1

I am wondering if a biometric device can be used to generate some entropy or key material that would be stable across each authentication.

The contrary would be for biometric devices to act like an oracle, with a simple YES/NO answer to any authentication request.

What I am thinking about would be to gather the results of a biometric authentication and always come up with the same "number", which would be unique for any given biometric input.

For example, Alice's biometric output would always be 64489c85dc2fe0787b85cd87214b3810, without having that number stored in advance somewhere, like I would generate a key from a password to decrypt something, without having to store the password or key anywhere in advance.

I'm not interested (yet) in any standards or API for this, or in implementation details like the fact that all fingers from the same person would have a different (but stable) output. My question relates to the biometric authentication process inside the device.

ixe013
  • 2
    I wouldn't rely on the biometrics to be "stable across each authentication" as you describe - at least, not without storing some sort of data (which goes directly against your proposal) they can be validated against. Biometric inputs are not always uniform, even from the same person using the same finger/eye/whatever. Heads might be tilted, eyes might be dilated/constricted, finger swipes might be harder/softer/longer/shorter/angled, etc. This is why, for authenticator registration, you are usually required to take multiple samples. – Iszi Jun 21 '12 at 19:48
  • I like your comment, make it an answer! – ixe013 Jun 22 '12 at 14:42
  • Take a look at the use of quantum fluctuations to create a key that is different each time but also near impossible to copy. http://www.pcmag.com/article2/0,2817,2473769,00.asp – Gabriel Fair Dec 29 '14 at 13:17

2 Answers

2

No,

If a device sequenced the user's genome from a skin cell, the results would be the same each time. Assuming the skin cells have replicated without errors. But it seems what you are asking is impossible, since you have to have a database somewhere that stores the answer to your key.

Gabriel Fair
  • I guess there would be small changes near the telomeres or if new virus loads have been introduced to the DNA. But the way DNA is read by a machine involves propagation of many copies and then sequencing. – Gabriel Fair Feb 05 '15 at 21:39
  • Thus any "noise" caused by any latent viral loads, mutation, aging, or epigenome processes will be muted during the DNA amplification stage. For humans, there are estimations that something between 5 and 8% of the human genome is made of endogenous retroviruses. – Gabriel Fair Feb 10 '15 at 19:25
1

Entropy means that you get a different and unpredictable result each time through. So using a source that is even a little bit stable somewhat defeats the purpose.

If instead you mean using biometrics as a means for verifying identity, then now we're talking about old news -- that's exactly what biometrics are for. As for how to make it work the way you say, that's just an implementation detail, though I suspect the problem would be getting a number that's stable enough to be repeatable but at the same time unique to a given user.

tylerl
  • Right, entropy might not be the best word to describe this. What I meant is that if I were to compare all keys for all users, I would see that they are totally random, i.e. there is no way to predict one even if you know all the others. – ixe013 Jun 22 '12 at 14:41
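
The comments and answers above turn on two points: readings of the same trait differ slightly each time, and some data has to be stored for a key to be repeatable. As an added example (not code from any poster on this page), the sketch below shows both with a toy code-offset construction: hashing a reading directly breaks on a single flipped bit, while stored helper data plus a repetition code reproduces the same key from a noisy reading. It assumes the sensor output is already a fixed-length list of bits; all function names and the sample reading are constructed for illustration.

```python
import hashlib
import secrets

REP = 5  # each key bit is repeated REP times, so up to 2 flips per group are corrected

def _encode(bits):
    return [b for b in bits for _ in range(REP)]

def _decode(code):
    # Majority vote over each group of REP bits.
    return [int(sum(code[i:i + REP]) > REP // 2) for i in range(0, len(code), REP)]

def _key(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def naive_key(reading):
    """Hash the raw reading directly: any single flipped bit changes the key."""
    return _key(reading)

def enroll(reading):
    """Return (helper, key). Only helper is stored; the key and reading are not."""
    secret = [secrets.randbits(1) for _ in range(len(reading) // REP)]
    helper = [r ^ c for r, c in zip(reading, _encode(secret))]
    return helper, _key(secret)

def reproduce(reading, helper):
    """Re-derive the key from a fresh, noisy reading plus the stored helper."""
    noisy_code = [r ^ h for r, h in zip(reading, helper)]
    return _key(_decode(noisy_code))

def flip(reading, positions):
    """Simulate sensor noise by flipping the bits at the given positions."""
    return [b ^ (i in positions) for i, b in enumerate(reading)]

if __name__ == "__main__":
    enrolled = [secrets.randbits(1) for _ in range(40)]  # constructed sample reading
    helper, key = enroll(enrolled)
    later = flip(enrolled, {3, 17, 31})  # same trait, three noisy bits
    print("naive hash stable:     ", naive_key(later) == naive_key(enrolled))
    print("helper-based key stable:", reproduce(later, helper) == key)
    print("too much noise matches: ", reproduce(flip(enrolled, {0, 1, 2}), helper) == key)
```

The helper data must be kept from enrolment onward, and in this toy form it leaks information about the reading; a real design needs a stronger error-correcting code and a reading with enough entropy to absorb that leak.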