Biometrics security.

As I understand it, a fingerprint scan file will take up only around 500 bytes, and a retinal scan only 90 or so. This being the case, is it not relatively easy to iterate all the possible byte combinations (for the retinal scan at least), in order to break the security?

krakatoa Asked:
 
chris_calabrese Commented:
That doesn't mean there aren't problems with biometrics.
1) All fingerprint scanners currently on the market are susceptible to spoofing using a very thin latex fingerprint mold placed over a real finger
2) Many biometric implementations send the biometric hash (the 500 byte or 90 byte part) over the network in the clear without any protections against replay, just like a clear-text password.

The ways to deal with these issues are
1) Don't use pure fingerprint, but fingerprint + PIN
2) Make sure your biometric software encrypts _and_signs_ all biometric data as it's transported on the network
0
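Editor's added example, not part of the original thread or any poster's code: the replay problem and the signing remedy from chris_calabrese's comment above, sketched as a challenge-response where the scanner authenticates the template together with a fresh server nonce. Assumptions: an HMAC over a pre-shared per-scanner key stands in for "signs", the names `Verifier` and `scanner_response` are hypothetical, and encryption of the template in transit (e.g. TLS) is left out.

```python
import hashlib
import hmac
import os
import time

SHARED_KEY = os.urandom(32)   # assumption: per-scanner key provisioned out of band
MAX_AGE_SECONDS = 30          # assumption: how long a challenge stays valid


class Verifier:
    """Server side: issues one-time challenges and checks authenticated templates."""

    def __init__(self, key):
        self.key = key
        self.pending = {}  # nonce -> time it was issued

    def challenge(self, now=None):
        nonce = os.urandom(16)  # fixed length, so nonce + template is unambiguous
        self.pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, nonce, template, tag, now=None):
        now = time.time() if now is None else now
        # pop() makes each nonce single-use: a resent message finds nothing here.
        issued = self.pending.pop(nonce, None)
        if issued is None or now - issued > MAX_AGE_SECONDS:
            return False
        expected = hmac.new(self.key, nonce + template, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def scanner_response(key, nonce, template):
    """Scanner side: bind the template to the server's fresh nonce."""
    return hmac.new(key, nonce + template, hashlib.sha256).digest()


def demo():
    template = bytes(range(90))  # constructed 90-byte stand-in for a retinal template
    server = Verifier(SHARED_KEY)
    nonce = server.challenge()
    tag = scanner_response(SHARED_KEY, nonce, template)
    first = server.verify(nonce, template, tag)    # genuine message: accepted
    replay = server.verify(nonce, template, tag)   # same bytes resent: rejected
    nonce2 = server.challenge()
    stale = server.verify(nonce2, template, tag)   # old tag, new challenge: rejected
    return first, replay, stale


if __name__ == "__main__":
    print(demo())
```

Sending the bare template, as in point 2 of the comment, would make the first and second messages indistinguishable to the server; the nonce is what lets it tell them apart.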
 
skyflash_de Commented:

Eh... no.
You will still have to deal with all the delays that the mechanism accepting your input will induce.

You cannot just bruteforce it.

Also, 90 BYTES is not a short password, even if you CAN directly bruteforce it.

1 Byte = 8 Bit
90 byte = 720 bit password.

SSL: uses 128 Bit.
Triple DES: overall key length of 192 bits.
AES: min 256 bit.

That should solve your bruteforce question....

If you explain exactly what kind of biometrics you mean (hardware? software?)
or how you think you can crack it, I can probably give more reasons why it isn't possible that easily.
0
 
skyflash_de Commented:

Yes, he is right of course, biometrics has the same problems that all crypto does.
You need to take the same precautions of course, like signing your stuff.

But biometrics is not really easier to attack by bruteforcing.
0
 
krakatoa (Author) Commented:
I don't think I'd make a case - not yet anyway - for me being able to come up with a crack for these, but I merely was wondering in principle that these two relatively new and much-vaunted security methods would be subject to and fall foul of the same principles in security flaws as all other digitised encryption systems, which is that the limiting factor could be seen not as their pathological underlying robustness, but in the translation of that robustness into 0s and 1s. I mean that digital information seems inherently unable to hold its secret, and even analog systems, such as DNA, eventually yield to decipherment.

I understand that retinal scans are made up from the blood vessel patterns in the retina, which are meant to be unique, much like fingerprints are. But doesn't this uniqueness have a front door weakness, that if you establish a unique identity within a system, rather than trying to forge or guess an existing one, that you have secured yourself a fairly major hack?
0
 
krakatoa (Author) Commented:
As for SSL encryption, isn't it the case that there must be some time when they run out of primes on which to base the keys, and that therefore this will either mean there will be duplicate signatures around, or the system will end when there are no more unique primes left to find?

What further puzzles me a bit about things like SSL 128 bit, is that a computer (disregarding the en- and decryption software side of things for a moment) can only physically hold files on its disks that contain bytes recognised as being in the character set of the machine (ASCII or Unicode let's say) - and since these are finite and must fall well short of all the combinations that *could* be made from the 128 bits, doesn't this cut down the range of 'permutations' that has to be bruteforced?


0
 
chris_calabrese Commented:
Not exactly a front-door weakness, but more of a side-door weakness.

But yes, your concerns are pretty much right on.

Also, biometrics are not the same as crypto. They are more like passwords that you carry around on your finger rather than in your head. That's why you need crypto to secure the network transmissions much the same as with regular passwords.
0
 
chris_calabrese Commented:
> As for SSL encryption, isn't it the case that there must be some time when they run out of
> primes on which to base the keys, and that therefore this will either mean there will be
> duplicate signatures around, or the system will end when there are no more unique
> primes left to find?

The density of primes is roughly the log10 of the length of the largest number you're looking at. So there are on the order of 2^122 primes within the 2^128 space. Since there are only an estimated 2^64 atoms in the universe, there doesn't seem to be any danger of running out of good quality primes.

> What further puzzles me a bit about things like SSL 128 bit, is that a computer (disregarding
> the en- and decryption software side of things for a moment) can only physically hold
> files on its disks that contain bytes recognised as being in the character set of the machine
> (ASCII or Unicode let's say) - and since these are finite and must fall well short of all the
> combinations that *could* be made from the 128 bits, doesn't this cut down the range of
> 'permutations' that has to be bruteforced?

This is simply not so. Computers can hold arbitrary bit patterns on disk.

In practice, crypto keys are often converted into ASCII characters for convenience. But then they're simply represented in more bits. For example, with base-64 encoding, the most popular, each character in the ASCII version represents 6 bits in the original binary, so a 128 bit key would be represented as 22 ASCII characters (vs 16 bytes in the original binary).

Also, you usually don't store just the key itself, but lots of other info about the key such as when it expires, who it was assigned to, a signature from the Certificate Authority, etc., making actual X.509 certificates (the kind used in SSL) several hundred bytes long.
0
 
krakatoa (Author) Commented:
>> ...but more of a side-door weakness ...

:).


No I realise that biometrics are not synonymous with encryption, that is why I home-cooked the part about their underlying 'natural' safety perhaps being more secure than their implementational one. As a layman, I mean by this that once a difficult pattern is translated into binary, it must become more a question of maintaining the security of the algorithm itself rather than any 'secret' inherent or intrinsic security present in the source itself - ?

By extension to this, I am wondering whether the discovery of the algorithm to produce primes, would be as useful in hacking small ones as it would be for large. ;)
0
 
krakatoa (Author) Commented:
I also wanted to just add that it can't be the generation of permutations within the space (2^128) that is the difficult part - can it - since we already 'know' what any specific case will look like - i.e. a series of 1s and 0s.

How do we know that the mechanics of working with 0 and 1 bit patterns follow the same mind-boggling exponent challenges as decimal arithmetic does? Meaning, ok, calculating the next big prime might be difficult when working with the exigencies of base 10, but do we know for sure that this cannot be short-circuited by forgetting decimal and looking for patterns in raw binary?
0
 
chris_calabrese Commented:
Their underlying natural safety is not very safe either, at least for fingerprints and facial recognition. A bit better for retina, since it's a lot more difficult to create an eyeball with the right blood vessel patterns than to create a thin latex mask of someone's fingerprint or face.
0
 
chris_calabrese Commented:
krakatoa, I suggest picking up a copy of Bruce Schneier's book Applied Cryptography.
0
 
krakatoa (Author) Commented:
>> I suggest picking up a copy of Bruce Schneier's book Applied Cryptography.  ...

It's a nice suggestion, and indeed I already have a copy from many years ago. I have even read some of it, but I can't stop myself - for some reason - being more interested in the concepts and profiles of the issues involved, as much if not more than their implementations in practice (I am not asking this question on EE for example, because it is required for my job or what I am doing particularly).

I would be interested though chris_, to learn a bit more from somewhere about any thinking going on of a more experimental nature into underlying pattern algorithms, if you know of any.
0
 
krakatoa (Author) Commented:
:))

I forgot still to say that the main reason I asked this question at all in the first place, was because I was musing over how we humans validate each other, and took a quick ride across these topics, such as they are known to me as a layman. I concluded that the best way of ensuring a person's identity is by them signing a piece of paper in front of your eyes there and then, since, even if the person signing is a good forger, there are fewer forgers around than there are hackers and hackable solutions, since the former relies on art and the latter more brains, which we seem to be able to produce and use more easily. ;) Whereas if you turn up with a forged PIN number or password or biometric, the one overseeing the validation by such means is not judging you by what he can see in front of him, but by humanly unsubstantiatable readings. And whilst a side issue, it also makes me realise that we are inadvertently selectively engineering ourselves by Darwinianly evolving away from reliance on what we see, to what we are told to accept by machines. If evolution theory is true, the day will come when we will be unable to make up our minds about the identity of another person with any degree of certainty, as we will lose the ability through lack of exercise.
0
 
chris_calabrese Commented:
Applied Cryptography has a pretty good write-up on exactly the sort of thing you're talking about.

Some good websites include

http://www.crypto.com/
http://www.rsasecurity.com/rsalabs/node.asp?id=2152
http://online.offshore.com.ai/security/
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html
0
 
skyflash_de Commented:

The easiest way to crack a retinal scan check is probably not to break it mathematically, but to rip out someone's eye and make it look alive in some way.

Sorta like securing your machine with a BIOS password doesn't make sense when I can go in and carry it away...
0
 
krakatoa (Author) Commented:
Some great answers, and some great relish too!

thanks,

krak.
0
 
krakatoa (Author) Commented:
>> Sorta like securing your machine with a BIOS password doesn't make sense when I can go in and carry it away...

until you get it home and find you can't use it of course. ;)
0
 
skyflash_de Commented:

But at home I take apart the whole thing and have all the time of the world to copy everything I want to,
and keep hacking and cracking til I own it all. ;)

Unless someone really used PGPDisk or something, which happens in like 0.00001% of the cases,
and if he used it I can still bruteforce it cause another 99% use weak passwords cause they are lazy.
0