biometrics (addenda)

lynn.wheeler at firstdata.com
Mon Jan 28 16:31:35 EST 2002


so a countermeasure for the card stolen scenario ... just to make the
fingerprint compromise of the card slightly harder than the common scenario
of the PIN compromise with a PIN written on the card (this is in addition
to various liveness tests built into sensors).

... let's say you register the little finger and the finger next to the
little finger from the hand that you are least likely to use when handling
a card (or water glass). Either of those two fingers is used.

In the chip scenario case, both the PIN/password and biometric are claimed
to have a non-shared-secret paradigm implementation .... aka PIN/password
and/or the biometric are registered in your card .... not someplace else.
The issue of the card operating is based on the card comparing the
information.

The assumption is

1) chip-based
2) non-shared-secret paradigm
3) common situation where people write PIN on the card
4) compromise starts with the minimum of stealing the card first.

So the issue for this non-shared-secret, "something you have" paradigm is
can "something you are" be used in place of "something you know" (and the
associated shortcomings) and be more difficult to compromise (not
impossible, just more difficult ... and therefore cost more for the
attacker).

Now, a person that absolutely guarantees that they will use a minimum of
an 8-digit random PIN and never write it anywhere .... could elect to have a
card that was PIN operated rather than biometric operated. In the card
case, the transaction works the same .... it is just an infrastructure issue
of whether it wants PIN'ed chips or biometric chips. There seems to be a
large body of people for whom biometric chips are much less subject to
compromise (because of various human memory issues).

random shared secret &/or biometric refs:
http://www.garlic.com/~lynn/aadsmore.htm#bioinfo1 QC Bio-info leak?
http://www.garlic.com/~lynn/aadsmore.htm#biosigs biometrics and electronic signatures
http://www.garlic.com/~lynn/aadsmore.htm#biosigs2 biometrics and electronic signatures
http://www.garlic.com/~lynn/aadsm2.htm#privacy Identification and Privacy are not Antinomies
http://www.garlic.com/~lynn/aadsm2.htm#stall EU digital signature initiative stalled
http://www.garlic.com/~lynn/aadsm2.htm#strawm3 AADS Strawman
http://www.garlic.com/~lynn/aadsm2.htm#pkikrb PKI/KRB
http://www.garlic.com/~lynn/aadsm3.htm#cstech4 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech5 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech6 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech8 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#cstech12 cardtech/securetech & CA PKI
http://www.garlic.com/~lynn/aadsm3.htm#kiss2 Common misconceptions, was Re: KISS for PKIX. (Was: RE: ASN.1 vs XML (used to be RE: I-D ACTION :draft-ietf-pkix-scvp-00.txt))
http://www.garlic.com/~lynn/aadsm3.htm#kiss8 KISS for PKIX
http://www.garlic.com/~lynn/aadsm3.htm#kiss9 KISS for PKIX .... password/digital signature
http://www.garlic.com/~lynn/aadsm4.htm#7 Public Key Infrastructure: An Artifact...
http://www.garlic.com/~lynn/aadsm5.htm#shock revised Shocking Truth about Digital Signatures
http://www.garlic.com/~lynn/aadsm5.htm#shock2 revised Shocking Truth about Digital Signatures
http://www.garlic.com/~lynn/aadsm6.htm#websecure merchant web server security
http://www.garlic.com/~lynn/aadsm6.htm#terror [FYI] Did Encryption Empower These Terrorists?
http://www.garlic.com/~lynn/aadsm7.htm#cryptofree Erst-Freedom: Sic Semper Political Cryptography
http://www.garlic.com/~lynn/aadsm7.htm#rhose9 when a fraud is a sale, Re: Rubber hose attack
http://www.garlic.com/~lynn/aadsm7.htm#rhose12 when a fraud is a sale, Re: Rubber hose attack
http://www.garlic.com/~lynn/aadsm7.htm#rhose13 when a fraud is a sale, Re: Rubber hose attack
http://www.garlic.com/~lynn/aadsm8.htm#softpki8 Software for PKI
http://www.garlic.com/~lynn/aadsm8.htm#softpki11 Software for PKI
http://www.garlic.com/~lynn/aadsm8.htm#3dvulner 3D Secure Vulnerabilities?
http://www.garlic.com/~lynn/aadsm9.htm#carnivore2 Shades of FV's Nathaniel Borenstein: Carnivore's "Magic Lantern"
http://www.garlic.com/~lynn/aadsm9.htm#cfppki9 CFP: PKI research workshop
http://www.garlic.com/~lynn/aadsm10.htm#tamper Limitations of limitations on RE/tampering (was: Re: biometrics)
http://www.garlic.com/~lynn/aadsm10.htm#biometrics biometrics
http://www.garlic.com/~lynn/aepay3.htm#votec (my) long winded observations regarding X9.59 & XML, encryption and certificates
http://www.garlic.com/~lynn/aepay3.htm#mcomm (my) misc. additional comments on X9.59 issues.
http://www.garlic.com/~lynn/aepay3.htm#aadsrel1 AADS related information
http://www.garlic.com/~lynn/aepay3.htm#passwords Passwords don't work
http://www.garlic.com/~lynn/aepay3.htm#x959risk3 Risk Management in AA / draft X9.59
http://www.garlic.com/~lynn/aepay4.htm#nyesig e-signatures in NY
http://www.garlic.com/~lynn/aepay6.htm#x959b X9.59 Electronic Payment standard issue
http://www.garlic.com/~lynn/aepay6.htm#harvest2 shared secrets, CC#, & harvesting CC#
http://www.garlic.com/~lynn/aepay6.htm#cacr7 7th CACR Information Security Workshop
http://www.garlic.com/~lynn/aepay6.htm#erictalk Announce: Eric Hughes giving Stanford EE380 talk this
http://www.garlic.com/~lynn/aepay6.htm#dspki5 use of digital signatures and PKI (addenda)
http://www.garlic.com/~lynn/aepay7.htm#ssexploit Shared Secret exploit
http://www.garlic.com/~lynn/aepay7.htm#netbank net banking, is it safe?? ... power to the consumer
http://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aepay7.htm#3dsecure2 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aepay8.htm#vulner account number & shared secret vulnerabilities
http://www.garlic.com/~lynn/aepay10.htm#5 I-P: WHY I LOVE BIOMETRICS BY DOROTHY E. DENNING
http://www.garlic.com/~lynn/aepay10.htm#8 FSTC to Validate WAP 1.2.1 Specification for Mobile Commerce
http://www.garlic.com/~lynn/99.html#157 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#160 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#165 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#166 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#168 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#170 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#172 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#189 Internet Credit Card Security
http://www.garlic.com/~lynn/99.html#214 Ask about Certification-less Public Key
http://www.garlic.com/~lynn/99.html#226 Attacks on a PKI
http://www.garlic.com/~lynn/99.html#228 Attacks on a PKI
http://www.garlic.com/~lynn/99.html#235 Attacks on a PKI
http://www.garlic.com/~lynn/99.html#238 Attacks on a PKI
http://www.garlic.com/~lynn/2000.html#39 "Trusted" CA - Oxymoron?
http://www.garlic.com/~lynn/2000.html#57 RealNames hacked. Firewall issues.
http://www.garlic.com/~lynn/2000.html#60 RealNames hacked. Firewall issues.
http://www.garlic.com/~lynn/2000b.html#53 Digital Certificates-Healthcare Setting
http://www.garlic.com/~lynn/2000b.html#90 Question regarding authentication implementation
http://www.garlic.com/~lynn/2000b.html#92 Question regarding authentication implementation
http://www.garlic.com/~lynn/2000f.html#1 Why trust root CAs ?
http://www.garlic.com/~lynn/2000f.html#4 Why trust root CAs ?
http://www.garlic.com/~lynn/2000f.html#7 Why trust root CAs ?
http://www.garlic.com/~lynn/2000g.html#5 e-commerce: Storing Credit Card numbers safely
http://www.garlic.com/~lynn/2000g.html#33 does CA need the proof of acceptance of key binding ?
http://www.garlic.com/~lynn/2000g.html#34 does CA need the proof of acceptance of key binding ?
http://www.garlic.com/~lynn/2000g.html#49 Use of SET?
http://www.garlic.com/~lynn/2001c.html#30 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#34 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#39 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#40 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#41 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#42 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#54 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001c.html#60 PKI and Non-repudiation practicalities
http://www.garlic.com/~lynn/2001f.html#25 Question about credit card number
http://www.garlic.com/~lynn/2001f.html#31 Remove the name from credit cards!
http://www.garlic.com/~lynn/2001g.html#11 FREE X.509 Certificates
http://www.garlic.com/~lynn/2001g.html#38 distributed authentication
http://www.garlic.com/~lynn/2001h.html#5 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001h.html#7 PKI/Digital signature doesn't work
http://www.garlic.com/~lynn/2001h.html#58 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#9 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#16 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#25 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#35 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#36 Net banking, is it safe???
http://www.garlic.com/~lynn/2001i.html#57 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#0 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#2 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#9 E-commerce security????
http://www.garlic.com/~lynn/2001j.html#44 Does "Strong Security" Mean Anything?
http://www.garlic.com/~lynn/2001j.html#49 Are client certificates really secure?
http://www.garlic.com/~lynn/2001j.html#52 Are client certificates really secure?
http://www.garlic.com/~lynn/2001k.html#1 Are client certificates really secure?
http://www.garlic.com/~lynn/2001k.html#34 A thought on passwords
http://www.garlic.com/~lynn/2001k.html#58 I-net banking security
http://www.garlic.com/~lynn/2001k.html#61 I-net banking security
http://www.garlic.com/~lynn/2001m.html#5 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#41 Solutions to Man in the Middle attacks?
http://www.garlic.com/~lynn/2001n.html#94 Secret Key Infrastructure plug compatible with PKI
http://www.garlic.com/~lynn/2002.html#9 How to get 128-256 bit security only from a passphrase?
http://www.garlic.com/~lynn/2002.html#39 Buffer overflow



<sidney at sidney.com> on 1/28/2002 10:47 am wrote:


On Sun, 2002-01-27 at 14:07, lynn.wheeler at firstdata.com wrote:
> The issue then is that biometric represents a particularly
> difficult shared-secret that doesn't have to be memorized

Shared "secret"? People don't leave a copy of their PIN on every water
glass they use.

 -- sidney
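Added example (not from Lynn's post and not AADS or X9.59 code): a toy Go model of the chip-card, non-shared-secret design the message argues for. The card holds either a PIN hash or an enrolled finger template, does the comparison on-chip, and releases only a signature over the transaction; the relying party holds nothing but the card's public key. The Ed25519 key, the 64-bit bit-vector "template" matched by Hamming distance, and the three-try lockout are assumptions standing in for a real card's signing key, minutiae template and retry counter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"math/bits"
)

// Card keeps the enrolled verifier (PIN hash or finger template) and its
// signing key on-chip; only a signature over the transaction ever leaves.
type Card struct {
	priv      ed25519.PrivateKey
	pinHash   []byte // set on PIN-operated cards, nil on biometric ones
	template  uint64 // constructed stand-in for a fingerprint template
	threshold int    // Hamming distance the on-card matcher tolerates
	TriesLeft int    // retry counter; the card locks at zero
}
// Enroll registers one factor (pin != "" for a PIN card, else the template); the relying party gets only the public key.
func Enroll(pin string, template uint64, threshold int) (*Card, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail
	c := &Card{priv: priv, TriesLeft: 3, template: template, threshold: threshold}
	if pin != "" {
		h := sha256.Sum256([]byte(pin))
		c.pinHash = h[:]
	}
	return c, pub
}

// Sign compares on the card and signs tx only on success; a failure burns one retry, a locked card signs nothing.
func (c *Card) Sign(tx []byte, pin string, sample uint64) ([]byte, bool) {
	ok := bits.OnesCount64(sample^c.template) <= c.threshold // biometric match
	if c.pinHash != nil { // PIN-operated card: constant-time hash compare
		h := sha256.Sum256([]byte(pin))
		ok = subtle.ConstantTimeCompare(h[:], c.pinHash) == 1
	}
	if c.TriesLeft == 0 || !ok {
		if c.TriesLeft > 0 {
			c.TriesLeft--
		}
		return nil, false
	}
	return ed25519.Sign(c.priv, tx), true
}

// Accept is the relying party's entire check: it holds no PIN and no template.
func Accept(pub ed25519.PublicKey, tx, sig []byte) bool {
	return ed25519.Verify(pub, tx, sig)
}
```

The stolen-card case from the message falls out directly: a PIN card with the PIN written on it signs for whoever holds it, while a biometric card signs only for a sample within the matcher's tolerance of the enrolled finger, and locks after the retry counter is spent.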

---------------------------------------------------------------------
The Cryptography Mailing List