Re: Fingerprint as cryptokey



In article <KpQCg.9866$gY6.3247@xxxxxxxxxxxxxxxxxxxxxxxxxx>,
Joseph Ashwood <ashwood@xxxxxxx> wrote:
"Kim G. S. Øyhus" <kim@xxxxxxxxxxx> wrote in message
news:ebesm7$ptg$1@xxxxxxxxxxxxxxxxxxxxx
And simply using a finger to pay is very easy and convenient, thus an
advantage which can increase earnings.

Ok so that's what you're thinking. You're thinking of a shared terminal
which uses the user's fingerprint to dynamically generate the key.

No.

Shared terminals are just one possibility.
It could also be used in private terminals, such as computers, phones,
and even smart cards with fingerprint readers.

And I am not thinking about dynamically generating the key, since that
is impossible.


This has a severe problem, in doing this you are placing enormous trust in the device
in use. This is a HUGE step backward from the security of the systems being
rolled out, in fact it places the security slightly below the debit card and
PIN system used by banks in the US, and a minuscule fraction of the security
of the smart card systems being rolled out. So basically your advantage
comes at a security price that is unacceptable for almost all purposes. The
only purposes for which I can see your system not being a security problem
is building access, but those don't need cryptographic keys.

Your conclusion does not follow.

ATMs are safer than debit cards, which is the opposite of what you claim.



Seemingly every laptop manufacturer disagrees with you, many have integrated
fingerprint authentication into their laptops. What is the advantage of your
method over the others?

That is a sign they agree with me, not disagree.

That is a sign that your technology needs a monetary advantage, or a major
security advantage in order to gain market penetration. When we're
discussing the lack of advantages of your system, I strongly suggest you pay
attention.

I pay more attention to you than you to me.

As I have said, ease of use is a very important advantage, especially
for the elderly, children, and the forgetful. Nowadays people write
down their PIN codes because they have so many of them that they cannot
remember them. So a thief has a high probability of using the cards
in a stolen wallet. And a fingerprint contains more entropy than a PIN
code, making it safer.


Actually they do not, the normal public key for RSA is 65537, a public key
generated from your system will be the length of the modulus.

I know my system better than you, and my RSA keys can be any length.
Your claims about key sizes are wrong.

Then you are either a fool, or do not understand RSA, or both.

So, I am a fool who does not understand RSA while at the same time
being the author of the fastest RSA available for the ARM processor.



One finger can have several keys.

Then you have to be storing additional data on the token, so once again,
what is your advantage?

I do not store additional data on any token because there is no token,
except for the fingerprint itself. This is the main advantage.

Then you cannot fix which of the several keys are acquired, verification
becomes weak, and the security becomes even worse. This is not forward
progress.

Keys are not acquired that way. They are just made once, and then
reused, like in most cryptographic systems, because it IS an ordinary
cryptographic system, except that it can use fingerprints.

Think RSA! The fingerprint can be the private key for several
different public keys, with different prime factors.


So what is your real benefit?

Ease of use. The finger is a token.

Everyone has this benefit, what is *your* real benefit?

Only the finger is the token. One does not have to use any other token
than the finger itself.

Then it will fail commercially, just as the iris verification piloted by
banks a few years ago failed. We as humans have had it ground into us that
we need the issued card. Your system fails this by your own admission. Your
system has additional major security flaws. Current systems have neither of
these problems. In short your system is not of substantial cryptographic
interest.

You have not made any such problems concrete, so your argument does not follow.
You have however claimed several false properties of my system.

Kim0