Message-ID: <alpine.LNX.2.02.1905081051030.29468@i8.fpunygfrxha.qr>
Date: Wed, 8 May 2019 11:19:29 +0200 (CEST)
From: Roman Drahtmueller <draht@...altsekun.de>
To: oss-security@...ts.openwall.com, Seong-Joong Kim <sungjungk@...il.com>
Subject: Re: Re: fprintd: found storing user fingerprints without encryption

>> Dear all,
>>
>> I would like to report a vulnerability of 'fprintd'.
>>
>> 'fprintd' does not encrypt sensitive information before storage.
>> *CWE-311: Missing Encryption of Sensitive Data*
[...]

This misses the point.

* Encryption shifts the problem to protecting the symmetric key, which is
  the very same problem.
  => Encryption solves other problems, but not this one.
* If you have sufficient privileges to access the fingerprint data, then
  you no longer need the data.
* You can't "safeguard" the fingerprint data by applying additional O/S
  controls such as SELinux, AppArmor, etc, you can only add more useful
  privilege transitions and protect against attacks that exploit
  implementation errors.

Google "store fingerprint data ios android", there are suitable solutions.

Mostly: Your fingerprint is not a secret like a password, it is a username.
Since you can't change the fingerprint (biometrics problem), it is not very
useful as a single authentication factor. Either you live with this, or you
combine the fingerprint with a different authentication factor type.

Roman.
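Editor's added illustration of the last point (this is not part of Roman's message and not a file shipped by the fprintd project): a PAM "auth" stack for a login service, first with the fingerprint as the only factor, then with the fingerprint combined with a password. It assumes pam_fprintd.so (the PAM module that ships with fprintd) and pam_unix.so (the standard password module) are installed; the service file this stack belongs to is left unspecified.

```text
# Weak stack: "sufficient" means a successful fingerprint match ends the
# stack with success, so the password line below is never reached and the
# fingerprint is the single authentication factor.
#
#   auth    sufficient  pam_fprintd.so
#   auth    required    pam_unix.so

# Combined stack: "required" on both lines means the fingerprint match AND
# the password check must both succeed before authentication succeeds.
# The fingerprint acts as an identifier, the password as the secret.
auth    required    pam_fprintd.so
auth    required    pam_unix.so
```

With "required", PAM still runs the remaining modules after a failure and only reports the overall result at the end, so a failed fingerprint does not reveal by itself which factor was rejected; swap to "requisite" on the first line if you would rather abort immediately, at the cost of that signal.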