Solved

Biometrics security.

Posted on 2004-08-03
18
505 Views
Last Modified: 2012-05-05
As I understand it, a fingerprint scan file will take up only around 500 bytes, and a retinal scan only 90 or so. This being the case is it not relatively easy to iterate all the possible byre combinations (for the retinal scan at least), in order to break the security?

0
Comment
Question by:krakatoa
  • 8
  • 6
  • 4
18 Comments
 
LVL 1

Assisted Solution

by:skyflash_de
skyflash_de earned 80 total points
Comment Utility

Eh... no.
You will still have to deal with all the delays that the mechanism accepting your input will induce.

You cannot just bruteforce it.

Also, 90 BYTES is not a short password, even if you CAN directly bruteforce it.

1 Byte = 8 Bit
90 byte = 720 bit password.

SSL: uses 128 Bit.
Triple DES: overall key length of 192 bits.
AES: min 256 bit.

That should  solve your bruteforce question....

If you explain exactly what kind of biometrics you mean (hardware? software?)
or how you think you can crack it, I can probably give more reasons why it isn't possible that easily.
0
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 120 total points
Comment Utility
That doesn't mean there aren't problems with biometrics.
1) All fingerprint scanners currently on the market are susceptable to spoofing using a very thin latex fingerprint mold placed over a real finger
2) Many biometric implementations send the biometric hash (the 500 byte or 90 byte part) over the network in the clear without any protections against replay, just like a clear-text password.

The ways to deal with these issues are
1) Don't use pure fingerprint, but fingerprint + PIN
2) Make sure your biometric software encrypts _and_signs_ all biometric data as its transported on the network
0
 
LVL 1

Expert Comment

by:skyflash_de
Comment Utility

Yes, he is right of course, biometrics has the same problems that all crypto does.
You need to take the same precautions of course, like signing your stuff.

But biometrics is not really easier to attack by bruteforcing.
0
 
LVL 16

Author Comment

by:krakatoa
Comment Utility
I don't think I'd make a case - not yet anyway - for me being abel to come up with a crack for these, but I merely was wondering in principle that these two relatively new and much-vaunted security methods would be subject to and fall foul of the same principles in security flaws as all other digitised encryption systems, which is that the limiting factor could be seen not as their pathological underlying robustness, but in the translation of that robustness into 0s and 1s. I mean that digital information seems inherently unable to hold its secret, and even analog systems, such as DNA, eventually yield to decipherment.

I understand that retinal scans are made up from the blood vessels patterns in the retina, which are meant to be unique, much like fingerprints are. But doesn't this uniqueness have a front door weakness, that if you establish a unique identity within a system, rather than trying to forge or guess an existing one, that you have secured yourself a fairly major hack?
0
 
LVL 16

Author Comment

by:krakatoa
Comment Utility
As for SSL encryption, isn't it the case that there must be some time when they run out of primes on which to base the keys, and that therefore this will either mean there will be duplicate signatures around, or the system will end when there are no more unique primes left to find?

What further puzzles me a bit about things like SSL 128 bit, is that a computer (disregarding the the en - and decryption software sid of things for a moment) can only physcially hold files on its disks that contain bytes recognised as being in the character set of the machine (ASCII or Unicode lets say) - and since these are finite and must fall well short of all the combinations that *could* me made from the 128 bits, doesn't this cut down the range of 'permutations' that has to be bruteforced?


0
 
LVL 14

Expert Comment

by:chris_calabrese
Comment Utility
Not exactly a front-door weakness, but more of a side-door weakness.

But yes, your concerns are pretty much right on.

Also, biometrics are not the same as crypto. They more like passwords that you carry around on your finger rather than in your head. That's why you need crypto to secure the network transmissions much the same as with regular passwords.
0
 
LVL 14

Assisted Solution

by:chris_calabrese
chris_calabrese earned 120 total points
Comment Utility
> As for SSL encryption, isn't it the case that there must be some time when they run out of
> primes on which to base the keys, and that therefore this will either mean there will be
> duplicate signatures around, or the system will end when there are no more unique
> primes left to find?

The density of primes is roughly the log10 of the length of the largest number you're looking at. So there are on the order of 2^122 primes within the 2^128 space. Since there are only an estimated 2^64 atoms in the universe, there doesn't seem to be any danger of running out of good quality primes.

> What further puzzles me a bit about things like SSL 128 bit, is that a computer (disregarding
> the the en - and decryption software sid of things for a moment) can only physcially hold
> files on its disks that contain bytes recognised as being in the character set of the machine
> (ASCII or Unicode lets say) - and since these are finite and must fall well short of all the
> combinations that *could* me made from the 128 bits, doesn't this cut down the range of
> 'permutations' that has to be bruteforced?

This is simply not so. Computers can hold arbitrary bit patterns on disk.

In practice, crypto keys are often converted into ASCII characters for convenienience.
But then they're simply represented in more bits.  For example, with base-64 encoding, the most popular, each character in the ASCII version represents 6 bits in the original binary, so a 128 bit key would be represented as 22 ASCII characters (vs 16 bytes in the original binary).

Also, you usually don't store just the key itself, but lots of other info about the key such as when it expires, who it was assigned to, a signature from the Certificate Authority, etc., making actual X.509 certificates (the kind used in SSL) several hundred bytes long.
0
 
LVL 16

Author Comment

by:krakatoa
Comment Utility
>> ...but more of a side-door weakness ...

:).


No I realise that biometrics are not synonymous with encryption, that is why I home-cooked the part about their underlying 'natural' safety perhaps being more secure than their implementational one. As a layman, I mean by this that once a difficult pattern is translated into binary, it must become more a question of maintaining the security of the algorithm itself rather than any 'secret' inherent or intrinsic security present in the source itself - ?

By extension to this, I am wondering whether the discovery of the algorithm to produce primes, would be as useful in hacking small ones as it would be for large. ;)
0
 
LVL 16

Author Comment

by:krakatoa
Comment Utility
I also wanted to just add that it can't be the generation of permutations within the space (2^128) that is the difficult part - can it - since we already 'know' what any specific case will look like - ie s series of 1s and 0s.

How do we know that the mechanics of working with 0 and 1 bit patterns follow the same mind-boggling exponent challenges as decimal arithmetic does? Meaning, ok, calcuating the next big prime might be difficult when working with the exigencies of base 10, but do we know for sure that this cannot be short-circuited by forgetting decimal and looking for patterns in raw binary?
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 14

Expert Comment

by:chris_calabrese
Comment Utility
Their underlying natural safety is not very safe either, at least for fingerprints and facial recognition. A bit better for retena, since it's a lot more difficult to create an eyeball with the right blood vessel patterns than to create a thin latex mask of someone's fingerprint or face.
0
 
LVL 14

Expert Comment

by:chris_calabrese
Comment Utility
krakatoa, I suggest picking up a copy of Bruce Schneier's book Applied Cryptography.
0
 
LVL 16

Author Comment

by:krakatoa
Comment Utility
>> I suggest picking up a copy of Bruce Schneier's book Applied Cryptography.  ...

It's a nice suggestion, and indeed I already have a copy from many years ago. I have even read some of it, but I can;t stop myself - for some reason - being more interested in the concepts and profiles of the issues involved, as much if not more than their implementations in practice (I am not asking this question on EE for example, because it is required for my job or what I am doing particularly).

I would be interested though chris_, to learn a bit more from somewhere about any thinking going on of a more experimental nature into underlying pattern algorithms, if you know of any.
0
 
LVL 16

Author Comment

by:krakatoa
Comment Utility
:))

I forgot still to say that the main reason I asked this question at all in the first place, was because I was musing over how we humans validate each other, and took a quick ride across these topics, such as they are known to me as a layman. I concluded that the best way of ensuring a person's identity is by them signing a piece of paper in front of your eyes there and then, since, even if the person signing is a good forger, there are fewer forgers around than there are hackers and hackable solutions, since the former relies on art and the latter more brains, which we seem to be able to produce and use more easily. ;) Whereas if you turn up with a forged
PIN number or password or biometric, the overseeing the validation by such means is not judging you by what he can see in front of him, but by humanly unsubstantiatable readings. And whilst a side issue, it also makes me realise that we are inadvertently selectively engineering ourselves by Darwinianly evolving away from reliance on what we see, to what we are told to accept by machines. If evolution theory is true, the day will come when we will be unable to make up our minds about the identity of another person with any degree of certainty, as we will lose the ability through lack of exercise.
0
 
LVL 14

Expert Comment

by:chris_calabrese
Comment Utility
Applied Cryptography has a pretty good write-up on exactly the sort of thing you're talking about.

Some good websites include

http://www.crypto.com/
http://www.rsasecurity.com/rsalabs/node.asp?id=2152
http://online.offshore.com.ai/security/
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html
0
 
LVL 1

Expert Comment

by:skyflash_de
Comment Utility

The most easy way to crack a retinal scan check is probably not to break it mathematically, but to rip out someones eye and make it look alive in some way.

Sorta like securing your machine with a BIOS password doesnt make sense when I can go in and carry it away...
0
 
LVL 16

Author Comment

by:krakatoa
Comment Utility
Some great answers, and some great relish too!

thanks,

krak.
0
 
LVL 16

Author Comment

by:krakatoa
Comment Utility
>> Sorta like securing your machine with a BIOS password doesnt make sense when I can go in and carry it away...

until you get it home and find you cant use it of course. ;)
0
 
LVL 1

Expert Comment

by:skyflash_de
Comment Utility

But at home I take apart the whole thing and have all the time of the world to copy everything I want to,
and keep hacking and cracking til I own it all. ;)

Unless someone really used PGPDisk or something, which happens in like 0.00001% of the cases,
and if he used it I can still bruteforce it cause another 99% use weak passwords cause they are lazy.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now