Biometrics security.
As I understand it, a fingerprint scan file will take up only around 500 bytes, and a retinal scan only 90 or so. This being the case is it not relatively easy to iterate all the possible byre combinations (for the retinal scan at least), in order to break the security?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I don't think I'd make a case - not yet anyway - for me being abel to come up with a crack for these, but I merely was wondering in principle that these two relatively new and much-vaunted security methods would be subject to and fall foul of the same principles in security flaws as all other digitised encryption systems, which is that the limiting factor could be seen not as their pathological underlying robustness, but in the translation of that robustness into 0s and 1s. I mean that digital information seems inherently unable to hold its secret, and even analog systems, such as DNA, eventually yield to decipherment.
I understand that retinal scans are made up from the blood vessels patterns in the retina, which are meant to be unique, much like fingerprints are. But doesn't this uniqueness have a front door weakness, that if you establish a unique identity within a system, rather than trying to forge or guess an existing one, that you have secured yourself a fairly major hack?
I understand that retinal scans are made up from the blood vessels patterns in the retina, which are meant to be unique, much like fingerprints are. But doesn't this uniqueness have a front door weakness, that if you establish a unique identity within a system, rather than trying to forge or guess an existing one, that you have secured yourself a fairly major hack?
ASKER
As for SSL encryption, isn't it the case that there must be some time when they run out of primes on which to base the keys, and that therefore this will either mean there will be duplicate signatures around, or the system will end when there are no more unique primes left to find?
What further puzzles me a bit about things like SSL 128 bit, is that a computer (disregarding the the en - and decryption software sid of things for a moment) can only physcially hold files on its disks that contain bytes recognised as being in the character set of the machine (ASCII or Unicode lets say) - and since these are finite and must fall well short of all the combinations that *could* me made from the 128 bits, doesn't this cut down the range of 'permutations' that has to be bruteforced?
What further puzzles me a bit about things like SSL 128 bit, is that a computer (disregarding the the en - and decryption software sid of things for a moment) can only physcially hold files on its disks that contain bytes recognised as being in the character set of the machine (ASCII or Unicode lets say) - and since these are finite and must fall well short of all the combinations that *could* me made from the 128 bits, doesn't this cut down the range of 'permutations' that has to be bruteforced?
Not exactly a front-door weakness, but more of a side-door weakness.
But yes, your concerns are pretty much right on.
Also, biometrics are not the same as crypto. They more like passwords that you carry around on your finger rather than in your head. That's why you need crypto to secure the network transmissions much the same as with regular passwords.
But yes, your concerns are pretty much right on.
Also, biometrics are not the same as crypto. They more like passwords that you carry around on your finger rather than in your head. That's why you need crypto to secure the network transmissions much the same as with regular passwords.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
>> ...but more of a side-door weakness ...
:).
No I realise that biometrics are not synonymous with encryption, that is why I home-cooked the part about their underlying 'natural' safety perhaps being more secure than their implementational one. As a layman, I mean by this that once a difficult pattern is translated into binary, it must become more a question of maintaining the security of the algorithm itself rather than any 'secret' inherent or intrinsic security present in the source itself - ?
By extension to this, I am wondering whether the discovery of the algorithm to produce primes, would be as useful in hacking small ones as it would be for large. ;)
:).
No I realise that biometrics are not synonymous with encryption, that is why I home-cooked the part about their underlying 'natural' safety perhaps being more secure than their implementational one. As a layman, I mean by this that once a difficult pattern is translated into binary, it must become more a question of maintaining the security of the algorithm itself rather than any 'secret' inherent or intrinsic security present in the source itself - ?
By extension to this, I am wondering whether the discovery of the algorithm to produce primes, would be as useful in hacking small ones as it would be for large. ;)
ASKER
I also wanted to just add that it can't be the generation of permutations within the space (2^128) that is the difficult part - can it - since we already 'know' what any specific case will look like - ie s series of 1s and 0s.
How do we know that the mechanics of working with 0 and 1 bit patterns follow the same mind-boggling exponent challenges as decimal arithmetic does? Meaning, ok, calcuating the next big prime might be difficult when working with the exigencies of base 10, but do we know for sure that this cannot be short-circuited by forgetting decimal and looking for patterns in raw binary?
How do we know that the mechanics of working with 0 and 1 bit patterns follow the same mind-boggling exponent challenges as decimal arithmetic does? Meaning, ok, calcuating the next big prime might be difficult when working with the exigencies of base 10, but do we know for sure that this cannot be short-circuited by forgetting decimal and looking for patterns in raw binary?
Their underlying natural safety is not very safe either, at least for fingerprints and facial recognition. A bit better for retena, since it's a lot more difficult to create an eyeball with the right blood vessel patterns than to create a thin latex mask of someone's fingerprint or face.
krakatoa, I suggest picking up a copy of Bruce Schneier's book Applied Cryptography.
ASKER
>> I suggest picking up a copy of Bruce Schneier's book Applied Cryptography. ...
It's a nice suggestion, and indeed I already have a copy from many years ago. I have even read some of it, but I can;t stop myself - for some reason - being more interested in the concepts and profiles of the issues involved, as much if not more than their implementations in practice (I am not asking this question on EE for example, because it is required for my job or what I am doing particularly).
I would be interested though chris_, to learn a bit more from somewhere about any thinking going on of a more experimental nature into underlying pattern algorithms, if you know of any.
It's a nice suggestion, and indeed I already have a copy from many years ago. I have even read some of it, but I can;t stop myself - for some reason - being more interested in the concepts and profiles of the issues involved, as much if not more than their implementations in practice (I am not asking this question on EE for example, because it is required for my job or what I am doing particularly).
I would be interested though chris_, to learn a bit more from somewhere about any thinking going on of a more experimental nature into underlying pattern algorithms, if you know of any.
ASKER
:))
I forgot still to say that the main reason I asked this question at all in the first place, was because I was musing over how we humans validate each other, and took a quick ride across these topics, such as they are known to me as a layman. I concluded that the best way of ensuring a person's identity is by them signing a piece of paper in front of your eyes there and then, since, even if the person signing is a good forger, there are fewer forgers around than there are hackers and hackable solutions, since the former relies on art and the latter more brains, which we seem to be able to produce and use more easily. ;) Whereas if you turn up with a forged
PIN number or password or biometric, the overseeing the validation by such means is not judging you by what he can see in front of him, but by humanly unsubstantiatable readings. And whilst a side issue, it also makes me realise that we are inadvertently selectively engineering ourselves by Darwinianly evolving away from reliance on what we see, to what we are told to accept by machines. If evolution theory is true, the day will come when we will be unable to make up our minds about the identity of another person with any degree of certainty, as we will lose the ability through lack of exercise.
I forgot still to say that the main reason I asked this question at all in the first place, was because I was musing over how we humans validate each other, and took a quick ride across these topics, such as they are known to me as a layman. I concluded that the best way of ensuring a person's identity is by them signing a piece of paper in front of your eyes there and then, since, even if the person signing is a good forger, there are fewer forgers around than there are hackers and hackable solutions, since the former relies on art and the latter more brains, which we seem to be able to produce and use more easily. ;) Whereas if you turn up with a forged
PIN number or password or biometric, the overseeing the validation by such means is not judging you by what he can see in front of him, but by humanly unsubstantiatable readings. And whilst a side issue, it also makes me realise that we are inadvertently selectively engineering ourselves by Darwinianly evolving away from reliance on what we see, to what we are told to accept by machines. If evolution theory is true, the day will come when we will be unable to make up our minds about the identity of another person with any degree of certainty, as we will lose the ability through lack of exercise.
Applied Cryptography has a pretty good write-up on exactly the sort of thing you're talking about.
Some good websites include
http://www.crypto.com/
http://www.rsasecurity.com/rsalabs/node.asp?id=2152
http://online.offshore.com.ai/security/
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html
Some good websites include
http://www.crypto.com/
http://www.rsasecurity.com/rsalabs/node.asp?id=2152
http://online.offshore.com.ai/security/
ftp://ftp.csua.berkeley.edu/pub/cypherpunks/Home.html
The most easy way to crack a retinal scan check is probably not to break it mathematically, but to rip out someones eye and make it look alive in some way.
Sorta like securing your machine with a BIOS password doesnt make sense when I can go in and carry it away...
ASKER
Some great answers, and some great relish too!
thanks,
krak.
thanks,
krak.
ASKER
>> Sorta like securing your machine with a BIOS password doesnt make sense when I can go in and carry it away...
until you get it home and find you cant use it of course. ;)
until you get it home and find you cant use it of course. ;)
But at home I take apart the whole thing and have all the time of the world to copy everything I want to,
and keep hacking and cracking til I own it all. ;)
Unless someone really used PGPDisk or something, which happens in like 0.00001% of the cases,
and if he used it I can still bruteforce it cause another 99% use weak passwords cause they are lazy.
Yes, he is right of course, biometrics has the same problems that all crypto does.
You need to take the same precautions of course, like signing your stuff.
But biometrics is not really easier to attack by bruteforcing.