RE: Hacking USB Thumbdrives, Thumprint authentication
Fingerprint data is difficult to hash since the comparators are fuzzy in
nature. Basically you are dealing with vectors or distances between minutiae
(points of interest) and their direction including slant/curve. Minutiae
readings will differ slightly with each print sampling. For accuracy each
print has to be compared to each sample seeking a match. The matching process
can be time consuming.
That being said there is a way to fuzzify a representation of the print in a
numeric form. Since the algorithms produce an encrypted output of end points
and vectors you are left to trying to attach statistical significance to the
decrypted version of the algorithm output data. Or you can fuzzify a
representation of the image itself as most API's allow capture and storage of a
bitmap of the print. The captured prints will have variance in placement on
the print window and will collect more or less white-space or skewed position.
Prints will also have more or less surface area depending on the pressure
applied during the print capture process. (This is why the algorithms look for
points of interest on the print and will refuse many finger placements during
the print enrollment/verification process.)
Since I get paid for figuring out how to index prints I'll keep the secret to
myself but you have the basics of what's needed to figure it out with the help
of a little high school math.
Enjoy~
David Cross
P.S. hashing is a bad technique in this case because hash's must produce a
unique result that you end up extremely similar inputs having vastly different
hash output values. In this case you want to reduce the pool of candidate
prints and then do a 1 on 1 comparison of the reduced set. Think more along
the lines of averages rather than hashes...
Most systems will make you enter a pin or a username and then will do the 1 on
1 comparison because of the time cost of comparing all prints in the database.
Some companies sell systems that compare all prints in the database 1 on 1 to
the input but you have the issue of buying an expensive server and you give up
the two factor safety aspect.
-----Original Message-----
From: Dave Aronson [mailto:spamtrap.secfocus@xxxxxxxxxxxxxx]
Sent: Friday, February 06, 2004 8:06 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Cc: markus-1977@xxxxxxx
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication
On Wed February 4 2004 13:37, markus-1977@xxxxxxx wrote:
> (to the best of my knowledge) there is no
> hash-function out there that will hash your fuzzy fingerprint to a
> constant value is it accepts and to something random if it rejects.
Law enforcement agencies use some kind of algorithm to convert
fingerprints to a numeric value, so that they can be easily compared.
This resulting value could of course be hashed. Question is, is this
something that (so far) a human must do, or is it automatable in real
time by a reasonably small and low-priced system?
--
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson