Re: Fingerprint as cryptokey



"Kim G. S. Øyhus" <kim@xxxxxxxxxxx> wrote in message
news:ebesm7$ptg$1@xxxxxxxxxxxxxxxxxxxxx
And simply using a finger to pay is very easy and convenient, thus an
advantage which can increase earnings.

Ok so that's what you're thinking. You're thinking of a shared terminal
which uses the user's fingerprint to dynamically generate the key. This has
a severe problem, in doing this you are placing enormous trust in the device
in use. This is a HUGE step backward from the security of the systems being
rolled out, in fact it places the security slightly below the debit card and
PIN system used by banks in the US, and a minuscule fraction of the security
of the smart card systems being rolled out. So basically your advantage
comes at a security price that is unacceptable for almost all purposes. The
only purposes for which I can see your system not being a security problem
is building access, but those don't need cryptographic keys.

Seemingly every laptop manufacturer disagrees with you, many have
integrated fingerprint authentication into their laptops. What is the
advantage of your method over the others?

That is a sign they agree with me, not disagree.

That is a sign that your technology needs a monetary advantage, or a major
security advantage in order to gain market penetration. When we're
discussing the lack of advantages of your system, I strongly suggest you pay
attention.

Actually they do not, the normal public key for RSA is 65537, a public key
generated from your system will be the length of the modulus.

I know my system better than you, and my RSA keys can be any length.
Your claims about key sizes are wrong.

Then you are either a fool, or do not understand RSA, or both.

One finger can have several keys.

Then you have to be storing additional data on the token, so once again,
what is your advantage?

I do not store additional data on any token because there is no token,
except for the fingerprint itself. This is the main advantage.

Then you cannot fix which of the several keys are acquired, verification
becomes weak, and the security becomes even worse. This is not forward
progress.

So what is your real benefit?

Ease of use. The finger is a token.

Everyone has this benefit, what is *your* real benefit?

Only the finger is the token. One does not have to use any other token
than the finger itself.

Then it will fail commercially, just as the iris verification piloted by
banks a few years ago failed. We as humans have had it ground into us that
we need the issued card. Your system fails this by your own admission. Your
system has additional major security flaws. Current systems have neither of
these problems. In short your system is not of substantial cryptographic
interest.
Joe

