Re: biometrics

2002-02-07 Thread Ben Laurie
Dan Geer wrote: In the article they repeat the recommendation that you never use/register the same shared-secret in different domains ... for every environment you are involved with ... you have to choose a different shared-secret. One of the issues of biometrics as a

SSO (was Re: biometrics)

2002-02-07 Thread Marc Branchaud
Dan Geer wrote: In the article they repeat the recommendation that you never use/register the same shared-secret in different domains Compare and contrast, please, with the market's overwhelming desire for single-sign-on (SSO). Put differently, would the actual emergence of an

Re: biometrics

2002-02-06 Thread Dan Geer
|At 07:59 PM 1/26/2002 -0500, Scott Guthery wrote: |(A test GSM authentication algorithm, COMP128, was attacked |but it is not used in any large GSM networks. And it |was the algorithm not the SIM that was attacked.) | |and at Sun, 27 Jan 2002 13:56:13 EST. Greg Rose

Re: biometrics

2002-02-06 Thread Dan Geer
In the article they repeat the recommendation that you never use/register the same shared-secret in different domains ... for every environment you are involved with ... you have to choose a different shared-secret. One of the issues of biometrics as a shared-secret password

Re: biometrics

2002-02-05 Thread bear
On Tue, 29 Jan 2002, Bill Frantz wrote: What would be really nice is to be able to have the same PIN/password for everything. With frequent use, forgetting it would be less of a problem, as would the temptation to write it down. However, such a system would require that the PIN/password be

Re: biometrics

2002-02-01 Thread pasward
Bill Frantz writes: What would be really nice is to be able to have the same PIN/password for everything. Do you really mean that? Sure, if I only have to remember one thing it is easier for me. It is also a complete nightmare if it is ever compromised. --

Re: biometrics (addenda)

2002-02-01 Thread lynn . wheeler
note however, with regard to the 80 hardware tokens, or 3 hardware tokens, or 1 hardware token scenario a single or small number of hardware tokens (with each hardware token having an associated public key registered multiple places) then can become a personal choice. The current scenario

Re: biometrics

2002-02-01 Thread Bill Frantz
At 5:13 AM -0800 1/30/02, [EMAIL PROTECTED] wrote: Bill Frantz writes: What would be really nice is to be able to have the same PIN/password for everything. Do you really mean that? Sure, if I only have to remember one thing it is easier for me. It is also a complete nightmare if it is

Re: biometrics

2002-01-30 Thread Ben Laurie
Bill Frantz wrote: At 4:06 PM -0800 1/28/02, [EMAIL PROTECTED] wrote: at least part of the fingerprint as a PIN ... isn't the guessing issue /or false positives it is the forgetting issue (and the non-trivial number of people that write their PIN on the card). Or to state it another

Re: biometrics

2002-01-29 Thread Bill Frantz
At 4:06 PM -0800 1/28/02, [EMAIL PROTECTED] wrote: at least part of the fingerprint as a PIN ... isn't the guessing issue /or false positives it is the forgetting issue (and the non-trivial number of people that write their PIN on the card). Or to state it another way. These cards attempt

Re: biometrics

2002-01-29 Thread lynn . wheeler
in the most recent PC magazine (2/12/2002) on the stands ... there is an article Why Passwords Don't Work (pg. 68). In the article they repeat the recommendation that you never use/register the same shared-secret in different domains ... for every environment you are involved with ... you have to

Re: biometrics

2002-01-28 Thread P.J. Ponder
On Sat, 26 Jan 2002, [EMAIL PROTECTED] wrote: At 05:46 PM 1/26/02 -0500, P.J. Ponder wrote: . . . . Without thinking about it some more, I don't know whether to place the entire notion of security controls based on biometric telemetry in with _pure_ bullshit like copy protection, watermarking,

Re: biometrics

2002-01-28 Thread Ben Laurie
P.J. Ponder wrote: Without thinking about it some more, I don't know whether to place the entire notion of security controls based on biometric telemetry in with _pure_ bullshit like copy protection, watermarking, non-repudiation, tamper proofing, or trusted third parties. Admittedly, there is

Re: biometrics

2002-01-28 Thread Jeffrey Altman
And what happens when I am unable to press my thumb against the reader because it is bandaged; or when my thumb ID fails because it was sliced with a knife. let's say you are replacing pin'ed magstripe card with a chip card needing biometric ... say fingerprint (in place of a PIN) along

Re: biometrics

2002-01-28 Thread Sidney Markowitz
On Sun, 2002-01-27 at 14:07, [EMAIL PROTECTED] wrote: The issue then is that biometric represents a particularly difficult shared-secret that doesn't have to be memorized Shared secret? People don't leave a copy of their PIN on every water glass they use. -- sidney

Re: biometrics

2002-01-28 Thread lynn . wheeler
X9.84 biometric standard some other work means that you could actually record all ten fingers in the card and any one would be acceptable. I believe just plain dirty fingers are much more of a problem than a cut. Simple cut can be read-around ... massive cut affecting the whole finger is

Fingerprints (was: Re: biometrics)

2002-01-28 Thread ji
Last week I had to go to my local INS office to get fingerprinted (part of the green card process is getting your fingerprints OK'ed by the FBI (and also presumably stored for future reference)). The process is computerised, with a low-res scan of all the fingers taken once, and then each finger

Re: biometrics

2002-01-28 Thread lynn . wheeler

Re: Fingerprints (was: Re: biometrics)

2002-01-28 Thread lynn . wheeler
I believe NIST published something about FBI needing 40 minutia standard for registration in their database. On tv you see these things about lifting partial prints and then sending them off to FBI to try and find who the partial print matches with, aka the FBI better have rather detailed

Re: Fingerprints (was: Re: biometrics)

2002-01-28 Thread Derek Atkins
JI, Keep in mind that this is the _creation_ of the database entry. Yes, you want the data in the database to be as completely accurate as possible. Later, when they only have partial prints, they can perform lookups of partial data using the complete database. I think the same would be

Re: biometrics

2002-01-28 Thread Rick Smith at Secure Computing
The essential problem I've always seen with biometrics (and one that Dorothy Denning acknowledged in her recent op ed piece without seriously examining) is the question of whether it's as efficient to deploy and manage biometrics safely as it is to deploy and manage some keyed alternative

Re: Fingerprints (was: Re: biometrics)

2002-01-28 Thread Rick Smith at Secure Computing
At 02:46 PM 1/28/2002, [EMAIL PROTECTED] wrote: The process took about 20-30 minutes; Have you been fingerprinted before? Did it take that long in that case? In my own experience, it only takes a few minutes to be fingerprinted on a standard card and, in theory, they should be able to build a

Re: Fingerprints (was: Re: biometrics)

2002-01-28 Thread Eric Murray
On Mon, Jan 28, 2002 at 02:54:57PM -0700, [EMAIL PROTECTED] wrote: I believe NIST published something about FBI needing 40 minutia standard for registration in their database. [reasons why the FBI wants so many minutiae deleted] As an example of the real world, a couple years ago I put

Re: Fingerprints (was: Re: biometrics)

2002-01-28 Thread Arnold G. Reinhold
There is some interesting information at http://www.finger-scan.com/ They make the point that finger scanning differs from finger printing in that what is stored is a set of recognition parameters much smaller than a complete fingerprint image. So there is no need for a lengthy process to

Re: Limitations of limitations on RE/tampering (was: Re: biometrics)

2002-01-27 Thread lynn . wheeler
almost all security is cost/benefit trade-off. hardware token chips are somewhat analogous to bank vaults if the bank vault contains enuf value and somebody is motivated enuf ... they will attempt to find some way to extract the value. This can be either by attacking the vault directly ...

Re: biometrics

2002-01-26 Thread P.J. Ponder
On 26 Jan 2002, Perry E. Metzger wrote: [EMAIL PROTECTED] [EMAIL PROTECTED] writes: . . . . C'mon, depending on is-ness is exactly the same cat-and-mouse game as authentication technologies that depend on have-ness and know-ness attributes. I have no idea what the heck you're talking

Re: biometrics

2002-01-26 Thread Carl Ellison
At 03:55 PM 1/26/2002 -0500, Perry E. Metzger wrote: [EMAIL PROTECTED] [EMAIL PROTECTED] writes: Not wanting to have extended contest over this, I'm afraid I'm not letting it drop. but all these absolutes in the comments are just too

Re: biometrics

2002-01-25 Thread Jaap-Henk Hoepman
As much as i have my doubts about biometric systems i cannot let the below pass. On Wed, 23 Jan 2002 21:11:23 +0100 Perry E. Metzger [EMAIL PROTECTED] writes: However, as soon as you lose physical control over the device doing the measurements or their communications path biometrics become

Re: biometrics

2002-01-24 Thread Dan Geer
Folks, while we argue fine points we drift towards irrelevance [1] National ID in Development (USA Today) [2] Computer Security, Biometrics Dominate NIST Agenda (Washington Post) --dan [1] National ID in Development USA Today, 22 January 2002 Federal and state groups are moving to create

Re: biometrics and not so secure hardware

2002-01-24 Thread John R. Levine
I must admit that I worry about the ATMs in places like bars. These machines do not seem to have a lot of physical protection. I gather your concern is well placed. I've read reports of little doozits fitted to bar ATMs that make a copy of your stripe info and keypad input when you use the