Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAPZbWncGi8L7OkotuHnajwKutYEmPnY8oYc6gwG8yeMY0wPTNA@mail.gmail.com>
Date: Wed, 8 May 2019 20:50:33 +0900
From: Seong-Joong Kim <sungjungk@...il.com>
To: oss-security@...ts.openwall.com, Drahtmueller <draht@...altsekun.de>, 
	Noel Kuntze <noel.kuntze+oss-security@...rmi.consulting>
Subject: Re: Re: fprintd: found storing user fingerprints
 without encryption

I am sorry to say that I am not familiar with this mailing list.

I am not insisting that encryption key should be on the disk or is
encrypted with a static key that is embedded in the binary.
Instead, we can make fprintd to use a TPM, if available.
Otherwise, but even though it is not perfect, it would be better to apply
the fingerprint data protection, such as keyring or access control, rather
than raw fingerprint template.
FYI, Windows Hello might use Next Generation Cryptography (called CNG) to
protect and store user private data and encryption keys.

> I think that this is similar approach with Lenovo Fingerprint Manager,
Microsoft Windows Hello and other products.

Have you read the following papers about fingerprint image reconstruction
technology from standard templates?
[1] R. Cappelli et al., “Fingerprint Image Reconstruction from Standard
Templates”, IEEE Trans. on Pattern Analysis and Machine Intelligence,
vol.29, no.9, pp.1489-1503, 2007.
[2] A. Ross et al., “From template to image: Reconstructing fingerprints
from minutiae points”, IEEE Trans on Pattern Analysis and Machine
Intelligence, vol.29, no.4, pp.544-560, 2007.
[3] R. Cappelli et al., “Can Fingerprints be reconstructed from ISO
Templates?”, IEEE ICARCV 2006.
[4] J. Feng et al., “Fingerprint Reconstruction: From Minutiae to Phase”,
IEEE Trans on Pattern Analysis and Machine Intelligence, vol.33, no.2,
pp.209-223, 2011.
[5] A. Rozsa et al., "Genetic Algorithm Attack on Minutiae-Based
Fingerprint Authentication and Protected Template Fingerprint Systems",
CVPR 2015.

>They presents methods to create sophisticated and natural-looking
fingerprints only from the numerical template data.
>They successfully evaluate this approach against a number of undisclosed
state-of-the-art algorithms and the NIST Fingerprint Image Software.

Lastly, as you mentioned,  it is a stupid idea to use it for various
authentication.
But, it is still working on various authentication/identification system.


> 2019년 5월 8일 (수) 오후 7:24, Noel Kuntze
> <noel.kuntze+oss-security@...rmi.consulting>님이 작성:
>
>> Am 08.05.19 um 12:04 schrieb Seong-Joong Kim:
>> > 2019년 5월 8일 (수) 오후 6:29, Noel Kuntze
>> <noel.kuntze+oss-security@...rmi.consulting>님이 작성:
>> >
>> >     Hello List,
>> >
>> >     Am 08.05.19 um 11:19 schrieb Roman Drahtmueller:
>> >     >>> Dear all,
>> >     >>>
>> >     >>> I would like to report a vulnerability of 'fprintd'.
>> >     >>>
>> >     >>> 'fprintd' does not encrypt sensitive information before storage.
>> >     >>> *CWE-311: Missing Encryption of Sensitive Data*
>> >     >
>> >     > [...]
>> >     >
>> >     > This misses the point.
>> >     >
>> >     > * Encryption shifts the problem to protecting the symmetric key,
>> which
>> >     >   is the very same problem. => Encryption solves other problems,
>> but not
>> >     >   this one.
>> >     > * If you have sufficient privileges to access the fingerprint
>> data,
>> >     >   then you no longer need the data.
>> >     > * You can't "safeguard" the fingerprint data by applying
>> additional O/S
>> >     >   controls such as SELinux, AppArmor, etc, you can only add more
>> useful
>> >     >   privilege transitions and protect against attacks that exploit
>> >     >   implementation errors. Google "store fingerprint data ios
>> android",
>> >     >   there are suitable solutions.
>> >     >
>> >     > Mostly: Your fingerprint is not a secret like a password, it is a
>> username.
>> >     >
>> >     > Since you can't change the fingerprint (biometrics problem), it
>> is not very useful as a single authentication factor. Either you live with
>> this, or you combine the fingerprint with a different authentication factor
>> type.
>> >     >
>> >     > Roman.
>> >
>> >     Another argument: You leave your fingerprint on everything you
>> touch. The glass you drank from at the bar on Saturday evening? That has
>> your fingerprints. Your front door? It has those, too.
>> >     Fingerprints aren't sensitive information. The only entities
>> attributing any sensitivity to them are the following: Court systems where
>> fingerprints are allowed as evidence (although it's stupid because you can
>> easily duplicate fingerprints) and companies/persons using fingerprints for
>> authentication (which for the same reason as previously mentioned is not a
>> good idea).
>> >     And as Roman mentioned already, you can't change your fingerprints
>> easily (Sand paper and acids are your friends, but that's not comfortable
>> at all and compromises your ability to hold things in your hands. So don't
>> to that.).
>> >
>> >     If, for some reason, you still want to "securely" (at least with a
>> higher level of security than plain text) store your fingerprint, you need
>> to use a hardware backed kernel keyring that stores the encryption keys or
>> use a hardware based security solution for storing the fingerprints in the
>> first case. You likely won't find any such solution though that isn't
>> broken already in some regard.
>> >
>> >     Kind regards
>> >
>> >     Noel
>> >
>> >     --
>> >     Noel Kuntze
>> >     IT security consultant
>> >
>> >     GPG Key ID: 0x0739AD6C
>> >     Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>> >
>> > In Microsoft's Windows Hello, fingerprint data is kept locally on
>> user's PC in an encrypted way while Linux does not, even though they are
>> based on same fingerprint reader hardware.
>> > Windows Hello may use Next Generation Cryptography (called CNG) to
>> protect and store user private data and encryption keys.
>> > (see
>> https://support.microsoft.com/en-au/help/4468253/windows-hello-and-privacy-microsoft-privacy
>> )
>> >
>> > Lenovo's Fingerprint Manager Pro also stores user's fingerprints
>> encrypted in its local environment.
>> > In this regard, a flaw was discovered in Lenovo Fingerprint Manager Pro
>> (see CVE-2017-3762).
>> > (see
>> https://thenextweb.com/security/2018/01/26/lenovo-fingerprint-manager-flaw-windows/
>> )
>> >
>> > Moreover, FireEye researchers Tao Wei and Yulong Zhang outlined new
>> ways to attack Android devices to extract user fingerprints at Black Hat
>> USA 2015 (see Fingerprints On Mobile Devices: Abusing and Leaking?).
>> > (see
>> https://www.zdnet.com/article/hackers-can-remotely-steal-fingerprints-from-android-phones/
>> )
>> >
>> >
>> > This vulnerability could allow a process to access the stored
>> fingerprint and then it can be reverted to natural-looking original
>> fingerprint image.
>> > It allows the attacker to impersonate a legitimate
>> authentication/identification by using stolen fingerprints.
>> >
>> > Once fingerprint has been leaked, victims are leaked for the rest of
>> life since it lasts for a life.
>> > Moreover, fingerprints are usually associated with every citizen’s
>> identity and immigration record.
>> > It would be a hazard if the attacker can remotely harvest fingerprints
>> in a large scale.
>> >
>> > What do you think of it?
>> >
>> (I moved your message down because evidently people bottom post here.
>> Don't top post.)
>>
>> Hello,
>>
>> You do realize that every secret that is stored in a way that is readable
>> by software without authentication that is independent of any software
>> running on the host is in fact readable, right?
>> It is irrelevant if you encrypt your "secret" storage with a key that is
>> on the disk or is encrypted with a static key that is embedded in the
>> binary. It's on the same level of security as storing it in plain text
>> regarding attackers that have access to the host on a software level. What
>> Windows Hello does is only any more secure if the key storage is backed by,
>> for example, a TPM that needs to be unlocked first using attestation. The
>> whole problem reverts to securing a host against intrusion via software in
>> this scenario.
>>
>> > This vulnerability could allow a process to access the stored
>> fingerprint and then it can be reverted to natural-looking original
>> fingerprint image.
>>
>> That is only the case if an actual picture is stored. If you only store
>> any detected minutiae, you can't revert to an image. That's because the
>> detection of the minutiae is fuzzy and every measurement is different.
>>
>> > Once fingerprint has been leaked, victims are leaked for the rest of
>> life since it lasts for a life.
>> > Moreover, fingerprints are usually associated with every citizen’s
>> identity and immigration record.
>> > It would be a hazard if the attacker can remotely harvest fingerprints
>> in a large scale.
>> >
>>
>> Yes, exactly like I mentioned. It's a stupid idea to use it for any type
>> of authentication, verification or evidence.
>>
>> Kind regards
>>
>> Noel
>>
>> --
>> Noel Kuntze
>> IT security consultant
>>
>> GPG Key ID: 0x0739AD6C
>> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>>
>>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.