7

Is there any way to cryptographically hash a human thumbprint into a form that can be consistently reproduced by thumbprint readers?

Assuming that it would be possible to create a database of thumbprint-hashes, my intent is to salt that hash with a "something you know", preventing the thumbprint database from being used for anything other than authentication.

Question

  • Is it reasonable to "salt" a hash(human thumbprint) and use that for authentication?

  • Are there any technical requirements (resolution, datapoints per finger, etc) that would ensure accuracy across devices?

makerofthings7
  • Related, from yesterday. [Is it possible to reliably derive a key from a biometric fingerprint?](http://security.stackexchange.com/q/42185/12) – Xander Sep 13 '13 at 18:07
  • You assume the finger is still attached to the original owner. For many counterexamples see popular TV, including Fringe, Red Dwarf, and I'm sure many others. – Jim Garrison Sep 13 '13 at 21:22

4 Answers

12

As @Xander points out, a very similar question was asked yesterday. Indeed:

  • If you can derive a key from a fingerprint, then you can hash that key and get a hash value.
  • If you can hash a fingerprint, you can use the hash value as a key.

So they really are the same question. And the answer is: people are working on it, it does not work well yet, but might improve over years.


I would like, though, to point out something important: a "something you know" has any value for authentication only because it is also "something that the attacker does not know". It is the secrecy which confers the power.

A fingerprint, like other biometric measures, does not really work on secrecy (although many systems try to use it that way). The important characteristic of a fingerprint is that it is attached to a human: when a human being uses his own finger on a reader, he cannot help but use his own fingerprint. Indeed, that's where the innovation is in modern fingerprint readers: in the systems which try to ensure that what they are detecting is really a human finger still attached to its nominal owner's body.

Secrecy is not a big part of fingerprints for security. Your fingerprints are not secret: you leave them everywhere, on your car, on every door handle that you go through, on the elevator buttons, on every glass that you use in a bar... If a fingerprint can be turned into a key (or hash value, regardless of how you want to see it), then that key can be rebuilt offline, from any copy of one of these prints. There is very little secret here.

To sum up: even if you could reliably turn a fingerprint into a key, it would not be a good idea to use it as a secret key. It would be useful as an indexing key, though: not for security, but for performance.

Thomas Pornin
2

Consider that a cryptographic hash algorithm excels at producing different digest values for even the slightest differences in inputs. Even a 1 bit change in the input causes a cascade of changes yielding a completely different hash value. Pre-image resistance is a necessary characteristic for a cryptographic hash algorithm.

Now look at fingerprints. One problem with fingerprints is that the relationships between identifying marks are not guaranteed to be constant between readings. Your finger might be slightly swollen due to varying levels of fluids in your body, or aligned ever so slightly differently between sensor elements, or even have a piece of dirt on it, and that could be just enough difference to cause an element's worth of difference between readings. Remember, even one bit of change will mean a completely different hash is output. So a precise image reading or snapshot of a print can't be directly hashed.

However, the image can be processed. Every print has a set of "landmarks", which are specifically identifiable points. Bifurcations are where two ridges join together, a rod is where a ridge terminates, an island is a short little ridge, and so on. These landmarks can be identified, and can be measured in relationship to each other. If you were to lay a thumbprint out on a grid, for example, you could identify each cell with the landmarks it contains.

The problem then becomes aligning the grid. If the grid isn't identically laid out each time a print is read, you would not generate the same hash.

Prints come in only three basic shapes: arches, loops, and whorls. It seems like it could be possible to use the defining characteristics of all arch-type prints (for example) to produce three needed reference points, and thus align the grid. You then process it and identify all possible landmarks. But then what? What assurance do you have that every landmark has landed in the same cell every time? If you try to establish a fuzzy zone around the gridlines, how do you know which landmarks are just barely falling into (or out of) the fuzzy zone?

(The same concern holds true if you try to use radials from the center of the reference points - how much tolerance do you build into the vectors?)

The bottom line is you will likely find it hard to get the exact same value out of the hash every single time, because the prints are never precisely lined up in a repeatable fashion.

So how could you possibly use hashes to keep the prints secure? When the user initially registers their print, you use the same grid-based scheme to analyze it, and produce a hash. You then analyze the landmarks falling in the potentially fuzzy zones, and compute a distinct hash for each possible permutation. You'll quickly build a large set of hashes that all represent the potential values of one user's print. Later, when a user's print is read and hashed, you look it up in the full set of hashes on file, and identify the user.

John Deters
  • That is the same answer that I came up with immediately before reading yours. If 1000 samples would be enough then this answer would work. – polcott May 19 '21 at 15:54
  • I am looking for a way to make elections totally secure and wide open. If the above answer would work then: People could vote from their smart phones and the system could be sure of the identity of the voter. – polcott May 19 '21 at 15:54
  • @polcott, unfortunately positive user identification is only one trivial part of the problem of electronic voting. How do you guarantee the phone isn’t infested with malware that might change the vote before sending it? How does a phone enforce voter secrecy, ensuring that the voter isn’t being pressured by an unseen person to vote a certain way? How are audits conducted when the systems used aren’t even visible to the auditors? – John Deters May 19 '21 at 16:05
  • All but one of those issues seem to be handled by the same HTTPS infrastructure used for buying things online using a credit card. – polcott May 21 '21 at 21:15
  • Not even close to the same thing. There has been a tremendous amount of work put into studying election security; and most of the big problems aren’t even technical, they’re human and political. Please read this study titled “Securing the Vote” from the National Academies of Science, Engineering, and Medicine, available for free download at https://doi.org/10.17226/25120 before you spend too much more time on a problem that can’t use this solution. – John Deters May 21 '21 at 23:39
  • Wow, looks great and I got the free copy. – polcott May 22 '21 at 00:08
0

John Deters' answer largely coincides with my understanding of the issues.

The only difference may be that the final observation (a clever brute force scheme to create a whole array at enrolment of 'fuzzy zones' in the derived template for 'each possible permutation') does not seem consistent with the difficulties identified in the rest of the post: the tiniest variation in a single bit of the original raw image creates an unrelated hash, and while encoding into a template from pattern analysis will reduce the impact of this (since the biometric shape grid information will have many fewer bits of data than the underlying higher resolution bit-mapped image), you are still looking for a precise bit-for-bit identical second reading to generate the matchable hash. Even where you have many rather than just one, this may not avoid the difficulty.

As the number of 'all possible permutations' in your starting image, and of the family of potential future images, rises, and even though this is way smaller than the full set of all values in a given resolution's answer space, there seem to be at least two problems:

1) the potential for false positives increases as the full set of possible matches for another person overlaps our own very large set, and thus

2) the value of treating this as a 'hashing' problem recedes - it is probably less completely intractable than hashing pictures of the same person, but it appears to be not in the class of problems where hashed versions of identifiers are practically useful and reliable.
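The grid-quantisation and "one hash per permutation" enrolment scheme from John Deters' answer, and the growth of the stored hash set that the answer above worries about, can be made concrete with a small script. This is an added example, not code from any of the posters: the landmark coordinates are constructed, the grid cell size and fuzzy-zone width are arbitrary assumptions, and the question's "something you know" salt is modelled as an HMAC key, so a stolen hash table is useless without that secret (though, as Thomas Pornin notes, the print itself is not secret).

```python
import hashlib
import hmac
import itertools

# Assumed sensor geometry: coordinates quantised into CELL-wide grid cells,
# and a landmark within FUZZ units of a grid line is treated as ambiguous
# (it may land in the neighbouring cell on the next reading).
CELL = 10
FUZZ = 2

# Constructed sample: landmarks after alignment as (x, y, kind).
ENROLLED_PRINT = [
    (23, 41, "bifurcation"),
    (58, 19, "ending"),
    (74, 63, "island"),
    (39, 88, "bifurcation"),
]


def to_cell(coord):
    """Grid cell index for one coordinate."""
    return coord // CELL


def candidate_cells(coord):
    """Cells this coordinate could fall into on a slightly shifted reading:
    its own cell, plus a neighbour if it sits inside the fuzzy zone."""
    cells = {coord // CELL}
    rem = coord % CELL
    if rem < FUZZ:                 # just past a grid line: could drop back one cell
        cells.add(coord // CELL - 1)
    if CELL - rem <= FUZZ:         # just short of a grid line: could move up one cell
        cells.add(coord // CELL + 1)
    return sorted(cells)


def template(landmarks):
    """Canonical template: sorted tuple of (cell_x, cell_y, kind).
    Sorting makes the encoding independent of the order the sensor reports landmarks."""
    return tuple(sorted((to_cell(x), to_cell(y), kind) for x, y, kind in landmarks))


def template_hash(tmpl, secret):
    """Keyed hash of a template; `secret` stands in for the question's 'something you know'."""
    data = ";".join(f"{cx},{cy},{kind}" for cx, cy, kind in tmpl).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def enroll(landmarks, secret):
    """Enrolment as described in the answer: one hash for every way the ambiguous
    landmarks could be assigned to neighbouring cells. The set size is the product
    of each landmark's candidate-cell count, so it grows multiplicatively."""
    per_landmark = [
        [(cx, cy, kind) for cx in candidate_cells(x) for cy in candidate_cells(y)]
        for x, y, kind in landmarks
    ]
    return {template_hash(tuple(sorted(combo)), secret)
            for combo in itertools.product(*per_landmark)}


def verify(landmarks, secret, enrolled_hashes):
    """A later reading matches only if its exact template hash is in the enrolled set."""
    return template_hash(template(landmarks), secret) in enrolled_hashes


def shifted(landmarks, dx, dy):
    """Simulate the finger landing slightly offset on the sensor (constructed jitter)."""
    return [(x + dx, y + dy, kind) for x, y, kind in landmarks]


if __name__ == "__main__":
    secret = b"user-pin-1234"  # placeholder 'something you know'
    stored = enroll(ENROLLED_PRINT, secret)
    print("hashes stored for one print:", len(stored))
    # A one-unit shift changes a plain template hash but still matches the enrolled set.
    print("plain hash equal after +1 shift:",
          template_hash(template(ENROLLED_PRINT), secret)
          == template_hash(template(shifted(ENROLLED_PRINT, 1, 1)), secret))
    print("fuzzy match after +1 shift:", verify(shifted(ENROLLED_PRINT, 1, 1), secret, stored))
    # A larger shift pushes a landmark outside every fuzzy zone: no match at all.
    print("fuzzy match after +6 shift:", verify(shifted(ENROLLED_PRINT, 6, 6), secret, stored))
    # Without the secret the stored hashes are useless, even with the right print.
    print("match with wrong secret:", verify(ENROLLED_PRINT, b"other-pin", stored))
```

With the constructed landmarks, two of the four are ambiguous in one axis and one in both, so enrolment stores 32 hashes for a single print; every additional ambiguous landmark multiplies that count, which is the false-positive and table-size concern raised above. Also note that a reading that misses or adds a single landmark produces no match at all, because the scheme still needs a bit-for-bit identical template.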

0

Hashing a mathematical model of a thumbprint pattern may provide a sufficient solution. A mathematical model of a thumbprint would focus only on the key distinguishing features of the fingerprint pattern and thus ignore other differences between a pair of images.

As John Deters' answer indicates, we may need a set of hash values to at least account for slightly varying positioning of the thumb on the scanner.

Mathematical Models of Fingerprints

schroeder
polcott