Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <27998620-def5-c1f6-6adc-bcc9da3dd174@bestmx.net>
Date: Sun, 31 Jul 2016 00:45:52 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Biometrics? No, Thanx.

It has become a dangerous fad to talk about biometrics as a replacement 
for the traditional authentication methods. It is often claimed that 
"passwords are losing battle to biometrics"... Despite the futility of 
the claim, I don't even need to dismiss it. There is one simple physical 
fact that renders this entire "battle" completely impossible.

You can not transfer physical objects over a data network!

For a thoughtful reader this statement is enough to abandon the 
biometric "authentication" attempts. But the market is not lead by 
thoughtful people, therefore I reiterate:

A computer can not internalize your fingerprints.

One interesting consequence of this simple fact is described in "Fingers 
vs Fingerprints", another one is that nobody except the fingerprints 
reading machine has actually witness your fingerprints. I generously 
assume that this hypothetical machine is capable of telling fake 
fingerprints and cut-off fingers from legitimate fingers naturally 
connected to a user's body. Just imagine a machine as perfect as your 
imagination allows -- this can not damage my point. My point is that 
this reading machine is the only actor that actually have your 
fingerprints seen. Therefore this machine itself is the source of your 
fingerprints authenticity. Therefore, in order to transfer this critical 
knowledge into your information system, you must authenticate the 
machine itself. An authentication conformation can not be obtained from 
a non-authentic source (I apologize for stating the obvious, but I had 
to mention it, because security experts could read this article, they 
could be confused otherwise).

So, you did not replace the authentication procedure, you merely shifted 
it to the machine. What are the auth means available in the digital 
realm (machine-to-machine)? -- a knowledge claim, again, nothing else. 
Essentially, it is either a password, or an asymmetrical crypto key, 
either way it is a protected piece of information owned by (contained 
in) a client-side machine. This precious possession effectively adds all 
your fingerprint reading machines to the attack surface -- these 
machines now require special protection. To the possibility of faking 
fingerprints we now added a possibility of faking fingerprints reading 
results. Shall I mention that the keys could be leaked by the 
maintenance personnel?

There is, however, an extremely secure and logically consistent way to 
relieve your fingerprint reading machines from their burden. You can 
delegate these keys to your legitimate users. A machine does not keep 
any keys at all -- in this case no amount of sophistry and hacking 
skills would help a random stranger to create a legitimate fingerprints 
image -- you can sell your machines on a free market as DIY kits... To 
further secure this scheme you can make the keys individual for each 
user, this will protect users from attacks created by other legitimate 
users. Of course, the users should generate their own keys on their own. 
And if you want to secure it all even further, you can introduce a 
password-based encryption of the keys.

...wait!.. why do we bother with those fingerprints then?

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.