Cracking Biometric Hashes

Dan Kaminsky dan at doxpara.com
Tue Jun 28 02:12:42 EDT 2005


Ah!  I was looking for this info, and finally found it in something I
posted in an old gadget blog.  Short version, biometric hashes are
reversible, since the algorithms provide confidence levels and you can
always alter towards higher confidence.

---
It is repeated that hashes generated by biometric systems cannot be
reversed back into the biological component to be recognized in the
future. This claim is false. Several researchers have noted that
biometric algorithms, implementing fuzzy matches against fundamentally
noisy data, must inherently make their decisions with some level of
confidence. While the level of confidence is usually exported to
administrators to determine how precise the system has to be to allow or
reject a given candidate, it can also be used by an attacker to discover
whether a given small change in a sample biometric element (say, making
a person's lips wider) makes that person look more or less like the
hashed target. This approach is generally devastating, and has been used
to great effect to attack fingerprint readers
(http://chris.fornax.net/biometrics.html) and face recognizers
(http://www.site.uottawa.ca/~adler/publications/2003/adler-2003-fr-templates.pdf).


Irises are not likely to be an exception.
---

--Dan
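
The point made in the post above, as an added example that is not part of the original message: a toy matcher on constructed data, comparing a search that sees the raw confidence score with one that sees only accept/reject. The vector length, threshold, scoring function and all names are assumptions for illustration, not any real biometric product.

```python
import random

DIM = 32          # length of the constructed feature vector (assumption)
THRESHOLD = 0.99  # accept/reject cut-off an administrator would set (assumption)

def confidence(template, sample):
    """Toy matcher: 1.0 for identical vectors, lower as they diverge."""
    return 1.0 - sum((t - s) ** 2 for t, s in zip(template, sample)) / DIM

def hill_climb(oracle, rng, queries=4000, step=0.1):
    """Keep each small change to the sample that the oracle scores higher.

    The search never reads the stored template, only the oracle's output.
    """
    sample = [rng.random() for _ in range(DIM)]
    best = oracle(sample)
    for _ in range(queries):
        i = rng.randrange(DIM)
        trial = sample[:]
        trial[i] = min(1.0, max(0.0, trial[i] + rng.uniform(-step, step)))
        score = oracle(trial)
        if score > best:
            sample, best = trial, score
    return sample

def run(seed=2005):
    """Return the true confidence reached via (raw score, decision only)."""
    trng = random.Random(seed)
    template = [trng.random() for _ in range(DIM)]  # constructed enrolment data

    def score_oracle(s):      # matcher that exports its confidence level
        return confidence(template, s)

    def decision_oracle(s):   # matcher that exports only accept (1) / reject (0)
        return 1.0 if confidence(template, s) >= THRESHOLD else 0.0

    # Same seed for both searches, so both start from the same random sample.
    with_score = hill_climb(score_oracle, random.Random(seed + 1))
    decision_only = hill_climb(decision_oracle, random.Random(seed + 1))
    return confidence(template, with_score), confidence(template, decision_only)

if __name__ == "__main__":
    leaked, blind = run()
    print(f"raw score exposed : {leaked:.4f}")
    print(f"decision only     : {blind:.4f}")
```

In this toy model the search fed the raw score ends above the acceptance threshold, while the same search fed only accept/reject never moves from its starting sample.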


---------------------------------------------------------------------
The Cryptography Mailing List