From: Joel Jaeggli <joelja@uoregon.edu>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux@horizon.com, linux-kernel@vger.kernel.org
Subject: Re: Driver for Microsoft USB Fingerprint Reader
Date: Thu, 06 Jul 2006 10:49:24 -0700
Message-ID: <44AD4D24.80200@uoregon.edu>
In-Reply-To: <1152207519.13734.8.camel@localhost.localdomain>

Alan Cox wrote:
> Ar Iau, 2006-07-06 am 00:48 -0400, ysgrifennodd linux@horizon.com:
>> As far as I can tell, the only thing you want is AUTHENTICATION - you
>> want proof that you are getting a "live" scan taken from a user
>> who's present, and not a replay of what was sent last week.
> 
> Read the papers on the subject. If I can get copies of the unencrypted
> data I can use those to make fake fingers. 
> 
> A fingerprint is personal data, arguably sensitive personal data. That
> means there are lots of duties to store it securely. It is also very
> hard to revoke a fingerprint so theft of data is highly problematic as
> it will allow me to generate fake fingers. Theft of encrypted data might
> allow replay attacks on one PC. Big deal.

A fingerprint is a good identity token, but it's not a secret, nor is it
really feasible to protect it (i.e. you leave them everywhere).

see:

http://www.schneier.com/crypto-gram-9808.html#biometrics

The transmission channel for the data must be protected in some way to
prevent replay attacks: challenge-response, RADIUS-style shared secret,
one-time-key approach.

The data itself needs to be cryptographically secured on the
authenticating side because otherwise you can game the identity system.

A - Alice subverts the machine containing the identity management system
and uses Bob's fingerprint data to fool the identity management system
next time.

B - Substitution: Alice replaces Bob's fingerprint in the identity
management system with her own; now Alice is Bob.

Biometric data might be useful as an identity token, but if used as the
sole source of authentication data it is pretty seriously lacking.

> Alan


-- 
-------------------------------------------------
Joel Jaeggli (joelja@uoregon.edu)
GPG Key Fingerprint:
5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
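
Added example, not part of the original message or of any driver code: a Python model of the two protections the message names, a one-time challenge-response on the reader-to-host channel (replay) and an integrity tag on the stored template (substitution, case B). The class and function names, both keys and the byte-string "templates" are constructed for illustration, and the keys are assumed to be held where an attacker on the host cannot read them.

```python
import hashlib
import hmac
import secrets

# Constructed sample keys; assumed to live in the reader / a protected key store.
DEVICE_KEY = b"constructed-reader-key"
STORE_KEY = b"constructed-template-store-key"


class Verifier:
    """Authenticating side: issues one-time challenges, keeps MACed templates."""

    def __init__(self):
        self.pending = set()   # challenges issued and not yet consumed
        self.templates = {}    # user -> (template bytes, integrity tag)

    def _tag(self, user, template):
        # Binding the user name into the MAC ties a template to one account.
        msg = user.encode() + b"\0" + template
        return hmac.new(STORE_KEY, msg, hashlib.sha256).digest()

    def enroll(self, user, template):
        self.templates[user] = (template, self._tag(user, template))

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, user, nonce, scan, mac):
        if nonce not in self.pending:
            return "replay"            # unknown or already-used challenge
        self.pending.discard(nonce)    # one-time: consume before other checks
        expected = hmac.new(DEVICE_KEY, nonce + scan, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "bad-mac"
        template, tag = self.templates[user]
        if not hmac.compare_digest(tag, self._tag(user, template)):
            return "tampered-template"  # stored record was swapped or edited
        # Exact comparison stands in for a real fuzzy fingerprint matcher.
        return "ok" if hmac.compare_digest(scan, template) else "no-match"


def reader_respond(nonce, scan):
    """Reader side: authenticate the live scan under the verifier's nonce."""
    return hmac.new(DEVICE_KEY, nonce + scan, hashlib.sha256).digest()
```

The tag only detects modification of the stored template; it does not keep the template confidential, which is the separate storage concern raised in the quoted text.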
