Re: Driver for Microsoft USB Fingerprint Reader

[Daniel Drake <dsd@gentoo.org>]

linux@horizon.com wrote:
> I utterly fail to see why multiple, generally knowledgeable people are
> claiming that encryption in a fingerprint scanner is desirable.
> 
> As far as I can tell, the only thing you want is AUTHENTICATION - you
> want proof that you are getting a "live" scan taken from a user
> who's present, and not a replay of what was sent last week.
> 
> This is called "freshness" and is usually provided by including a
> random "nonce" (known in other contexts as "magic cookie") in the
> authenticated data.

The Digital Persona readers apparently use a challenge-response 
authentication scheme for the encryption. I think I know the 
challenge-sending and response-reading command structure but have not 
yet examined their effect on the encrypted fingerprint data.

> Not that I expect "A-1 Computer Corporation" in Shenzhen to have a clue
> about these things, but you'd think that Microsoft would have one or
> two competent employees left on the payroll.

Now theres an interesting story in this area. The Microsoft fingerprint 
readers are based on Digital Persona devices, and actually they seem to 
be completely identical. But when comparing bus traffic for the DP 
devices vs the MS devices, the DP devices send encrypted fingerprint 
data and the MS devices send it as unencrypted 8-bit greyscale.

Anyway, further investigation shows a 1 bit difference in the firmware 
uploaded to each device, and I have confirmed that this bit turns 
encryption on and off.

IOW, MS's device are capable of encryption but they explicitly turned it 
off at the firmware level.

Daniel