RE: Physical Access Control
From: Jeff Kerber (jkerber@kerber-family.net)
Date: 03/29/02
From: "Jeff Kerber" <jkerber@kerber-family.net>
To: <security-basics@securityfocus.com>
Date: Fri, 29 Mar 2002 11:03:02 -0600
I spent the last couple of years working for an advanced authentication
infrastructure company that had biometrics as part of the solution...
There are multiple options in biometrics: facial, voice, fingerprint and
iris are the most cost-effective solutions AND non-intrusive. Retinal scans
are extremely accurate, but painful to the end-user.
There are really two types of fingerprint systems, optical and IR-based.
Optical is easy to fool and is basically two-dimensional when looking at
minutia points. IR-based uses the saline between the layers of the skin to
give more measurements and can include temperature, etc.
For the purposes of physical access or even information access, a system
that does not capture the actual image is far superior. The measurements are
taken and stored as an algorithm which cannot (to date) be reverse
engineered to a viable fingerprint image. The algorithm is then encrypted
(in some cases using 3-DES and Blowfish) and stored in a secure database.
As for chopping off an individual's finger (a la "Alias" on ABC), that would
work in most scenarios. Studies have shown the finger will provide a viable
image for about two hours. Don't ask me how they did these studies -- I
don't know and the thought of how kind of grosses me out!
Hope this brief explanation helps.
Jeff
-----Original Message-----
From: Kevin Brown [mailto:kevin@kbrownfox.net]
Sent: Thursday, March 28, 2002 9:18 PM
To: Daniel Ferguson; security-basics@securityfocus.com
Subject: RE: Physical Access Control
No offense, but I think you've been watching too many spy movies. ;-)
Realizing the millions invested in biometrics, someone has already
considered this. Better biometric systems actually take into consideration
things such as pulse, blood pressure, or body temperature.
The bigger concern with biometrics is not the capturing of the biological
data, but rather with how that information is stored on the computer. See,
even though a fingerprint is very unique, the uniqueness of the fingerprint
is not necessarily captured by the computer. If the biometric software only
stores a dozen key points of reference, then cracking that becomes trivial.
Also, if the database that the "digital fingerprint" is stored in is not
well secured, it may be easy to capture and replicate that information.
Of course, this is all hypothetical. I don't know of anyone actually
exploiting these types of vulnerabilities.
Think of it this way. If you don't mind a little cliché, a chain is only as
strong as its weakest link. Your fingerprint is the strongest link in the
biometric chain, so attack a different link.
I'd be curious to hear from any folks on this list who work with biometrics
to explain in better detail how these issues are addressed. These are
concerns that were brought up to me at one time by another security
professional. I'd be curious to hear someone help sort fact from fiction.
Brownfox
-----Original Message-----
From: Daniel Ferguson [mailto:daniel.ferguson@willowmead.org]
Sent: Thursday, March 28, 2002 2:32 PM
To: security-basics@securityfocus.com
Subject: RE: Physical Access Control
Fingerprint access control, I can't help you much on where to find the
products I'm afraid.... but I have to say the idea of fingerprint control
frightens me. If people break into your building and demand entry to a room,
instead of the employee handing over for instance... a swipe card, the
attackers simply have to chop off the finger. I know what I'd rather hand
over... :)