[IP] more on Biometric Innovation Breakthrough answers UK ID Card Security Fears

To: Ip ip <ip@xxxxxxxxxxxxxx>
Subject: [IP] more on Biometric Innovation Breakthrough answers UK ID Card Security Fears
From: David Farber <dave@xxxxxxxxxx>
Date: Thu, 30 Jun 2005 12:19:58 -0400
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <6.2.1.2.2.20050630104840.00bb1cd0@xxxxxxxxx>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx



Begin forwarded message:

From: Tom Goltz <tgoltz@xxxxxxxxxxxxxxxxx>
Date: June 30, 2005 11:06:57 AM EDT
To: dave@xxxxxxxxxx
Cc: Brian Randell <Brian.Randell@xxxxxxxxxxxxxxx>

Subject: Re: [IP] Biometric Innovation Breakthrough answers UK IDCard Security Fears



At 04:41 AM 6/30/2005, you wrote:

This "understated" commercial press release has been issued the very
day that the UK Parliament is debating the Government's controversial
ID Card proposals.


My bogo-meter has just jumped completely off the scale.

They say NOTHING about how they are preventing replay attacks usingduplicated fingers. So far, virtually all of the available"fingerprint sensors" have proven to be easily fooled using duplicatefingers that are trivial to manufacture. The claim that their systemwill only work with a "live finger" is completely unsupported.

The core "innovation" here appears to be that they're building theirblob using the image of multiple fingerprints in a sequencedetermined by the individual. In other words, they're going from asingle-digit PIN to a multiple-digit PIN. As in standard numericPIN's, this makes it harder to steal and reproduce the sequence, butfalls completely short of the "impossible" that they claim. All ofthe standard attacks against a multiple-digit numeric PIN that isstored in hashed form still apply here.

I also have serious questions about the usability of the proposedsystem. A significant portion of the population has drier-than-normal skin (I'm one of them), and most of the fingerprint sensorsthat I have tried have trouble "reading" my fingers. It's difficultenough to get a valid read on a single one of my fingers, let alone asequence of multiple fingers. I shudder to think about the length ofthe queues that will result from people having to fight with thefingerprint reader for many, many minutes each to get a validbiometric input to the system.

There are also no details on how their system is going to provide andenforce the promised information access controls. This is acompletely separate issue from how the fingerprint biometric iscalculated.

I'm sure Bruce Schneier could do an even more devastating job ofdebunking these guys, but this is at least a start.





-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Internet Mailing Lists vs. Specter-Leahy data security bill
Next by Date: [IP] Campaign finance "reformers" may have overstepped on Net-regs [fs]
Previous by thread: [IP] Internet Mailing Lists vs. Specter-Leahy data security bill
Next by thread: [IP] Campaign finance "reformers" may have overstepped on Net-regs [fs]
Index(es):
- Date
- Thread