Message-ID: <445B59EE.6040701@shapeshifter.se>
Date: Fri, 05 May 2006 15:58:06 +0200
From: Fredrik Lindberg
To: aanton@spintech.ro
Cc: freebsd-hackers@freebsd.org, Cesar
In-Reply-To: <445B544D.5070107@spintech.ro>
Subject: Re: Fingerprint Authentication

Alin-Adrian Anton wrote:
> Fredrik Lindberg wrote:
>>
>> But that would sort of defeat the whole purpose of biometric
>> authentication and you could really just use public keys instead
>> which would be a lot faster and easier than scanning your finger
>> at each login. :)
>>
>
> Unless you locally encrypt your private key with information gathered by
> the fingerprint reader, as a "password".
>

That's exactly the problem with, at least, UPEK's driver. If you scan
one of your fingers twice you'll get two "different" BioAPI records.
That's "different" as in two binary data blobs which aren't equal.
To match these records with each other, you hand them over to the driver
which, as far as I know, hands them over to the hardware which in turn
performs some black magic and then tells you if the records match or not.

This is actually the way BSP (Biometric Service Providers..uhh fancy
names) modules for BioAPI work. The BSP "captures" a biometric record
from somewhere (could be hardware or it could be software), this opaque
data is then used to construct a BIR (BioAPI Record) which you store in
some database. This process is called "enrollment" in BioAPI-speak.

When you want to verify/match a record you let the BSP "capture" a new
record (and thus creating a new BIR), you now have two BIRs which aren't
bitwise equal and as they are created by a third party module you have
no idea of what they contain (except for the BIR header). Then these two
BIRs are handed over to the BSP module again for the match process, which
will return either a positive or negative result.

In UPEK's case I was told by their representative that the matching
between two BIRs is done in hardware.

Fredrik Lindberg
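
An added illustration, not part of the original message and not UPEK or BioAPI code: a simulation of why a fresh scan cannot be used directly as the "password" for an encrypted private key, while a fuzzy match step still answers yes or no. The toy feature vector, noise model, threshold, salt and all function names are assumptions; a real BSP's record format and matcher are opaque.

```python
import hashlib
import random

TEMPLATE_BITS = 256     # assumed size of the toy feature vector
NOISY_BITS = 12         # assumed number of bits that flip on every scan
MATCH_THRESHOLD = 64    # assumed max differing bits the matcher accepts


def capture(finger_seed, scan_seed):
    """Simulate one scan: stable per-finger features plus per-scan noise."""
    stable = random.Random(finger_seed)
    bits = [stable.getrandbits(1) for _ in range(TEMPLATE_BITS)]
    noise = random.Random(scan_seed)
    for i in noise.sample(range(TEMPLATE_BITS), NOISY_BITS):
        bits[i] ^= 1
    return bytes(bits)


def derive_key(record):
    """The idea from the quoted text: treat the scan itself as a passphrase."""
    # Constructed salt and iteration count, for illustration only.
    return hashlib.pbkdf2_hmac("sha256", record, b"constructed-salt", 1000)


def match(enrolled, fresh):
    """Stand-in for the BSP match step: compares two records, returns yes/no."""
    differing = sum(a != b for a, b in zip(enrolled, fresh))
    return differing <= MATCH_THRESHOLD


def demo():
    enrolled = capture(finger_seed=1, scan_seed=100)   # stored at enrollment
    login = capture(finger_seed=1, scan_seed=101)      # same finger, new scan
    other = capture(finger_seed=2, scan_seed=102)      # a different finger
    return {
        "same_finger_bitwise_equal": enrolled == login,
        "same_finger_same_key": derive_key(enrolled) == derive_key(login),
        "same_finger_matches": match(enrolled, login),
        "other_finger_matches": match(enrolled, other),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The matcher needs the enrolled record available in usable form to compare against, so that record behaves like a stored reference, not like a secret that only the user's finger can reproduce.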