3

The major problem with biometric methods of identification is that they are impossible to revoke. Once my fingerprint, under whichever form, is stolen, I can't put it on a worldwide revocation list, as doing so would block both malicious use and my own legitimate use.

Looking at how easy it is to make a false fingerprint or iris image using a standard printer, I have an idea on how to avoid exposing my personal attributes to the risk of being stolen.

How technically feasible would it be for anyone to make oneself a proxy identificator built on the following basic procedure:

  1. A good quality random generator builds a unique fingerprint mathematical number, in exchange for presentation of multiple proofs of identity and registration of personal secret information. A unique random fingerprint will be generated as the fingerprint image of a private part of a traditional private-public key.

  2. This unique mathematical design is printed on a solid plastic false finger: a proxy finger with a solid ring to fix it on my key ring. This will be used as a fingerprint image of my private key and used in a traditional private-public key pair matching authentication.

  3. I use this proxy finger to identify myself in place of my real finger.

  4. In case my proxy-finger gets stolen (physically or through any of its stored verification mechanisms), I declare it as revoked through its unique number on a worldwide revocation list.

  5. GOTO step 1.

dan
  • 3
    So you are concerned 'Something you are' can actually be 'Something you have' for the attacker and want to convert it into 'Something you have' that resembles 'Something you are' but with math and PKI added. Suggest focusing on ensuring 'Something you are' can not be 'Something you have'. – zedman9991 Sep 20 '13 at 16:26
  • 3
    I'm concerned: I don't want my real finger stolen. – dan Sep 20 '13 at 16:39
  • 3
    A well done biometric authentication will also verify capacitance and pulse in the presented finger. Your "proxy finger" will need to include a pulse and sweat and oil. That's a mighty expensive finger. – MCW Sep 20 '13 at 16:53
  • @MarkC.Wallace That seems like a No True Scotsman defense, and a mighty expensive authentication infrastructure. – brianary May 06 '17 at 19:59

4 Answers

16

The whole point of resorting to biometrics, i.e. taking physical measures out of a body part of the human user, is that the said body part is attached to the user, and cannot be switched at will (it can, unfortunately, be removed, but not really glued back).

It is true that the impossibility to revoke biometrics is an inherent problem, for which no good solution is known (yet). However, if you side-step the issue by using an external device, such as your fake finger, then why do something as crude as imitating a human finger? It would be much simpler, and much safer, to admit that you are now using device-based security ("something you own" as opposed to "something you have") and make the device a smart card or something similar. This is not even a new idea; for instance, in Japan, they use seals for signatures. Your proxy-finger is just a Japanese seal in the form factor of a Halloween prop.

Thomas Pornin
  • Yes, some body parts *can* be glued back... [hands](http://www.emoryhealthcare.org/transplant-hand/), [face](http://en.wikipedia.org/wiki/Isabelle_Dinoire) and even... hum... [Bobbit](http://en.wikipedia.org/wiki/John_and_Lorena_Bobbitt) – woliveirajr Sep 20 '13 at 18:07
  • → Thomas, my /fake finger/ is a way to make a joke out of a more than serious problem. To be rude, biometrics Ayatollah make me a total recall of my first Halloween films ;). I deeply appreciate you saw the image behind the text. – dan Sep 21 '13 at 15:04
2

Saying that printed fingerprint will grant you access is like saying that ' OR '1'='1 will do the same with plain old passwords.

Actually, there is a way to protect (and revoke) biometric characteristic. Short and simple, before storing user's bio-data, system can distort it using some kind of non-reversible function. If you want to find out more about it, search for "Cancelable biometrics".

StupidOne
  • I thought a long time ago of such a protection technique to protect biometric data `bio`. The `bio` value isn't anymore stored but rather it is `f(bio)`. Function `f` being hard to reverse. With a large enough set of `f(bio)`, it is simpler to recover the hidden `bio` value. Hence an attack technique will be to slowly force revocation of `f(bio)` to get a large enough set. With this technique, the `bio` value will be, with perseverance, or mathematical progress, compromised. GOTO original question ;). – dan Sep 21 '13 at 14:53
2

A biometric factor is supposed to be irrevocable; so you need to combine it with a separate revocable authentication factor. For example, Smartcard key + the biometric factor.

As StupidOne mentioned (upvote their answer), you can combine (salt) the factors together before sending to the authentication server, so the server never stores the unchangeable biometric factor. If an attacker steals the aggregate "bio-credential" from a server or network, you can revoke the overall credential (through some side-channel) and introduce a new credential by changing the Smartcard or USB stick ("something you have"). You can keep your existing finger/eyeball.

The important catch with Cancelable Biometrics is that original biometric and salt values must never be stored on their own. Hence all devices in a network supporting revocation must create the salted hash within the on-site hardware. E.g. A fingerprint scanner with a NFC smart card reader.

LateralFractal
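An added sketch of the revocable "bio-credential" described in the two answers above (not code from either answerer): the reader mixes a token secret with the biometric features and the server stores only the result. The transform is a random projection in the style of BioHashing, chosen here for illustration since the answers name no specific one; the feature vectors, token values, `BITS` and `THRESHOLD` are all constructed assumptions.

```python
import hashlib
import random

BITS = 128       # template length in bits (assumed value)
THRESHOLD = 20   # max Hamming distance still accepted as a match (assumed value)

def template(features, token_secret):
    """Project features onto token-seeded random directions; keep only the signs."""
    seed = int.from_bytes(hashlib.sha256(token_secret).digest(), "big")
    rng = random.Random(seed)
    bits = []
    for _ in range(BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        bits.append(int(sum(d * f for d, f in zip(direction, features)) >= 0))
    return bits

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

class Verifier:
    """Server side: holds transformed templates only, never raw biometric data."""
    def __init__(self):
        self.enrolled, self.revoked = {}, []
    def enroll(self, user, tmpl):
        self.enrolled[user] = tmpl
    def revoke(self, user):
        self.revoked.append(self.enrolled.pop(user))
    def verify(self, user, tmpl):
        ref = self.enrolled.get(user)
        if ref is None or any(hamming(tmpl, r) <= THRESHOLD for r in self.revoked):
            return False
        return hamming(ref, tmpl) <= THRESHOLD

def demo():
    rng = random.Random(2013)  # constructed sample data, not real biometric features
    finger = [rng.uniform(-1, 1) for _ in range(32)]
    other = [rng.uniform(-1, 1) for _ in range(32)]
    reading = lambda: [f + rng.gauss(0.0, 0.05) for f in finger]  # sensor noise
    v, out = Verifier(), {}
    v.enroll("user1", template(finger, b"token-A"))
    out["genuine"] = v.verify("user1", template(reading(), b"token-A"))
    out["impostor"] = v.verify("user1", template(other, b"token-A"))
    stolen = v.enrolled["user1"]          # copy of the server-side template leaks
    v.revoke("user1")                     # old credential goes on the revocation list
    v.enroll("user1", template(finger, b"token-B"))   # same finger, new token
    out["stolen_replay"] = v.verify("user1", stolen)
    out["new_token"] = v.verify("user1", template(reading(), b"token-B"))
    return out
```

Calling `demo()` returns the four verification outcomes. Anyone holding both the token secret and a template learns the sign of every projection of the features, which is why the transform has to run inside the reader hardware as the answer says.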
0

As has been shown many many times, all fingerprint sensors in the market can rather easily be fooled using cheap ingredients that you can buy in any supermarket. So the posts above about using the combination of biometrics with a regular authentication token (such as smart card or very long random passwords), is of course the right one. You can fool the local biometric authentication, but you can revoke the credentials used for remote communication.

http://grahamcluley.com/2013/09/hackers-bypass-iphones-touch-id-fingerprint-scanner/

http://www.puttyworld.com/thinputdeffi.html

http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/

primetomas