Re: REVIEW: "Biometrics for Network Security", Paul Reid

From: Richard S. Westmoreland (
Date: 10/04/04

Date: Mon, 4 Oct 2004 17:06:32 -0400

"Bruce Barnett" <> wrote in message
> "Richard S. Westmoreland" <> writes:
> I was asking about the author's opinion, because this should be an
> indication of his bias and thoroughness to a topic. I'm not a
> biometric expert, but biomterics can't solve every problemn in
> isolation. An unbiased writer would cover these issues. But the
> world is filled with people who think their technology will solve
> every problem in the world.

Sorry I was going off on a tangent - I don't care so much about the book
itself, thought I'd hop into a conversation about biometrics.

> > That should prevent any kind of replay attack, and streamline the
> > without the need of an additional smart card.
> Well, how does one know the reader is trusted? I can walk up to a
> Trojan'ed reader, and it can capture my thumbprint and replay it at a
> later date.

I considered this. Some kind of CRC the reader goes through and the server
matches up a hash with the reader's internal circuitry, to confirm it is

> >The data is
> >decrypted at the server along with the ID (using the server side's
> >ID), the ID is matched up in the database to confirm validity of the
> >biometric data.
> This also requires the reader to be connected to the server in order
> to be authenticated. If the network is down, or disconnected, the
> person cannot be authenticated. So that's two potential problems.

Server or desktop/laptop - can be connected to either. If I have an RSA
SecureID, and the server is down, I'm not getting on then either. I thought
the point was authentication to the *network*? No network, then I sit and
wait until it's fixed.