password systems poorly, and many password systems permit poor and sloppy use. Still passwords and passphrases can be used effectively. I think the need for maintaining control over the biometric telemetry equipment makes it suitable for a rather narrow range of applications.
Re: biometrics
P.J. Ponder wrote: Without thinking about it some more, I don't know whether to place the entire notion of security controls based on biometric telemetry in with _pure_ bullshit like copy protection, watermarking, non-repudiation, tamper proofing, or trusted third parties. Admittedly, there is a lot of bullshit in the idea, I'm just not sure it is pure. Why are trusted third parties pure bullshit? Surely there are circumstances where a third party really can be trusted? Or are you talking about the tainted meaning of TTPs (i.e. spooks that hold your private keys)? Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: biometrics
And what happens when I am unable to press my thumb against the reader because it is bandaged; or when my thumb ID fails because it was sliced with a knife. let's say you are replacing pin'ed magstripe card with a chip card needing biometric ... say fingerprint (in place of a PIN) along with chip (in place of magstripe). there are two issues 1) effort to compromise the biometric is still significantly more difficult than a normal 4-digit pin and 2) there seems to be a large population that writes their 4-digit pin number on their card (as well as numerous tricks of capturing the PIN). Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 available now!!! The Kermit Project @ Columbia University includes Telnet, FTP and HTTP http://www.kermit-project.org/ secured with Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. Interfaces with OpenSSH
Re: biometrics
On Sun, 2002-01-27 at 14:07, [EMAIL PROTECTED] wrote: The issue then is that biometric represents a particularly difficult shared-secret that doesn't have to be memorized Shared secret? People don't leave a copy of their PIN on every water glass they use. -- sidney
Re: biometrics
X9.84 biometric standard and some other work means that you could actually record all ten fingers in the card and any one would be acceptable. I believe just plain dirty fingers are much more of a problem than a cut. Simple cut can be read-around ... massive cut affecting the whole finger is problem. unless you are talking about blood contamination if band-aid is involved which would have to be removed. What happens when a person forgets their pin (password) (one of the most common customer call center calls ... and represents a significant percentage of total customer call center costs when pin/password support is involved)? One of the reasons that surprising percentage of cards have PINs written on them (and postits with passwords are found near PCs). What happens when person doesn't have any fingers? You can still support pin-pad in parallel ... assuming that pin-pad is acceptable to people w/o any fingers. Next level gets somewhat more expensive ... having pin-pad, finger reader, and say iris scan (recording all ten fingers and both iris (lots of work that not only are all iris unique, even identical twins ... but left and right in same person are unique, iris is also possible in most blind people), plus finger-length scan. And what happens when I am unable to press my thumb against the reader because it is bandaged; or when my thumb ID fails because it was sliced with a knife.
Fingerprints (was: Re: biometrics)
Last week I had to go to my local INS office to get fingerprinted (part of the green card process is getting your fingerprints OK'ed by the FBI (and also presumably stored for future reference)). The process is computerised, with a low-res scan of all the fingers taken once, and then each finger is individually rolled and scanned on a much higher resolution scanner. The process took about 20-30 minutes; each finger had to be wiped with some cleaning fluid, the glass on top of the scanner also had to be wiped between scans, and a fingerprinting technician had to roll each of my fingers with the right amount of pressure to get a clear image of the fingerprint. Even with immediate feedback on a large screen showing the fingerprint and how good the scan was, some fingers took as many as five tries to get an acceptable fingerprint. Now, this was a special-built device whose only purpose is to scan fingerprints, operated under ideal conditions by a trained technician. Draw your own conclusions about the effectiveness of mass-produced fingerprint scanners that would be integrated in other devices. /ji -- /\ ASCII ribbon | John JI Ioannidis * Secure Systems Research Department \/campaign| AT&T Labs - Research * Florham Park, NJ 07932 * USA /\against | Intellectuals trying to out-intellectual / \ HTML email. | other intellectuals (Fritz the Cat)
Re: biometrics
again, the issue is cost/benefit trade-off. The current implementation of pin/magstripe allows eavesdropping and other techniques to efficiently electronically collect everything needed across a potentially extremely large number of different accounts sufficient to perform multiple fraudulent transactions against each one of them. In the card/biometric example cited the water glass example is a total red herring. the card has to be first stolen in order to perform a fraudulent transaction. The claim is that it is more difficult and expensive to fake a biometric lifted off the card than it is to fake a pin written on the card (aka it is much more likely a fingerprint of interest can be lifted from the stolen card). This is much more of an exploit than the water glass red herring so the counter is how to make it more difficult that a fingerprint lifted from the card could result in a fraudulent transaction. Sidney Markowitz [EMAIL PROTECTED] To: Cryptography Mailing List [EMAIL PROTECTED] Sent by: owner-cryptography@wasabisystems.com cc: Subject: Re: biometrics 01/28/2002 10:47 AM On Sun, 2002-01-27 at 14:07, [EMAIL PROTECTED] wrote: The issue then is that biometric represents a particularly difficult shared-secret that doesn't have to be memorized Shared secret? People don't leave a copy of their PIN on every water glass they use. -- sidney
Re: Fingerprints (was: Re: biometrics)
I believe NIST published something about FBI needing 40 minutia standard for registration in their database. On tv you see these things about lifting partial prints and then sending them off to FBI to try and find who the partial print matches with, aka the FBI better have rather detailed recording of whatever part of the print that happened to be lifted. That is significantly different than trying to repeat scans in the same way, on nearly identical surface, from the same angle, of a full print etc. and approx. match at least a minimum number of points. By comparison, the fbi might need to have higher number of point match based on only a very specific subarea. That would imply that the needed resolution of valid points on the minimum acceptable sized subarea equivalent to typical matching of a full fingerprint. let's say that FBI wants to do acceptable minutia match on a 15 percent finger subarea (pure conjecture on my part, i've never even read anything about minimum resolution needed in partial print search) ... then presumably the (fbi's) total finger resolution (recording) might need to be six times higher than a straight-forward comparison involving always matching a full-finger to the same full-finger recording using essentially the same methodology each time. Even at that, the straight-forward fingerprint match (as opposed to the partial print search problem) is frequently subject to greasy dirty finger problems. [EMAIL PROTECTED] at 1/28/2002 1:46 pm wrote: Last week I had to go to my local INS office to get fingerprinted (part of the green card process is getting your fingerprints OK'ed by the FBI (and also presumably stored for future reference)). The process is computerised, with a low-res scan of all the fingers taken once, and then each finger is individually rolled and scanned on a much higher resolution scanner. 
The process took about 20-30 minutes; each finger had to be wiped with some cleaning fluid, the glass on top of the scanner also had to be wiped between scans, and a fingerprinting technician had to roll each of my fingers with the right amount of pressure to get a clear image of the fingerprint. Even with immediate feedback on a large screen showing the fingerprint and how good the scan was, some fingers took as many as five tries to get an acceptable fingerprint. Now, this was a special-built device whose only purpose is to scan fingerprints, operated under ideal conditions by a trained technician. Draw your own conclusions about the effectiveness of mass-produced fingerprint scanners that would be integrated in other devices. /ji -- /\ ASCII ribbon | John JI Ioannidis * Secure Systems Research Department \/campaign| AT&T Labs - Research * Florham Park, NJ 07932 * USA /\against | Intellectuals trying to out-intellectual / \ HTML email. | other intellectuals (Fritz the Cat)
Re: Fingerprints (was: Re: biometrics)
JI, Keep in mind that this is the _creation_ of the database entry. Yes, you want the data in the database to be as completely accurate as possible. Later, when they only have partial prints, they can perform lookups of partial data using the complete database. I think the same would be true of mass-produced fingerprint scanners. So long as the backend-database has a full, complete data set, a partial read on the verification step can still match. The question is: what would be the rate of false-positive (or false-negative) readings? -derek [EMAIL PROTECTED] writes: Last week I had to go to my local INS office to get fingerprinted (part of the green card process is getting your fingerprints OK'ed by the FBI (and also presumably stored for future reference)). The process is computerised, with a low-res scan of all the fingers taken once, and then each finger is individually rolled and scanned on a much higher resolution scanner. The process took about 20-30 minutes; each finger had to be wiped with some cleaning fluid, the glass on top of the scanner also had to be wiped between scans, and a fingerprinting technician had to roll each of my fingers with the right amount of pressure to get a clear image of the fingerprint. Even with immediate feedback on a large screen showing the fingerprint and how good the scan was, some fingers took as many as five tries to get an acceptable fingerprint. Now, this was a special-built device whose only purpose is to scan fingerprints, operated under ideal conditions by a trained technician. Draw your own conclusions about the effectiveness of mass-produced fingerprint scanners that would be integrated in other devices. /ji -- /\ ASCII ribbon | John JI Ioannidis * Secure Systems Research Department \/campaign| AT&T Labs - Research * Florham Park, NJ 07932 * USA /\against | Intellectuals trying to out-intellectual / \ HTML email. 
| other intellectuals (Fritz the Cat) -- Derek Atkins, Internet and Computer Security Consultant IHTFP Consulting (www.ihtfp.com) [EMAIL PROTECTED]
Re: biometrics
The essential problem I've always seen with biometrics (and one that Dorothy Denning acknowledged in her recent op ed piece without seriously examining) is the question of whether it's as efficient to deploy and manage biometrics safely as it is to deploy and manage some keyed alternative like smart cards or other tokens. Once you start embedding crypto secrets into your biometric reader, you are no longer managing biometrics. You're now managing BOTH biometrics AND a bunch of crypto keys. Why not just save yourself the administrative headache, deploy tokens, and use that crypto key for authentication? I'm sure there are applications where biometrics make sense (ATMs, door security, and other closed systems like that) but I just don't see them working in an open system where your main problem is to associate the endpoint with a person. If you also need to separately authenticate the endpoint, and that's what everyone recommends, then the system costs go up even more. My favorite biometric implementation is the fingerprint as PIN token, which several vendors make. There's the Sony Puppy, a credit card calculator sized token with a USB cord and an embedded public key pair. There are also various PCMCIA readers that (apparently) you can plug in to your laptop to provide a biometric lock. My impression, however, is that these readers provide a PIN-like resistance to attack. Once you've cranked the false rejections down to the point that it's convenient, the false positives are approaching PIN levels (2^13 guesses on average). A nice feature of the fingerprint as PIN tokens is, of course, that the print never leaves the card. You still have to worry about images of fingerprints or rubber fingers, of course. The print is a back-up for physical possession. Rick. [EMAIL PROTECTED] roseville, minnesota Authentication in bookstores http://www.visi.com/crypto/
Re: Fingerprints (was: Re: biometrics)
At 02:46 PM 1/28/2002, [EMAIL PROTECTED] wrote: The process took about 20-30 minutes; Have you been fingerprinted before? Did it take that long in that case? In my own experience, it only takes a few minutes to be fingerprinted on a standard card and, in theory, they should be able to build a database from high-res fingerprint card images. Some small percentage of the population has prints that are unusually hard to read. It might be time consuming to put such a person's prints onto a card. Or perhaps it takes 20 minutes of ablutions and purifications to copy a fingerprint card, so they figure they might as well make the subject wait, too. Rick. [EMAIL PROTECTED] roseville, minnesota Authentication in bookstores http://www.visi.com/crypto/
Re: Fingerprints (was: Re: biometrics)
On Mon, Jan 28, 2002 at 02:54:57PM -0700, [EMAIL PROTECTED] wrote: I believe NIST published something about FBI needing 40 minutia standard for registration in their database. [reasons why the FBI wants so many minutiae deleted] As an example of the real world, a couple years ago I put together a working demo of a smartcard authenticated by a fingerprint (the card then went on to participate in SET). The pre-release fingerprint chip I used would regularly grab about 20 minutiae, more like 10 on a bad scan (dirty finger, poor position, etc). If you set the matching parameters to require all minutiae to match, you'd get a positive (i.e. match all minutiae) on about one in ten scans. And of course the other reason for wanting such good prints is simply that the FBI can demand them. Eric
Re: Fingerprints (was: Re: biometrics)
There is some interesting information at http://www.finger-scan.com/ They make the point that finger scanning differs from finger printing in that what is stored is a set of recognition parameters much smaller than a complete fingerprint image. So there is no need for a lengthy process to acquire an initial image. Presumably this also makes finger scan data proprietary, since each vendor will use a different recognition algorithm. Finger Scan also has a page on accuracy where they debunk other vendors' claims of 0.01% false reject/ 0.001% false accept, but tell you to e-mail them for the real numbers. Arnold Reinhold At 5:07 PM -0600 1/28/02, Rick Smith at Secure Computing wrote: At 02:46 PM 1/28/2002, [EMAIL PROTECTED] wrote: The process took about 20-30 minutes; Have you been fingerprinted before? Did it take that long in that case? In my own experience, it only takes a few minutes to be fingerprinted on a standard card and, in theory, they should be able to build a database from high-res fingerprint card images. Some small percentage of the population has prints that are unusually hard to read. It might be time consuming to put such a person's prints onto a card. Or perhaps it takes 20 minutes of ablutions and purifications to copy a fingerprint card, so they figure they might as well make the subject wait, too. Rick. [EMAIL PROTECTED] roseville, minnesota Authentication in bookstores http://www.visi.com/crypto/
Re: Limitations of limitations on RE/tampering (was: Re: biometrics)
almost all security is cost/benefit trade-off. hardware token chips are somewhat analogous to bank vaults if the bank vault contains enuf value and somebody is motivated enuf ... they will attempt to find some way to extract the value. This can be either by attacking the vault directly ... or by attacking the infrastructure associated with the vault. I don't believe anybody contends that bank vaults are absolutely impregnable.

the following are discussion of upgrading a magstrip payment card (debit, credit, gift, etc) with a chip and requiring (x9.59) digital signed transactions.

http://www.garlic.com/~lynn/aadsm2.htm#straw
http://www.garlic.com/~lynn/aadsm2.htm#strawm1
http://www.garlic.com/~lynn/aadsm2.htm#strawm2
http://www.garlic.com/~lynn/aadsm2.htm#strawm3
http://www.garlic.com/~lynn/aadsm2.htm#strawm4
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo1
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo2
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo3
http://www.garlic.com/~lynn/aepay3.htm#passwords
http://www.garlic.com/~lynn/aepay3.htm#x959risk1
http://www.garlic.com/~lynn/aepay3.htm#x959risk2
http://www.garlic.com/~lynn/aepay3.htm#x959risk3
http://www.garlic.com/~lynn/aepay3.htm#x959risk4

The issue is that the chip is used to do financial transactions ... which have some credit limit characteristics, various types of fraud pattern analysis, capable of reporting card lost/stolen within reasonable period of time, etc. The position is that even w/o PIN /or biometric controlled chip it is still better than today's world where counterfeiting magstripe operation is relatively easy. At least the actual chip card has to be stolen ... as opposed to being able to harvest several hundred thousand credit card account numbers from some webserver and execute large number of fraudulent transactions w/o much additional effort.
With a chip having some form of PIN /or biometric control, then even stealing the card isn't sufficient, the chip actually has to be subverted/compromised. The issue then is
1) the cost of stealing the card,
2) cost of performing the compromise operation
3) can the compromise be performed before the card has been reported lost/stolen,
4) can a compromised chip be actually used before the card has been reported lost/stolen.

Reversing the question, can a chip be added to an existing magstripe card and does the increased effort required to compromise such a chip (compared to compromise/counterfeit magstripe) reduce fraud sufficiently to justify the cost of the chip (and any associated chip acceptor device infrastructure).

misc. card fraud discussion

http://www.garlic.com/~lynn/aadsm6.htm#terror7 [FYI] Did Encryption Empower These Terrorists?
http://www.garlic.com/~lynn/aadsm6.htm#terror14 [FYI] Did Encryption Empower These Terrorists? (addenda to chargebacks)
http://www.garlic.com/~lynn/aadsm7.htm#pcards4 FW: The end of P-Cards?
http://www.garlic.com/~lynn/aadsm7.htm#auth2 Who or what to authenticate? (addenda)
http://www.garlic.com/~lynn/aadsm7.htm#rubberhose Rubber hose attack
http://www.garlic.com/~lynn/aadsm7.htm#rhose4 Rubber hose attack
http://www.garlic.com/~lynn/aadsm7.htm#rhose5 when a fraud is a sale, Re: Rubber hose attack
http://www.garlic.com/~lynn/aadsm9.htm#carnivore Shades of FV's Nathaniel Borenstein: Carnivore's Magic Lantern
http://www.garlic.com/~lynn/aadsm10.htm#risks credit card gift card fraud (from today's comp.risks)
http://www.garlic.com/~lynn/aadsmore.htm#debitfraud Debit card fraud in Canada
http://www.garlic.com/~lynn/aepay6.htm#fraud Online Card Fraud Thirty Times That Offline
http://www.garlic.com/~lynn/aepay6.htm#ccfraud2 out of control credit card fraud
http://www.garlic.com/~lynn/aepay6.htm#ccfraud3 out of control credit card fraud
http://www.garlic.com/~lynn/aepay8.htm#ccfraud Almost Half UK E-Shopper's Fear Card Fraud (CC fraud increased by 50% in 2k)
http://www.garlic.com/~lynn/aepay8.htm#ccfraud2 Statistics for General and Online Card Fraud
http://www.garlic.com/~lynn/aepay8.htm#x959paper Credit Card Fraud and E-Commerce: A Case Study
http://www.garlic.com/~lynn/aepay9.htm#risks credit card gift card fraud (from today's comp.risks)
http://www.garlic.com/~lynn/aepay9.htm#skim High-tech Thieves Snatch Data From ATMs (including PINs)
http://www.garlic.com/~lynn/aepay10.htm#3 High-tech Thieves Snatch Data From ATMs (including PINs)
http://www.garlic.com/~lynn/aepay10.htm#6 credit card gift card fraud (from today's comp.risks)
http://www.garlic.com/~lynn/2001c.html#73 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001f.html#40 Remove the name from credit cards!
http://www.garlic.com/~lynn/2001g.html#38 distributed authentication
http://www.garlic.com/~lynn/2001h.html#67 Would this type of credit card help online shopper to feel more secure?
http://www.garlic.com/~lynn/2001h.html#68 Net banking, is it safe???
http://www.garlic.com/~lynn/2001h.html#75 Net banking, is it safe???
Re: biometrics
On 26 Jan 2002, Perry E. Metzger wrote:

> [EMAIL PROTECTED] [EMAIL PROTECTED] writes:

. . . .

>> C'mon, depending on is-ness is exactly the same cat-and-mouse game as authentication technologies that depend on have-ness and know-ness attributes.
>
> I have no idea what the heck you're talking about there. Perhaps you do, perhaps not.

. . . .

I took 'have-ness' to mean a token, smartcard, i-Button, little gizmo that gens a new number every 60 sec, dongle, whatever; the thread being some physical matter thing like a key. 'Know-ness' I ascribed to passwords, passphrases, things that are known or can be divined from one's internal resources; an epistemological sort of thing.

I have heard people say that security can be based on either a) something that you know, b) something that you have, or c) something that you are; usually I have heard this 'security-divided-into-three-parts' idea in the preamble to a sales pitch for something from either b) or c).

Without thinking about it some more, I don't know whether to place the entire notion of security controls based on biometric telemetry in with _pure_ bullshit like copy protection, watermarking, non-repudiation, tamper proofing, or trusted third parties. Admittedly, there is a lot of bullshit in the idea, I'm just not sure it is pure.
Re: biometrics
At 03:55 PM 1/26/2002 -0500, Perry E. Metzger wrote:

> [EMAIL PROTECTED] [EMAIL PROTECTED] writes:
>
>> Not wanting to have extended contest over this,
>
> I'm afraid I'm not letting it drop.
>
>> but all these absolutes in the comments are just too simplistic. Devices can be made as tamper-resistant as the threat- and value-model required.
>
> No, they can't. That's an engineering hope, not an engineering reality. The hope you're expressing is that well, maybe we can't make it impossible to break this design, but we can make it cost more to break the system than breaking it will bring the bad guy, and we can do that without said tamper-resistance costing us more than we can afford.

I've heard rumor of an effort a while back to layer Thermite into a printed circuit board, so that a machine could self-destruct in case of tampering. I doubt it ever got reviewed by OSHA, however. :)

Carl M. Ellison [EMAIL PROTECTED] http://world.std.com/~cme
PGP: 08FF BA05 599B 49D2 23C6 6FFD 36BA D342
Officer, officer, arrest that man. He's whistling a dirty song.
Re: biometrics
As much as i have my doubts about biometric systems i cannot let the below pass.

On Wed, 23 Jan 2002 21:11:23 +0100 Perry E. Metzger [EMAIL PROTECTED] writes:

> However, as soon as you lose physical control over the device doing the measurements or their communications path biometrics become worse than useless. As one example, they're useless for authenticating over-the-net bank account access -- the device on your desk that your bank helpfully provides to scan your eye might not even be attached when the cracker's software helpfully provides forged information down the line. Liveness tests are not useful if you don't even know if the biometric hardware at the other end is intact. Anything in a user's location is by definition untrustworthy in this sense.

Of course (and i think Dorothy mentioned this too), the measuring device and its connection to the verifying system must be properly protected. In case of the system Perry describes, a secure and fresh (ie fresh session key) link should be set up between the measuring device and the bank, so that eavesdropping _and_ replay/forgery is impossible. Even though most biometric systems may not implement this (i simply don't know), this is not a weakness of biometric systems per se.

[Moderator's note: er, HUH? How does the link being realtime assure that the remote side isn't simply generating iris images and sending them to you? It doesn't. Biometrics are worthless except when the entire system is completely physically secure. --Perry]

Jaap-Henk

--
Jaap-Henk Hoepman | Come sail your ships around me
Dept. of Computer Science | And burn your bridges down
University of Twente | Nick Cave - Ship Song
Email: [EMAIL PROTECTED] === WWW: www.cs.utwente.nl/~hoepman
Phone: +31 53 4893795 === Secr: +31 53 4893770 === Fax: +31 53 4894590
PGP ID: 0xF52E26DD Fingerprint: 1AED DDEB C7F1 DBB3 0556 4732 4217 ABEF
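The exchange above turns on what a fresh, authenticated link does and does not establish. The sketch below is an added example, not code from either participant or from any biometric product: a bank issues a single-use nonce and the desk device returns HMAC-SHA256 over nonce plus sample. The shared device key, the class and function names, the constructed template bytes and the exact-equality comparison (real matchers are fuzzy) are all assumptions.

```python
import hashlib
import hmac
import os

def mac(key, nonce, sample):
    return hmac.new(key, nonce + sample, hashlib.sha256).digest()

class Bank:
    def __init__(self, device_key, enrolled):
        self.device_key = device_key      # key shared with the desk device (assumed)
        self.enrolled = enrolled          # enrolled template, opaque bytes here
        self.outstanding = set()          # nonces issued and not yet used

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, sample, tag):
        if nonce not in self.outstanding:
            return "rejected: stale nonce"
        self.outstanding.discard(nonce)   # each nonce is good for one attempt
        if not hmac.compare_digest(mac(self.device_key, nonce, sample), tag):
            return "rejected: bad MAC"
        # Real matchers are fuzzy; exact equality keeps the sketch short.
        if sample != self.enrolled:
            return "rejected: no match"
        return "accepted"

def run_scenarios():
    key = os.urandom(32)
    template = b"constructed-iris-template"      # constructed sample data
    bank = Bank(key, template)
    results = {}
    # 1. Honest device: live capture, fresh nonce.
    n1 = bank.challenge()
    t1 = mac(key, n1, template)
    results["honest"] = bank.verify(n1, template, t1)
    # 2. Recorded message sent again: the nonce was already consumed.
    results["replay"] = bank.verify(n1, template, t1)
    # 3. Recorded tag attached to a new challenge: the MAC no longer verifies.
    n2 = bank.challenge()
    results["old_tag_new_nonce"] = bank.verify(n2, template, t1)
    # 4. The moderator's case: the endpoint is outside the bank's control,
    #    so whatever holds the device key can MAC stored bits that never
    #    came from a sensor. The bank cannot tell this from case 1.
    n3 = bank.challenge()
    results["stored_bits_at_endpoint"] = bank.verify(n3, template, mac(key, n3, template))
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

Cases 2 and 3 show the freshness property the reply asks for; case 4 shows why the moderator's note still holds: the MAC authenticates the key holder, not the origin of the sample.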
Re: biometrics
Folks, while we argue fine points we drift towards irrelevance

[1] National ID in Development (USA Today)
[2] Computer Security, Biometrics Dominate NIST Agenda (Washington Post)

--dan

[1] National ID in Development
USA Today, 22 January 2002

Federal and state groups are moving to create a national ID card that contains fingerprints or magnetic strips, according to officials at the Justice Department and General Services Administration. According to a recent poll, 54 percent of adults support the creation of a national ID card. The figure is lower than those of polls from two months ago, in which two-thirds of adults supported such a move. A group of state officials, meanwhile, is seeking congressional approval to standardize documents for verifying identity when issuing driver's licenses. Sen. Dick Durbin (D-Ill.) has proposed federal funding for developing driver's license standards, including studies on fingerprints, palm prints, iris scans, face scans, or DNA. Durbin's proposals also allow motor vehicle authorities to access databases from the INS, the Social Security Administration, and unspecified law enforcement agencies. The bill would make the driver's license more reliable, he said. Similarly, the American Association of Motor Vehicle Administrators wants Congress to pass laws to fund a data-sharing network between the license agencies and federal agencies. Privacy advocates believe that the public will eventually come out in opposition of a national ID system.

[2] Computer Security, Biometrics Dominate NIST Agenda
By Brian Krebs, Newsbytes.
WASHINGTON, D.C., U.S.A., 16 Jan 2002, 4:33 PM CST

The events of Sept. 11 and the subsequent anthrax attacks have caused a major shift in priorities for the National Institute of Standards and Technology, prompting the agency to double its efforts to develop new standards for everything from security scanners to biometrics to computer security, the agency's new chief said today.
NIST Director Arden Bement said while many of the projects were begun prior to Sept. 11, the non-regulatory agency's new role in the Bush administration's Homeland Security initiative has added a sense of urgency to the mix.

September 11 really focused our activities and gave them a sense of immediacy, Bement said in a meeting with reporters today. Our primary goal now is to take whatever technologies are available for application and to develop standards and test methods (that will) make them available to the public as quickly as possible.

Bement said NIST is just a few months away from announcing a new biometric standard that will be used to confirm the identity of people seeking U.S. visas or using a visa to enter the United States.

NIST also is working with the Biometric Consortium, which represents hundreds of companies that are developing technologies to identify people by their individual physical characteristics, such as thumbprints, facial recognition technology, iris and retinal scans.

The biometric standards chosen by NIST could allow one or two technologies to gain early adoption and a strong foothold in an increasingly crowded market.

Bement said biometric identifiers are being considered as a prerequisite for entry into government buildings, and the states are pushing ahead on a plan to link an as yet undetermined biometric technology to identity cards and driver's licenses.

NIST also is working to develop more effective security standards for wireless communication networks, and is prepared to assume an even greater role in developing computer security standards for the federal government.

I expect that role will expand significantly, Bement said.

NIST recently released an updated standard for encryption technology that will soon be used to beef up security for a range of electronic transactions, from e-mail to e-commerce to ATM withdrawals.
The agency also is bracing for more responsibility over the computer security standards adopted by the federal civilian agencies.

Rep. Tom Davis, R-Va., chairman of the House Government Reform subcommittee on technology and procurement policy, is drafting legislation to reauthorize the Government Information Security Reform Act, a law passed in November 2000 that requires federal agencies to assess and test the security of their non-classified information systems.

Davis plans to add a provision to the bill that would require NIST to establish minimum technology and security standards that all agencies must follow.

NIST also is crafting new standards to protect the nation's most critical infrastructures, Bement said. The software that monitors and regulates the distribution of juice over the national power grid, for example, is not yet completely integrated.

Grid control is a major issue now ... because a lot of the monitoring of power flows on the grid is done with different types of software and standards, Bement said. There's a fair amount of work necessary to raise the level of security so it can't
Re: biometrics and not so secure hardware
> I must admit that I worry about the ATMs in places like bars. These machines do not seem to have a lot of physical protection.

I gather your concern is well placed. I've read reports of little doozits fitted to bar ATMs that make a copy of your stripe info and keypad input when you use the machine, always removed when the bank guy comes to fill it up. Biometry swiping should be equally possible, since it's just bits to the ATM.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail