#1

At the risk of being laughed/flamed into oblivion...

I KNOW the documentation with MS Digital Persona fingerprint reader sez "Don't use for security purposes", BUT if I am using TrueCrypt, and an adequate strong password, then utilize the fingerprint reader in place of the typed password, how secure is my TrueCrypt file?

(I can use EITHER the typed in password or use my finger on the reader.)

Thanks for your time...

Richard

#2

Richard <> (07-02-19 17:57:25):
> At the risk of being laughed/flamed into oblivion...
>
> I KNOW the documentation with MS Digital Persona fingerprint reader
> sez "Don't use for security purposes", BUT if I am using TrueCrypt,
> and an adequate strong password, then utilize the fingerprint reader
> in place of the typed password, how secure is my TrueCrypt file?
>
> (I can use EITHER the typed in password or use my finger on the
> reader.)

Less secure than a protection with a password only. The reason is fairly simple: Now there is not only a single gate to the file, but two.

And how would you implement that? The file is encrypted only once, so both the password _and_ the fingerprint reveal the key to it. Where is it and how is it secured in such a case?

BTW, fingerprints aren't hard to reproduce.

Regards,
E.S.

Ertugrul Soeylemez

#3

Richard <> wrote:
> I KNOW the documentation with MS Digital Persona fingerprint reader sez
> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
> adequate strong password, then utilize the fingerprint reader in place
> of the typed password, how secure is my TrueCrypt file?

Far less secure than with just the password. The fingerprint reader is just a convenience tool that removes the need to type...

Remember, all the fingerprint reader checks is whether something that looks like your fingerprint is visible to the little camera inside. And something that looks like your fingerprint can easily be created by using the sample fingerprints you leave on everything you touch

Juergen Nieveler
--
MCSE: Minesweeper Consultant and Solitaire Expert.

Juergen Nieveler

#4

Juergen Nieveler wrote:
> Richard <> wrote:
>
>> I KNOW the documentation with MS Digital Persona fingerprint reader sez
>> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
>> adequate strong password, then utilize the fingerprint reader in place
>> of the typed password, how secure is my TrueCrypt file?
>
> Far less secure than with just the password. The fingerprint reader is
> just a convenience tool that removes the need to type...
>
> Remember, all the fingerprint reader checks is whether something that
> looks like your fingerprint is visible to the little camera inside. And
> something that looks like your fingerprint can easily be created by
> using the sample fingerprints you leave on everything you touch
>
> Juergen Nieveler

OK, thanks all, but-

I guess my real question is how does whatever the fingerprint reader generates compare to, say, a "properly constructed" 25 character typed password? I'm not DOD or hi-tech research, just a working shmuck that needs to keep an opportunistic, and generally lazy, thief from accessing key personal or transaction information of mine or my clients.

The potential value of the information to a thief would be either A) absolutely unknown, or B) reasonably expected to be limited to the value of personal ID info for unknown number of individuals, or possibly one or more specific individuals, therefore it would seem attack resources would be fairly limited.

My thinking is that if a specific file, or (scenario #2) possibly the entire hard drive is encrypted, AND you need to either utilize internet accessible cracking software to brute force the 25 character password OR the string generated by the reader, OR be smart enough and have the proper equipment and time to find the single fingerprint needed to match, I have a more than reasonable expectation that the info is, realistically, not at risk.

What say you?

Richard

#5

Richard <> (07-02-21 21:48:09):
> I guess my real question is how does whatever the fingerprint reader
> generates compare to, say, a "properly constructed" 25 character typed
> password?

Fingerprints don't even provide near the same level of security. Just as a foretaste: Imagine you put your finger in, and it doesn't open. Better: Imagine a thief does the same, and it does open. Biometric systems are just too unpredictable currently.

> My thinking is that if a specific file, or (scenario #2) possibly the
> entire hard drive is encrypted, AND you need to either utilize
> internet accessible cracking software to brute force the 25 character
> password ...

If the password contains enough entropy (i.e. it's randomly chosen and doesn't have any relation to its owner), a brute-force attack against a 25 character password is totally impractical, even if it contains only digits, in which case you would on average need about 158440439070.14 = 10^25 / (60^2 * 24 * 365.25 * 10^6) / 2 years to break it, if you can check 1000000 passwords per second.

> OR the string generated by the reader, OR be smart enough and have the
> proper equipment and time to find the single fingerprint needed to
> match, I have a more than reasonable expectation that the info is,
> realistically, not at risk.

You're talking about a string, which is generated from the fingerprint, and sent to the authenticator to check against a saved value. I thought about a neural network based scanner, but if it's really that simple, this scheme cannot be secure.

Consider the following: It has to generate exactly the same value for the same finger all the time. If it doesn't, authentication fails. So the granularity of the scanner must be _very_ low. In other words: There aren't many possible strings. I would expect such a system to have an entropy equivalent to that of a password with four or five characters (for real fingers).

Regards,
E.S.

Ertugrul Soeylemez
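
Added example, not part of the thread: the brute-force estimate from post #5, generalised to any alphabet and length, and applied to the "two gates" point from post #2, where either secret unlocks the same key. The 95-symbol alphabet for the reader's string is an assumption; the post only estimates "four or five characters".

```python
import math

# Year length used in the post's formula: 60^2 * 24 * 365.25 seconds.
SECONDS_PER_YEAR = 60**2 * 24 * 365.25


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret drawn uniformly at random from alphabet^length."""
    return length * math.log2(alphabet_size)


def expected_years(alphabet_size: int, length: int,
                   guesses_per_second: int = 10**6) -> float:
    """Average exhaustive-search time: half the keyspace at the given rate."""
    keyspace = alphabet_size ** length
    return keyspace / (SECONDS_PER_YEAR * guesses_per_second) / 2


def weakest_gate(gates: dict, guesses_per_second: int = 10**6):
    """When EITHER secret unlocks the same key, the cheaper one sets the cost."""
    costs = {name: expected_years(a, n, guesses_per_second)
             for name, (a, n) in gates.items()}
    name = min(costs, key=costs.get)
    return name, costs[name]


# Constructed inputs. (alphabet size, length) per gate; the reader entry
# assumes 5 characters over 95 printable ASCII symbols.
GATES = {
    "typed password (25 random digits)": (10, 25),
    "reader string (~5-character password)": (95, 5),
}

if __name__ == "__main__":
    for name, (a, n) in GATES.items():
        print(f"{name}: {entropy_bits(a, n):.1f} bits, "
              f"{expected_years(a, n):.3g} years on average")
    name, years = weakest_gate(GATES)
    hours = years * SECONDS_PER_YEAR / 3600
    print(f"effective protection: {name}, about {hours:.2f} hours")
```

Under these assumptions the volume is only as strong as the reader's string, whatever the length of the typed password.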

#6

Richard <> wrote:
> I guess my real question is how does whatever the fingerprint reader
> generates compare to, say, a "properly constructed" 25 character typed
> password?

Actually, it doesn't. Those devices usually keep a list of your 25-character passwords and unlock this list when presented with something that generates the same hash value as your fingerprint.

> My thinking is that if a specific file, or (scenario #2) possibly the
> entire hard drive is encrypted, AND you need to either utilize
> internet accessible cracking software to brute force the 25 character
> password OR
> the string generated by the reader, OR be smart enough and have the
> proper equipment and time to find the single fingerprint needed to
> match, I have a more than reasonable expectation that the info is,
> realistically, not at risk.

If the data isn't that important to you and you think you can live with the lower security provided by the fingerprint reader (which still is greater than zero, mind you)... however, in that case you could also use a shorter password.

Juergen Nieveler
--
Man who eat many prunes get good run for money.

Juergen Nieveler

#7

Richard <> writes:
>Juergen Nieveler wrote:
>> Richard <> wrote:
>>
>>> I KNOW the documentation with MS Digital Persona fingerprint reader sez
>>> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
>>> adequate strong password, then utilize the fingerprint reader in place
>>> of the typed password, how secure is my TrueCrypt file?
>>
>> Far less secure than with just the password. The fingerprint reader is
>> just a convenience tool that removes the need to type...
>>
>> Remember, all the fingerprint reader checks is whether something that
>> looks like your fingerprint is visible to the little camera inside. And
>> something that looks like your fingerprint can easily be created by
>> using the sample fingerprints you leave on everything you touch
>>
>> Juergen Nieveler

>OK, thanks all, but-

>I guess my real question is how does whatever the fingerprint reader
>generates compare to, say, a "properly constructed" 25 character typed
>password? I'm not DOD or hi-tech research, just a working shmuck that
>needs to keep an opportunistic, and generally lazy, thief from accessing
> key personal or transaction information of mine or my clients.

Very very poorly

>The potential value of the information to a thief would be either A)
>absolutely unknown, or B) reasonably expected to be limited to the value
>of personal ID info for unknown number of individuals, or possibly one
>or more specific individuals, therefore it would seem attack resources
>would be fairly limited.

Assume your files will be targeted by the worst enemy that your clients have.

>My thinking is that if a specific file, or (scenario #2) possibly the
>entire hard drive is encrypted, AND you need to either utilize internet
>accessible cracking software to brute force the 25 character password OR
>the string generated by the reader, OR be smart enough and have the
>proper equipment and time to find the single fingerprint needed to
>match, I have a more than reasonable expectation that the info is,
>realistically, not at risk.

He knows which fingerprint-- yours. He knows when he steals them that your fingerprints are all over the laptop, the computer and anything else in the office or home he steals from. That is trivial.

>What say you?

How much insurance are you willing to buy to compensate your clients when their information gets stolen by their worst enemy, and you are found at fault.

Unruh

#8

On Mon, 19 Feb 2007 17:57:25 -1000, Richard <> wrote:

>At the risk of being laughed/flamed into oblivion...
>
>I KNOW the documentation with MS Digital Persona fingerprint reader sez
>"Don't use for security purposes", BUT if I am using TrueCrypt, and an
>adequate strong password, then utilize the fingerprint reader in place
>of the typed password, how secure is my TrueCrypt file?
>
>(I can use EITHER the typed in password or use my finger on the reader.)
>
>Thanks for your time...

Actually, the main problem with fingerprint readers in my limited experience is the number of read failures. My laptop has a built in reader, but I estimate better than 80% of all reads are a failure. About half of the time, I get locked out of the reader by the intruder detection routine which means more than four failures in a row.

Ken

#9

Ken <> (07-02-22 22:01:19):
> Actually, the main problem with fingerprint readers in my limited
> experience is the number of read failures. My laptop has a built in
> reader, but I estimate better than 80% of all reads are a failure.
> About half of the time, I get locked out of the reader by the intruder
> detection routine which means more than four failures in a row.

The problem here is that current fingerprint readers (for non-commercial purposes) are based on image processing. They have a certain granularity. If it's too fine, then there are too many false positives, whereas if it's not, then security is reduced drastically.

Real fingerprint readers are based on neural networks. They are expensive, and you need to train it for a while with positives _and_ negatives, until it recognizes your fingerprint and only your fingerprint. They have the advantage that they are very secure and produce almost no false positives. But as said, they are expensive and a lot more difficult to use.

Regards,
E.S.

Ertugrul Soeylemez

#10

On 20 Feb 2007 09:42:05 GMT, Juergen Nieveler <> wrote:

>Richard <> wrote:
>
>> I KNOW the documentation with MS Digital Persona fingerprint reader sez
>> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
>> adequate strong password, then utilize the fingerprint reader in place
>> of the typed password, how secure is my TrueCrypt file?
>
>Far less secure than with just the password. The fingerprint reader is
>just a convenience tool that removes the need to type...
>
>Remember, all the fingerprint reader checks is whether something that
>looks like your fingerprint is visible to the little camera inside. And
>something that looks like your fingerprint can easily be created by
>using the sample fingerprints you leave on everything you touch
>
>Juergen Nieveler

I suppose the only real use for it is for some humorous operating system to send the fingerprint up the line to the FBI for the usual control freak tax wasting program that doesn't really work all that well. You could see where there's some potential if it caught on though. Just not for you particularly.

spocko