[10247] in cryptography@c2.net mail archive
Re: biometrics
daemon@ATHENA.MIT.EDU (Ryan McBride)
Wed Jan 23 18:42:32 2002
Date: Wed, 23 Jan 2002 18:33:03 -0500
From: Ryan McBride <mcbride@countersiege.com>
To: cryptography@wasabisystems.com
Message-ID: <20020123233303.GF31282@countersiege.com>
Reply-To: Ryan McBride <mcbride@countersiege.com>
Mail-Followup-To: cryptography@wasabisystems.com
In-Reply-To: <000001c1a42b$cb000650$16c89c8d@PHZ>

On Wed, Jan 23, 2002 at 11:34:13AM -0500, Phillip H. Zakas wrote:
> by biometric identification there are two approaches to pursue:
>
> 1. Replace the intended biometric data, stored in the authentication
> database, of a known person with your own biometric data so that when
<snip>
> 2. Sniff packets/signals over the wire during an authentication session
<snip>

There is a third: some poorly engineered biometric applications
provide the necessary biometric data directly to the attacker: for
example, I have encountered a biometric screen saver product which
works with a webcam. It only unlocks the screen when it recognises the
correct person (and automatically locks the screen when the person
leaves, a very nice feature). HOWEVER it displays a picture of the
"owner" on the screen when in the locked state. Simply point the
camera at the screen, wiggle a thin strip of paper in front of the
eyes (it uses blinking as a liveness verification) and "open sesame".

Anyone thinking about implementing a biometric system should read
Bruce Schneier's piece on the subject:
http://www.counterpane.com/crypto-gram-9808.html#biometrics

Sigh... If only technology worked in real life like it does in the
movies.

-Ryan
--
Ryan T. McBride, CISSP - mcbride@countersiege.com
Countersiege Systems Corporation - http://www.countersiege.com