One of the weaknesses of biometric security systems is that you can’t just replace your finger or your eye if someone figures out how to compromise the system, like you can with a password. IBM researchers have applied more sophisticated cryptographic theory to the problem, providing a way to “construct a kind of technological screen separating a user’s actual biological identification information from the records stored in profile databases.”
WOW, that bites big time! How could they miss that? Maybe because they don't have very many 64-bit apps to test with, if any.
Oops, I replied to the wrong post. I WAS replying to the "Apple breaks 64-bit apps with the new security update" post.
So IBM has come up with a system that thwarts attacks on biometric systems where the attack tries to reverse-engineer the fingerprint from the biometric template?
That doesn't actually solve the problem of biometrics being non-replaceable. Nobody attacks biometric systems that way; they attack them by creating replicas of what's being measured or by getting the original by force. Manipulating the biometric template does nothing against those types of attacks.
Well, it at least changes the way people have to think about security. No longer can someone do a clean crack of a server and get away. Now they have to physically locate a user with the right access rights and then get the biometric info from that source.
It basically moves the security to an area that we as humans are very used to: protection of our own bodies.
> It basically moves the security to an area that we as humans are very used to: protection of our own bodies.
Does it? If I go to your keyboard at work, I’d likely find dozens of fingerprints. It’s not a matter of protecting your body, you leave them everywhere whether you like it or not.
In theory, given the right technology, I should be able to transfer your fingerprints onto a material that mimics human tissue, like ballistic gel, and create an artificial finger that could pass a fingerprint scanner.
If this theory could be put into practice, you’d be SOL.
OK, then make that our physical environment. As in, we are better at protecting something physical than something that's just stored electronically.
Also, the person doing the crime will have to get close to you. No more Russian hackers running off with 2 million US passwords or something like that.
And I recall reading about some people melting down jelly bears to create a fake finger shape. This they then pressed against a print reader after it was used and got logged in.
Point is to decrease at what distance the crime can be committed. Although the best ones are always done onsite.
But then again, there is nothing that's known as perfect security. If so, then there would be zero crime. The weakest link is always the human one…
Exactly. Just because you can SHA-1 a password doesn’t mean you never need to be able to change it. Once your fingerprint is compromised, it’s compromised for good. You can’t call Visa and have it cancelled.
Plus, getting at someone’s fingerprint is easier than getting at his password (just place a hidden fingerprint reader on a door handle). It might be better to build scanners for some of the less exposed body parts, if you know what I mean.
One of the best alternatives I've heard is the lasers that inscribe data on a person's fingernail. It's a hybrid of "what you have/what you are". It can be changed. In fact, it HAS to be updated regularly as a person's nail grows out. Put the data on multiple hands for redundancy to protect against damaged nails.
There’s still some difficulty because the device that inscribes the fingernails has to be protected or secured… but worth exploring.
I don’t see how this “breakthrough” is different from storing password hashes, as has been done on most computer systems for years.
So they get the fingerprint data, pass it through some one-way hash function (MD5 or SHA1), and then store it? That doesn’t sound new to me.
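An added illustration (not IBM's scheme, and not code from the thread) of why a cancelable template is different from a password hash: a password-style hash rejects even a slightly noisy recapture of the same finger, whereas a keyed transform of the feature vector still matches noisy captures, hides the raw features, and can be re-issued by changing the key. The feature vectors, key strings, quantisation (mod 64) and threshold are constructed toy values, not real biometric data or a production matcher.

```python
import hashlib
import hmac
import random
import secrets

N = 16          # features per template (constructed toy size)
MOD = 64        # each feature quantised to 0..63
THRESHOLD = 12  # max total circular distance still accepted as "same finger"

# Constructed toy "fingerprint" feature vectors, not real biometric data.
ENROL = [12, 40, 33, 7, 58, 21, 44, 9, 36, 61, 15, 28, 50, 3, 47, 19]
SAME_FINGER = [12, 41, 33, 7, 57, 21, 44, 10, 36, 61, 15, 28, 50, 3, 47, 19]  # noisy recapture
OTHER_FINGER = [5, 22, 60, 31, 9, 48, 2, 55, 17, 39, 63, 26, 11, 45, 34, 8]

def password_style_hash(features):
    """What the comment proposes: hash the raw features like a password."""
    return hashlib.sha256(bytes(features)).hexdigest()

def hash_matches(stored_hash, features):
    """Exact comparison: any sensor noise changes the hash completely."""
    return hmac.compare_digest(stored_hash, password_style_hash(features))

def derive_params(key):
    """Per-enrolment permutation and offsets derived from a revocable secret key."""
    seed = int.from_bytes(hashlib.sha256(key + b"perm").digest(), "big")
    perm = list(range(N))
    random.Random(seed).shuffle(perm)
    offsets = [b % MOD for b in hashlib.sha256(key + b"shift").digest()[:N]]
    return perm, offsets

def transform(features, key):
    """Keyed transform: permute the features and add per-slot offsets mod 64.
    Without the key the stored template reveals nothing about the raw values."""
    perm, offsets = derive_params(key)
    return [(features[perm[i]] + offsets[i]) % MOD for i in range(N)]

def circular_distance(a, b):
    d = abs(a - b)
    return min(d, MOD - d)  # invariant under the keyed offset, so noise survives

def template_matches(stored_template, features, key):
    """Match a fresh capture against the stored template under the same key."""
    probe = transform(features, key)
    dist = sum(circular_distance(s, p) for s, p in zip(stored_template, probe))
    return dist <= THRESHOLD

def enrol(features, key=None):
    """Enrol with a fresh key and store only the transformed template.
    After a breach, re-enrol with a new key; the leaked template no longer matches."""
    key = key or secrets.token_bytes(16)
    return key, transform(features, key)
```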
It does not matter how much security you have on the keypad, if a credit card can open the door.
hobgoblin, you may have hit the nail on the head.
> Point is to decrease at what distance the crime can be committed. Although the best ones are always done onsite.
That being said, wouldn't it make it much more difficult to break security by combining biometric authentication with a user/pass unique to that biometric information? It would seem to me that relying on biometric means only as access control has a big problem once the biometric is compromised. The person owning that biometric is forever compromised and cannot be allowed in unless another biometric submission from that person is accepted. But in combination with a user/pass, a biometric is only one part of the equation. If my fingerprint is stolen, once the attack is hopefully resolved, then I could be given a new user/pass unique to the same biometric. I know I'm a novice compared to many of you here in this field, so I know this is like sticking my marshmallow in a blast furnace. I'm gonna get flamed.
> I know I'm a novice compared to many of you here in this field, so ….
You are actually more right than you know.
Most serious (i.e. DoD level) authentication mechanisms require what's called "two-factor authentication".
The factors are:
* Something you know (i.e. password)
* Something you have (i.e. smartcard)
* Something you are (i.e. fingerprint)
In any serious use of biometrics, more than one factor would be employed; biometrics would not be the only factor, for the very reasons that some of the more hysterical members of this board are complaining about (e.g. once a biometric is compromised, it's cracked for good).
However, using the two-factor approach, just because you have his fingerprint or password, or even fingerprint AND password, is no reason to scream that the sky is falling. Pick a new password and move on….
Why stick with JUST one form? Why not use a combination of fingerprint, iris scan, and maybe even a voice pass code or typed password? The trick is to make your security as good as possible without ending up with a mile-long line of employees trying to enter the building. I heard iris scan is flawed; well, why throw the tech away when you can just double up? It isn't perfect, but better than just prints or iris scans. Add in a voice pass code or keyed-in password and you're about as secure as you can get without requiring long entry times.