fingerprint readers

Discussion in 'Computer Security' started by Richard, Feb 20, 2007.

  1. Richard

    Richard Guest

    At the risk of being laughed/flamed into oblivion...

    I KNOW the documentation with MS Digital Persona fingerprint reader sez
    "Don't use for security purposes", BUT if I am using TrueCrypt, and an
    adequate strong password, then utilize the fingerprint reader in place
    of the typed password, how secure is my TrueCrypt file?

    (I can use EITHER the typed in password or use my finger on the reader.)

    Thanks for your time...
    Richard, Feb 20, 2007
    #1

  2. Richard <> (07-02-19 17:57:25):

    > At the risk of being laughed/flamed into oblivion...
    >
    > I KNOW the documentation with MS Digital Persona fingerprint reader
    > sez "Don't use for security purposes", BUT if I am using TrueCrypt,
    > and an adequate strong password, then utilize the fingerprint reader
    > in place of the typed password, how secure is my TrueCrypt file?
    >
    > (I can use EITHER the typed in password or use my finger on the
    > reader.)


    Less secure than a protection with a password only. The reason is
    fairly simple: Now there is not only a single gate to the file, but
    two. And how would you implement that? The file is encrypted only
    once, so both the password _and_ the fingerprint reveal the key to it.
    Where is it and how is it secured in such a case?

    BTW, fingerprints aren't hard to reproduce.


    Regards,
    E.S.
    Ertugrul Soeylemez, Feb 20, 2007
    #2

  3. Richard <> wrote:

    > I KNOW the documentation with MS Digital Persona fingerprint reader sez
    > "Don't use for security purposes", BUT if I am using TrueCrypt, and an
    > adequate strong password, then utilize the fingerprint reader in place
    > of the typed password, how secure is my TrueCrypt file?


    Far less secure than with just the password. The fingerprint reader is
    just a convenience tool that removes the need to type...

    Remember, all the fingerprint reader checks is whether something that
    looks like your fingerprint is visible to the little camera inside. And
    something that looks like your fingerprint can easily be created by
    using the sample fingerprints you leave on everything you touch :)

    Juergen Nieveler
    --
    MCSE: Minesweeper Consultant and Solitaire Expert.
    Juergen Nieveler, Feb 20, 2007
    #3
  4. Richard

    Richard Guest

    Juergen Nieveler wrote:
    > Richard <> wrote:
    >
    >> I KNOW the documentation with MS Digital Persona fingerprint reader sez
    >> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
    >> adequate strong password, then utilize the fingerprint reader in place
    >> of the typed password, how secure is my TrueCrypt file?

    >
    > Far less secure than with just the password. The fingerprint reader is
    > just a convenience tool that removes the need to type...
    >
    > Remember, all the fingerprint reader checks is whether something that
    > looks like your fingerprint is visible to the little camera inside. And
    > something that looks like your fingerprint can easily be created by
    > using the sample fingerprints you leave on everything you touch :)
    >
    > Juergen Nieveler


    OK, thanks all, but-

    I guess my real question is how does whatever the fingerprint reader
    generates compare to, say, a "properly constructed" 25 character typed
    password? I'm not DOD or hi-tech research, just a working shmuck that
    needs to keep an opportunistic, and generally lazy, thief from accessing
    key personal or transaction information of mine or my clients.

    The potential value of the information to a thief would be either A)
    absolutely unknown, or B) reasonably expected to be limited to the value
    of personal ID info for unknown number of individuals, or possibly one
    or more specific individuals, therefore it would seem attack resources
    would be fairly limited.

    My thinking is that if a specific file, or (scenario #2) possibly the
    entire hard drive is encrypted, AND you need to either utilize internet
    accessible cracking software to brute force the 25 character password OR
    the string generated by the reader, OR be smart enough and have the
    proper equipment and time to find the single fingerprint needed to
    match, I have a more than reasonable expectation that the info is,
    realistically, not at risk.


    What say you?
    Richard, Feb 22, 2007
    #4
  5. Richard <> (07-02-21 21:48:09):

    > I guess my real question is how does whatever the fingerprint reader
    > generates compare to, say, a "properly constructed" 25 character typed
    > password?


    Fingerprints don't even provide near the same level of security. Just
    as a foretaste: Imagine you put your finger in, and it doesn't open.
    Better: Imagine a thief does the same, and it does open. Biometric
    systems are just too unpredictable currently.


    > My thinking is that if a specific file, or (scenario #2) possibly the
    > entire hard drive is encrypted, AND you need to either utilize
    > internet accessible cracking software to brute force the 25 character
    > password ...


    If the password contains enough entropy (i.e. it's randomly chosen and
    doesn't have any relation to its owner), a brute-force attack against a
    25 character password is totally impractical, even if it contains only
    digits, in which case you would on average need about

    158440439070.14 = 10^25 / (60^2 * 24 * 365.25 * 10^6) / 2

    years to break it, if you can check 1000000 passwords per second.


    > OR the string generated by the reader, OR be smart enough and have the
    > proper equipment and time to find the single fingerprint needed to
    > match, I have a more than reasonable expectation that the info is,
    > realistically, not at risk.


    You're talking about a string, which is generated from the fingerprint,
    and sent to the authenticator to check against a saved value. I thought
    about a neural network based scanner, but if it's really that simple,
    this scheme cannot be secure.

    Consider the following: It has to generate exactly the same value for
    the same finger all the time. If it doesn't, authentication fails. So
    the granularity of the scanner must be _very_ low. In other words:
    There aren't many possible strings. I would expect such a system to
    have an entropy equivalent to that of a password with four or five
    characters (for real fingers).


    Regards,
    E.S.
    Ertugrul Soeylemez, Feb 22, 2007
    #5
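
Added example, not part of any post in the thread: it reproduces the brute-force figure from post #5 and models the "two gates" arrangement from post #2, where one volume key is wrapped separately under the password and under the reader's string. The XOR key slot, the 95-symbol alphabet for the reader string, and the sample secrets are assumptions made for illustration, not TrueCrypt's or DigitalPersona's actual formats.

```python
import hashlib
import math
import secrets

SECONDS_PER_YEAR = 60**2 * 24 * 365.25  # same year length as the post's formula


def avg_bruteforce_seconds(alphabet, length, guesses_per_sec):
    """Average time to hit a uniformly random secret: half the keyspace."""
    return alphabet**length / guesses_per_sec / 2


def entropy_bits(alphabet, length):
    return length * math.log2(alphabet)


def _kek(secret, salt):
    # Key-encryption key derived from whatever the user presents.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)


def wrap(volume_key, secret):
    """Toy key slot (salt, volume_key XOR KDF(secret)); illustration only."""
    salt = secrets.token_bytes(16)
    return salt, bytes(a ^ b for a, b in zip(volume_key, _kek(secret, salt)))


def unwrap(slot, secret):
    salt, blob = slot
    return bytes(a ^ b for a, b in zip(blob, _kek(secret, salt)))


def weakest_path(paths, guesses_per_sec):
    """paths maps name -> (alphabet, length); returns the cheapest unlock path."""
    costs = {n: avg_bruteforce_seconds(a, l, guesses_per_sec)
             for n, (a, l) in paths.items()}
    name = min(costs, key=costs.get)
    return name, costs[name]


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    password = b"4815162342481516234248151"  # constructed 25-digit password
    reader = b"k7Q2x"  # constructed stand-in for the reader's 5-character string
    slots = {"password": wrap(key, password), "reader": wrap(key, reader)}
    # Either secret opens its own slot and yields the same volume key.
    assert unwrap(slots["password"], password) == unwrap(slots["reader"], reader) == key
    years = avg_bruteforce_seconds(10, 25, 10**6) / SECONDS_PER_YEAR
    print(f"25 digits: {entropy_bits(10, 25):.1f} bits, {years:.2f} years on average")
    print(weakest_path({"password": (10, 25), "reader": (95, 5)}, 10**6))
```

With an either/or unlock, the cost of reaching the volume key is set by the cheaper of the two slots, so the length of the typed password stops mattering once the reader slot exists.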
  6. Richard <> wrote:

    > I guess my real question is how does whatever the fingerprint reader
    > generates compare to, say, a "properly constructed" 25 character typed
    > password?


    Actually, it doesn't. Those devices usually keep a list of your 25-
    character passwords and unlock this list when presented with something
    that generates the same hash value as your fingerprint.

    > My thinking is that if a specific file, or (scenario #2) possibly the
    > entire hard drive is encrypted, AND you need to either utilize
    > internet accessible cracking software to brute force the 25 character
    > password OR
    > the string generated by the reader, OR be smart enough and have the
    > proper equipment and time to find the single fingerprint needed to
    > match, I have a more than reasonable expectation that the info is,
    > realistically, not at risk.


    If the data isn't that important to you and you think you can live with
    the lower security provided by the fingerprint reader (which still is
    greater than zero, mind you)... however, in that case you could also
    use a shorter password.

    Juergen Nieveler
    --
    Man who eat many prunes get good run for money.
    Juergen Nieveler, Feb 22, 2007
    #6
  7. Richard

    Unruh Guest

    Richard <> writes:

    >Juergen Nieveler wrote:
    >> Richard <> wrote:
    >>
    >>> I KNOW the documentation with MS Digital Persona fingerprint reader sez
    >>> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
    >>> adequate strong password, then utilize the fingerprint reader in place
    >>> of the typed password, how secure is my TrueCrypt file?

    >>
    >> Far less secure than with just the password. The fingerprint reader is
    >> just a convenience tool that removes the need to type...
    >>
    >> Remember, all the fingerprint reader checks is whether something that
    >> looks like your fingerprint is visible to the little camera inside. And
    >> something that looks like your fingerprint can easily be created by
    >> using the sample fingerprints you leave on everything you touch :)
    >>
    >> Juergen Nieveler


    >OK, thanks all, but-


    >I guess my real question is how does whatever the fingerprint reader
    >generates compare to, say, a "properly constructed" 25 character typed
    >password? I'm not DOD or hi-tech research, just a working shmuck that
    >needs to keep an opportunistic, and generally lazy, thief from accessing
    > key personal or transaction information of mine or my clients.


    Very very poorly


    >The potential value of the information to a thief would be either A)
    >absolutely unknown, or B) reasonably expected to be limited to the value
    >of personal ID info for unknown number of individuals, or possibly one
    >or more specific individuals, therefore it would seem attack resources
    >would be fairly limited.


    Assume your files will be targeted by the worst enemy that your clients
    have.


    >My thinking is that if a specific file, or (scenario #2) possibly the
    >entire hard drive is encrypted, AND you need to either utilize internet
    >accessible cracking software to brute force the 25 character password OR
    >the string generated by the reader, OR be smart enough and have the
    >proper equipment and time to find the single fingerprint needed to
    >match, I have a more than reasonable expectation that the info is,
    >realistically, not at risk.


    He knows which fingerprint-- yours. He knows when he steals them that your
    fingerprints are all over the laptop, the computer and anything else in the
    office or home he steals from. That is trivial.




    >What say you?


    How much insurance are you willing to buy to compensate your clients when
    their information gets stolen by their worst enemy, and you are found at
    fault?
    Unruh, Feb 22, 2007
    #7
  8. Richard

    Ken Guest

    On Mon, 19 Feb 2007 17:57:25 -1000, Richard
    <> wrote:

    >At the risk of being laughed/flamed into oblivion...
    >
    >I KNOW the documentation with MS Digital Persona fingerprint reader sez
    >"Don't use for security purposes", BUT if I am using TrueCrypt, and an
    >adequate strong password, then utilize the fingerprint reader in place
    >of the typed password, how secure is my TrueCrypt file?
    >
    >(I can use EITHER the typed in password or use my finger on the reader.)
    >
    >Thanks for your time...

    Actually, the main problem with fingerprint readers in my limited
    experience is the number of read failures. My laptop has a built in
    reader, but I estimate better than 80% of all reads are a failure.
    About half of the time, I get locked out of the reader by the intruder
    detection routine which means more than four failures in a row.
    Ken, Feb 22, 2007
    #8
  9. Ken <> (07-02-22 22:01:19):

    > Actually, the main problem with fingerprint readers in my limited
    > experience is the number of read failures. My laptop has a built in
    > reader, but I estimate better than 80% of all reads are a failure.
    > About half of the time, I get locked out of the reader by the intruder
    > detection routine which means more than four failures in a row.


    The problem here is that current fingerprint readers (for non-commercial
    purposes) are based on image processing. They have a certain
    granularity. If it's too fine, then there are too many false positives,
    whereas if it's not, then security is reduced drastically.

    Real fingerprint readers are based on neural networks. They are
    expensive, and you need to train them for a while with positives _and_
    negatives, until it recognizes your fingerprint and only your
    fingerprint. They have the advantage that they are very secure and
    produce almost no false positives. But as said, they are expensive and
    a lot more difficult to use.


    Regards,
    E.S.
    Ertugrul Soeylemez, Feb 23, 2007
    #9
  10. Richard

    spocko Guest

    On 20 Feb 2007 09:42:05 GMT, Juergen Nieveler
    <> wrote:

    >Richard <> wrote:
    >
    >> I KNOW the documentation with MS Digital Persona fingerprint reader sez
    >> "Don't use for security purposes", BUT if I am using TrueCrypt, and an
    >> adequate strong password, then utilize the fingerprint reader in place
    >> of the typed password, how secure is my TrueCrypt file?

    >
    >Far less secure than with just the password. The fingerprint reader is
    >just a convenience tool that removes the need to type...
    >
    >Remember, all the fingerprint reader checks is whether something that
    >looks like your fingerprint is visible to the little camera inside. And
    >something that looks like your fingerprint can easily be created by
    >using the sample fingerprints you leave on everything you touch :)
    >
    >Juergen Nieveler


    I suppose the only real use for it is for some humorous operating
    system to send the fingerprint up the line to the FBI for the usual
    control freak tax wasting program that doesn't really work all that
    well. You could see where there's some potential if it caught on
    though. Just not for you particularly.
    spocko, Feb 26, 2007
    #10