Solved

Biometrics security.

Posted on 2004-08-03
18
506 Views
Last Modified: 2012-05-05
As I understand it, a fingerprint scan file will take up only around 500 bytes, and a retinal scan only 90 or so. This being the case is it not relatively easy to iterate all the possible byre combinations (for the retinal scan at least), in order to break the security?

0
Comment
Question by:krakatoa
  • 8
  • 6
  • 4
18 Comments
 
LVL 1

Assisted Solution

by:skyflash_de
skyflash_de earned 80 total points
ID: 11704539

Eh... no.
You will still have to deal with all the delays that the mechanism accepting your input will induce.

You cannot just bruteforce it.

Also, 90 BYTES is not a short password, even if you CAN directly bruteforce it.

1 Byte = 8 Bit
90 byte = 720 bit password.

SSL: uses 128 Bit.
Triple DES: overall key length of 192 bits.
AES: min 256 bit.

That should  solve your bruteforce question....

If you explain exactly what kind of biometrics you mean (hardware? software?)
or how you think you can crack it, I can probably give more reasons why it isn't possible that easily.
0
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 120 total points
ID: 11704640
That doesn't mean there aren't problems with biometrics.
1) All fingerprint scanners currently on the market are susceptable to spoofing using a very thin latex fingerprint mold placed over a real finger
2) Many biometric implementations send the biometric hash (the 500 byte or 90 byte part) over the network in the clear without any protections against replay, just like a clear-text password.

The ways to deal with these issues are
1) Don't use pure fingerprint, but fingerprint + PIN
2) Make sure your biometric software encrypts _and_signs_ all biometric data as its transported on the network
0
 
LVL 1

Expert Comment

by:skyflash_de
ID: 11704771

Yes, he is right of course, biometrics has the same problems that all crypto does.
You need to take the same precautions of course, like signing your stuff.

But biometrics is not really easier to attack by bruteforcing.
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11707055
I don't think I'd make a case - not yet anyway - for me being abel to come up with a crack for these, but I merely was wondering in principle that these two relatively new and much-vaunted security methods would be subject to and fall foul of the same principles in security flaws as all other digitised encryption systems, which is that the limiting factor could be seen not as their pathological underlying robustness, but in the translation of that robustness into 0s and 1s. I mean that digital information seems inherently unable to hold its secret, and even analog systems, such as DNA, eventually yield to decipherment.

I understand that retinal scans are made up from the blood vessels patterns in the retina, which are meant to be unique, much like fingerprints are. But doesn't this uniqueness have a front door weakness, that if you establish a unique identity within a system, rather than trying to forge or guess an existing one, that you have secured yourself a fairly major hack?
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11707213
As for SSL encryption, isn't it the case that there must be some time when they run out of primes on which to base the keys, and that therefore this will either mean there will be duplicate signatures around, or the system will end when there are no more unique primes left to find?

What further puzzles me a bit about things like SSL 128 bit, is that a computer (disregarding the the en - and decryption software sid of things for a moment) can only physcially hold files on its disks that contain bytes recognised as being in the character set of the machine (ASCII or Unicode lets say) - and since these are finite and must fall well short of all the combinations that *could* me made from the 128 bits, doesn't this cut down the range of 'permutations' that has to be bruteforced?


0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 11707229
Not exactly a front-door weakness, but more of a side-door weakness.

But yes, your concerns are pretty much right on.

Also, biometrics are not the same as crypto. They more like passwords that you carry around on your finger rather than in your head. That's why you need crypto to secure the network transmissions much the same as with regular passwords.
0
 
LVL 14

Assisted Solution

by:chris_calabrese
chris_calabrese earned 120 total points
ID: 11707364
> As for SSL encryption, isn't it the case that there must be some time when they run out of
> primes on which to base the keys, and that therefore this will either mean there will be
> duplicate signatures around, or the system will end when there are no more unique
> primes left to find?

The density of primes is roughly the log10 of the length of the largest number you're looking at. So there are on the order of 2^122 primes within the 2^128 space. Since there are only an estimated 2^64 atoms in the universe, there doesn't seem to be any danger of running out of good quality primes.

> What further puzzles me a bit about things like SSL 128 bit, is that a computer (disregarding
> the the en - and decryption software sid of things for a moment) can only physcially hold
> files on its disks that contain bytes recognised as being in the character set of the machine
> (ASCII or Unicode lets say) - and since these are finite and must fall well short of all the
> combinations that *could* me made from the 128 bits, doesn't this cut down the range of
> 'permutations' that has to be bruteforced?

This is simply not so. Computers can hold arbitrary bit patterns on disk.

In practice, crypto keys are often converted into ASCII characters for convenienience.
But then they're simply represented in more bits.  For example, with base-64 encoding, the most popular, each character in the ASCII version represents 6 bits in the original binary, so a 128 bit key would be represented as 22 ASCII characters (vs 16 bytes in the original binary).

Also, you usually don't store just the key itself, but lots of other info about the key such as when it expires, who it was assigned to, a signature from the Certificate Authority, etc., making actual X.509 certificates (the kind used in SSL) several hundred bytes long.
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11707568
>> ...but more of a side-door weakness ...

:).


No I realise that biometrics are not synonymous with encryption, that is why I home-cooked the part about their underlying 'natural' safety perhaps being more secure than their implementational one. As a layman, I mean by this that once a difficult pattern is translated into binary, it must become more a question of maintaining the security of the algorithm itself rather than any 'secret' inherent or intrinsic security present in the source itself - ?

By extension to this, I am wondering whether the discovery of the algorithm to produce primes, would be as useful in hacking small ones as it would be for large. ;)
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11707685
I also wanted to just add that it can't be the generation of permutations within the space (2^128) that is the difficult part - can it - since we already 'know' what any specific case will look like - ie s series of 1s and 0s.

How do we know that the mechanics of working with 0 and 1 bit patterns follow the same mind-boggling exponent challenges as decimal arithmetic does? Meaning, ok, calcuating the next big prime might be difficult when working with the exigencies of base 10, but do we know for sure that this cannot be short-circuited by forgetting decimal and looking for patterns in raw binary?
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 14

Expert Comment

by:chris_calabrese
ID: 11707711
Their underlying natural safety is not very safe either, at least for fingerprints and facial recognition. A bit better for retena, since it's a lot more difficult to create an eyeball with the right blood vessel patterns than to create a thin latex mask of someone's fingerprint or face.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 11707727
krakatoa, I suggest picking up a copy of Bruce Schneier's book Applied Cryptography.
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11707997
>> I suggest picking up a copy of Bruce Schneier's book Applied Cryptography.  ...

It's a nice suggestion, and indeed I already have a copy from many years ago. I have even read some of it, but I can;t stop myself - for some reason - being more interested in the concepts and profiles of the issues involved, as much if not more than their implementations in practice (I am not asking this question on EE for example, because it is required for my job or what I am doing particularly).

I would be interested though chris_, to learn a bit more from somewhere about any thinking going on of a more experimental nature into underlying pattern algorithms, if you know of any.
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11708117
:))

I forgot still to say that the main reason I asked this question at all in the first place, was because I was musing over how we humans validate each other, and took a quick ride across these topics, such as they are known to me as a layman. I concluded that the best way of ensuring a person's identity is by them signing a piece of paper in front of your eyes there and then, since, even if the person signing is a good forger, there are fewer forgers around than there are hackers and hackable solutions, since the former relies on art and the latter more brains, which we seem to be able to produce and use more easily. ;) Whereas if you turn up with a forged
PIN number or password or biometric, the overseeing the validation by such means is not judging you by what he can see in front of him, but by humanly unsubstantiatable readings. And whilst a side issue, it also makes me realise that we are inadvertently selectively engineering ourselves by Darwinianly evolving away from reliance on what we see, to what we are told to accept by machines. If evolution theory is true, the day will come when we will be unable to make up our minds about the identity of another person with any degree of certainty, as we will lose the ability through lack of exercise.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 11708139
Applied Cryptography has a pretty good write-up on exactly the sort of thing you're talking about.

Some good websites include

http://www.crypto.com/
http://www.rsasecurity.com/rsalabs/node.asp?id=2152
http://online.offshore.com.ai/security/
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html
0
 
LVL 1

Expert Comment

by:skyflash_de
ID: 11709600

The most easy way to crack a retinal scan check is probably not to break it mathematically, but to rip out someones eye and make it look alive in some way.

Sorta like securing your machine with a BIOS password doesnt make sense when I can go in and carry it away...
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11710244
Some great answers, and some great relish too!

thanks,

krak.
0
 
LVL 16

Author Comment

by:krakatoa
ID: 11713511
>> Sorta like securing your machine with a BIOS password doesnt make sense when I can go in and carry it away...

until you get it home and find you cant use it of course. ;)
0
 
LVL 1

Expert Comment

by:skyflash_de
ID: 11713648

But at home I take apart the whole thing and have all the time of the world to copy everything I want to,
and keep hacking and cracking til I own it all. ;)

Unless someone really used PGPDisk or something, which happens in like 0.00001% of the cases,
and if he used it I can still bruteforce it cause another 99% use weak passwords cause they are lazy.
0

Featured Post

Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Adups vulnerability 5 92
yahoo hack question 3 46
.vbs Script Not Running on Windows 10 3 66
SharePoint Online Security 5 45
Every computer eventually fails. When that happens, your valuable data is only as safe as your current backup.
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now