Re: REVIEW: "Biometrics for Network Security", Paul Reid

From: Richard S. Westmoreland (richardsw_at_suscom.net)
Date: 10/04/04


Date: Mon, 4 Oct 2004 17:06:32 -0400


"Bruce Barnett" <spamhater103+U041004162047@grymoire.com> wrote in message
news:cjscvg$qqm$0$208.20.133.66@netheaven.com...
> "Richard S. Westmoreland" <richardsw@suscom.net> writes:
>
> I was asking about the author's opinion, because this should be an
> indication of his bias and thoroughness to a topic. I'm not a
> biometric expert, but biometrics can't solve every problem in
> isolation. An unbiased writer would cover these issues. But the
> world is filled with people who think their technology will solve
> every problem in the world.

Sorry I was going off on a tangent - I don't care so much about the book
itself, thought I'd hop into a conversation about biometrics.

>
> > That should prevent any kind of replay attack, and streamline the process
> > without the need of an additional smart card.
>
> Well, how does one know the reader is trusted? I can walk up to a
> Trojan'ed reader, and it can capture my thumbprint and replay it at a
> later date.

I considered this. Some kind of CRC the reader goes through and the server
matches up a hash with the reader's internal circuitry, to confirm it is
untainted.

>
>
> >The data is
> >decrypted at the server along with the ID (using the server side's expected
> >ID), the ID is matched up in the database to confirm validity of the
> >biometric data.
>
>
> This also requires the reader to be connected to the server in order
> to be authenticated. If the network is down, or disconnected, the
> person cannot be authenticated. So that's two potential problems.

Server or desktop/laptop - can be connected to either. If I have an RSA
SecurID, and the server is down, I'm not getting on then either. I thought
the point was authentication to the *network*? No network, then I sit and
wait until it's fixed.

Rick