Bugtraq: RE: Hacking USB Thumbdrives, Thumprint authentication

[Charles Clancy <clancy () www missl cs umd edu>]

> > Law enforcement agencies use some kind of algorithm to convert
> > fingerprints to a numeric value, so that they can be easily compared.
> My understanding is that this is only an approximate representation --
> it's not intended to be unique, it's only a method for quickly locating
> prints similar to the suspect print.  The final comparison between a
> print that's on file and a suspect print is done by eye, and is actually
> somewhat subjective.
Most fingerprint systems convert the fingerprint image into what's called
a template.  This is a numeric representation, but comparision between
two templates is not as simple as "==".  Different portions of the
template represent different minutae on the fingerprint, and an actual
feature matching algorithm still needs to be used.  Thus, we cannot hash
these templates because there is no way to perform matching on the
template hashes.

So far nobody has produced an algorithm to reliably extract a symmetric
key from a fingerprint without any side information.  However, with some
extra information it is possible to obscure a private key on a smartcard
such that the key is only recoverable given a fingerprint that matches the
original.  This allows all the biometric processing to happen on a
smartcard (and not on an untrusted terminal) without storing the
fingerprint itself on the smartcard.  An attacker needs both the card and
your fingerprint to recover your key.

[ t. charles clancy ]--[ tcc () umd edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]------[ university of maryland, college park ]