Delivered-To: freebsd-security@freebsd.org
From: Dag-Erling Smorgrav
To: "Eric F Crist"
Cc: "'Michael Sierchio'" , "'Ryan Thompson'" ,
Subject: Re: Password security
Date: 19 Jun 2002 18:19:54 +0200
In-Reply-To: <002201c217a9$1daf1300$77fe180c@armageddon>
References: <002201c217a9$1daf1300$77fe180c@armageddon>
X-URL: http://www.ofug.org/~des/

"Eric F Crist" writes:

> Of course the technology is not perfect. Things such as cuts on your
> finger and blood-shot eyes can still fool these systems, but password
> technology has its faults too.

These are false negatives, which are annoying but tolerable. I'm more worried about false positives, and from what I can see they're far too easy to provoke.

> Biometrics, on the other hand, requires a little more work. If you
> couple basic username/password token systems, a hardware or address
> token, such as I-button/smart card and IP address, with either a retinal
> scanner or palm print, or finger print, or voice recognition, there
> becomes a greater amount of homework to be done to break into the
> system.

Not when the biometric device is so easy to fool that it becomes practically irrelevant. Then the "passwords & fingerprints" scheme is reduced to just "passwords & warm fuzzy feelings".

It has been shown empirically that "state of the art" biometric devices can be fooled by any amateur with a little ingenuity and less than $50 in supplies. Some fingerprint scanners are so bad they can be tricked into scanning and accepting the latent print left on their surface from the previous time they were used. Others will accept an image of a fingerprint lifted from, say, your coffee mug. Yet others are vulnerable to trivial replay attacks. All of them are vulnerable to fake fingers (made of silicone or agar-agar) whose "fingerprint" can be reconstructed from a mold, or from a latent fingerprint (coffee mug again) made three-dimensional with a hobby PCB etching kit.

Facial recognition systems have been tricked by photographs (or video clips for those with "live subject" safeguards) of the subject. Iris recognition systems have been tricked with printouts of an image of the subject's iris, with a hole cut in the middle for the attacker to see through.

The fact that vendors have reacted by either denying the results or just refusing to discuss them does not increase my faith in the biometrics industry. I will not trust any biometric device until vendors start openly acknowledging and discussing possible attacks, and publishing the methods they use to resist them.

DES

-- 
Dag-Erling Smorgrav - des@ofug.org
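One defender-side control that the replay and latent-print observations in the message above point to, as an added Python example that is not from this thread or from any vendor: a verifier that, besides the usual match decision, refuses a capture that is (near-)identical to a sample it already holds, because a live finger never reproduces stored data exactly. The toy minutiae templates, the thresholds and the `Verifier` class are constructed for illustration; as the comments note, this catches resubmitted data only, not a fake finger that produces a genuinely new capture.

```python
# Toy fingerprint "template": minutiae as (x, y) pixel coordinates. Constructed for this
# example; real templates are far richer, but the control below works the same way.
Template = tuple[tuple[int, int], ...]

MATCH_THRESHOLD = 0.80   # minimum overlap with the enrolled template to count as a match
REPLAY_THRESHOLD = 0.98  # overlap this high with any stored sample means old data was reused
HISTORY_SIZE = 16        # number of previously accepted captures remembered per user


def similarity(a: Template, b: Template) -> float:
    """Fraction of minutiae in `a` that lie within 1 px of some minutia in `b`."""
    if not a:
        return 0.0
    def near(x, y): return any(abs(x - u) <= 1 and abs(y - v) <= 1 for (u, v) in b)
    return sum(1 for (x, y) in a if near(x, y)) / len(a)


class Verifier:
    """Verifier that refuses captures (near-)identical to samples it already holds."""

    def __init__(self, enrolled: Template) -> None:
        self.enrolled = enrolled
        self.history: list[Template] = []  # recently accepted captures, newest last

    def verify(self, capture: Template) -> str:
        # Step 1: the ordinary biometric decision.
        if similarity(capture, self.enrolled) < MATCH_THRESHOLD:
            return "reject"
        # Step 2: a live finger never reproduces a stored sample exactly, so a capture that
        # does is a replay, or the previous user's latent print re-read off the sensor.
        # A fake finger is NOT caught here: it yields a genuinely new capture.
        for seen in (self.enrolled, *self.history):
            if similarity(capture, seen) >= REPLAY_THRESHOLD:
                return "reject-replay"
        self.history.append(capture)
        del self.history[:-HISTORY_SIZE]
        return "accept"


# Constructed samples: an enrolment and two genuine captures that each differ from it in
# one minutia, as real captures do (pressure, rotation, sensor noise).
ENROLLED: Template = ((10, 10), (20, 15), (30, 40), (45, 12), (50, 50),
                      (60, 25), (70, 70), (80, 33), (90, 90), (95, 5))
CAPTURE_1: Template = ENROLLED[:9] + ((98, 8),)   # last minutia moved 3 px
CAPTURE_2: Template = ((13, 13),) + ENROLLED[1:]  # first minutia moved 3 px


def demo() -> list[str]:
    v = Verifier(ENROLLED)
    return [v.verify(CAPTURE_1),   # accept: 9/10 overlap with enrolment, nothing stored yet
            v.verify(CAPTURE_2),   # accept: 9/10 with enrolment, only 8/10 with CAPTURE_1
            v.verify(CAPTURE_1),   # reject-replay: identical to an earlier accepted capture
            v.verify(ENROLLED)]    # reject-replay: exact copy of the stored enrolment data
```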