
I'm looking for technical material that describes the quality of the iPhone 7 fingerprint reader, and ideally previous models as well.

My hope is that the specification is more in alignment with NIST/FBI requirements.

makerofthings7

2 Answers

I think that you are being unrealistic in your expectations, I'm afraid.

Firstly, I don't think Apple release any detailed technical/security specifications for any of their Touch ID releases.

Secondly, there are no mobiles at all in the FIPS database and it is unlikely that any could be realistically manufactured to FIPS 201 and remain competitively priced.

Thirdly, Apple themselves don't really pass off Touch ID as a high-security feature. From their latest iOS Security spec: "Other features, such as Touch ID, enhance the user experience by making it simpler and more intuitive to secure the device". In other words, Touch ID is a convenience to the user which may make it more likely that users will use some security.

If you need FIPS 201, use a properly secured external device.

The ease of capture of a person's fingerprints and the inability to change them if compromised (!) should tell you everything you need to understand about using fingerprints in high-security situations. Don't. Use them to make life easier for users as one factor where appropriate.

Julian Knight
  • Not sure who voted this down but it would be polite as well as helpful to explain why so that I can improve the answer. – Julian Knight Sep 13 '16 at 11:32
  • I downvoted because the question focused on technical specifications. Second, I found some material on it and posted it as an answer. Finally, the entire answer is focused on my side desire for high-quality readings. That was not my core question. – makerofthings7 Sep 25 '16 at 20:14

Source: http://www.apple.com/business/docs/iOS_Security_Guide.pdf

Touch ID can be trained to recognize up to five different fingers. With one finger enrolled, the chance of a random match with someone else is 1 in 50,000. However, Touch ID allows only five unsuccessful fingerprint match attempts before the user is required to enter a passcode to obtain access.


The Secure Enclave is responsible for processing fingerprint data from the Touch ID sensor, determining if there is a match against registered fingerprints, and then enabling access or purchase on behalf of the user. Communication between the A7 and the Touch ID sensor takes place over a serial peripheral interface bus. The A7 forwards the data to the Secure Enclave but cannot read it. It's encrypted and authenticated with a session key that is negotiated using the device's shared key that is built into the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.

The 88-by-88-pixel, 500-ppi raster scan is temporarily stored in encrypted memory within the Secure Enclave while being vectorized for analysis, and then it's discarded after. The analysis utilizes subdermal ridge flow angle mapping, which is a lossy process that discards minutia data that would be required to reconstruct the user's actual fingerprint. The resulting map of nodes never leaves iPhone 5s, is stored without any identity information in an encrypted format that can only be read by the Secure Enclave, and is never sent to Apple or backed up to iCloud or iTunes.

On devices with an A7 processor, the Secure Enclave holds the cryptographic class keys for Data Protection. When a device locks, the keys for Data Protection class Complete are discarded, and files and keychain items in that class are inaccessible until the user unlocks the device by entering their passcode. On iPhone 5s with Touch ID turned on, the keys are not discarded when the device locks; instead, they're wrapped with a key that is given to the Touch ID subsystem. When a user attempts to unlock the device, if Touch ID recognizes the user's fingerprint, it provides the key for unwrapping the Data Protection keys and the device is unlocked. This process provides additional protection by requiring the Data Protection and Touch ID subsystems to cooperate in order to unlock the device. The decrypted class keys are only held in memory, so they're lost if the device is rebooted. Additionally, as previously described, the Secure Enclave will discard the keys after 48 hours or 5 failed Touch ID recognition attempts.

Ridge flow angle mapping: A mathematical representation of the direction and width of the ridges extracted from a portion of a fingerprint.


makerofthings7
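An added example (my own, not code from the question, the answers, or Apple's guide) that turns the quoted figures into a small model: the random-match probability a stranger gets under the five-attempt cap, generalised to several enrolled fingers, and the two key-discard rules (five failed matches, 48 hours). Treating each attempt against each enrolled finger as an independent 1-in-50,000 trial, and measuring the 48 hours from the last unlock, are assumptions of this model.

```python
from dataclasses import dataclass

PER_FINGER_FAR = 1 / 50_000          # quoted: random-match chance with one finger enrolled
MAX_FAILED_ATTEMPTS = 5              # quoted: passcode required after five failed matches
KEY_LIFETIME_SECONDS = 48 * 60 * 60  # quoted: Secure Enclave discards the keys after 48 hours


def random_match_probability(enrolled_fingers: int,
                             attempts: int = MAX_FAILED_ATTEMPTS) -> float:
    """Chance that a stranger's finger matches before the attempt budget runs out.

    Assumption of this model: every (attempt, enrolled finger) pair is an
    independent trial with probability PER_FINGER_FAR, so enrolling more
    fingers widens the target and each extra attempt is another draw.
    """
    per_attempt = 1.0 - (1.0 - PER_FINGER_FAR) ** enrolled_fingers
    return 1.0 - (1.0 - per_attempt) ** attempts


@dataclass
class TouchIdGate:
    """Whether the wrapped Data Protection class keys may still be released by a
    fingerprint match.  Mirrors the two discard rules in the quoted text; the
    48-hour clock is measured from the last unlock (a modelling assumption)."""
    last_unlock: float          # constructed clock value, in seconds
    failed_attempts: int = 0
    keys_available: bool = True

    def attempt(self, matched: bool, now: float) -> str:
        # Rule 1: 48 hours without an unlock and the keys are gone.
        if now - self.last_unlock >= KEY_LIFETIME_SECONDS:
            self.keys_available = False
        if not self.keys_available:
            return "passcode_required"   # only the passcode can re-derive the keys
        if matched:
            self.failed_attempts = 0
            self.last_unlock = now
            return "unlocked"
        self.failed_attempts += 1
        # Rule 2: five failed matches discard the keys until the passcode is entered.
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.keys_available = False
            return "passcode_required"
        return "retry"


if __name__ == "__main__":
    for fingers in (1, 5):
        odds = 1 / random_match_probability(fingers)
        print(f"{fingers} finger(s), 5 attempts: about 1 in {odds:,.0f}")
```

With one finger enrolled the five-attempt budget brings the quoted 1 in 50,000 to roughly 1 in 10,000; with five fingers enrolled it is roughly 1 in 2,000.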