biometrics

Jaap-Henk Hoepman hoepman at cs.utwente.nl
Fri Jan 25 13:22:31 EST 2002


As much as I have my doubts about biometric systems, I cannot let the below
pass.

On Wed, 23 Jan 2002 21:11:23 +0100 "Perry E. Metzger" <perry at wasabisystems.com> writes:
> However, as soon as you lose physical control over the device doing
> the measurements or their communications path biometrics become worse
> than useless. As one example, they're useless for authenticating
> over-the-net bank account access -- the device on your desk that your
> bank helpfully provides to scan your eye might not even be attached
> when the cracker's software helpfully provides forged information down
> the line. "Liveness" tests are not useful if you don't even know if
> the biometric hardware at the other end is intact. Anything in a
> user's location is by definition untrustworthy in this sense.

Of course (and I think Dorothy mentioned this too), the measuring device and
its connection to the verifying system must be properly protected. In case of
the system Perry describes, a secure and fresh (i.e. fresh session key) link
should be set up between the measuring device and the bank, so that
eavesdropping _and_ replay/forgery is impossible. Even though most biometric
systems may not implement this (I simply don't know), this is not a weakness of
biometric systems per se.

[Moderator's note: er, HUH? How does the link being realtime assure
that the remote side isn't simply generating iris images and sending
them to you? It doesn't. Biometrics are worthless except when the
entire system is completely physically secure. --Perry]

Jaap-Henk
 
-- 
Jaap-Henk Hoepman             | Come sail your ships around me
Dept. of Computer Science     | And burn your bridges down
University of Twente          |       Nick Cave - "Ship Song"
Email: hoepman at cs.utwente.nl === WWW: www.cs.utwente.nl/~hoepman
Phone: +31 53 4893795 === Secr: +31 53 4893770 === Fax: +31 53 4894590
PGP ID: 0xF52E26DD  Fingerprint: 1AED DDEB C7F1 DBB3  0556 4732 4217 ABEF
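
The disagreement in this message, as an added example that is not part of the original post: a fresh challenge from the bank stops eavesdrop-and-replay on the link, but whoever holds the device's key can authenticate data that never came from a sensor. The shared device key, the `Bank` class, the message layout and the exact-match comparison (real biometric matching is approximate) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, nonce: bytes, template: bytes) -> bytes:
    # Bind the measurement to the bank's fresh 16-byte nonce.
    return hmac.new(key, nonce + template, hashlib.sha256).digest()

class Bank:
    """Hypothetical verifier: one outstanding single-use challenge."""
    def __init__(self, device_key: bytes, enrolled: bytes):
        self.key, self.enrolled, self.pending = device_key, enrolled, None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, template: bytes, tag: bytes) -> bool:
        nonce, self.pending = self.pending, None   # a nonce is used once
        if nonce is None:
            return False
        fresh = hmac.compare_digest(tag, mac(self.key, nonce, template))
        # Simplification: exact comparison stands in for biometric matching.
        return fresh and hmac.compare_digest(template, self.enrolled)

def run_scenarios():
    key = secrets.token_bytes(32)            # key provisioned in the device
    iris = b"constructed-iris-template"      # constructed sample data
    bank = Bank(key, iris)

    # 1. Intact device answers the challenge with a real measurement.
    n1 = bank.challenge()
    recorded = (iris, mac(key, n1, iris))
    honest = bank.verify(*recorded)

    # 2. The recorded message is replayed against a new challenge.
    bank.challenge()
    replay = bank.verify(*recorded)

    # 3. A sender on the link who lacks the device key.
    n3 = bank.challenge()
    no_key = bank.verify(iris, mac(secrets.token_bytes(32), n3, iris))

    # 4. Software at the user's location that holds the key; no sensor
    #    is involved, yet the link-level checks cannot tell the difference.
    n4 = bank.challenge()
    key_holder = bank.verify(iris, mac(key, n4, iris))
    return honest, replay, no_key, key_holder

if __name__ == "__main__":
    print(run_scenarios())
```
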




---------------------------------------------------------------------
The Cryptography Mailing List