1

I have a multi-factor web authentication server that, in addition to regular passwords, uses fingerprints for user authentication.

Can anyone think of a security flaw in the following scenario:

I have a Resource Server that hosts valuable resources; the resource owner must provide his fingerprint to an authentication server to be granted access to his/her resources.

Securing the fingerprint data is critical. Before the user can use the system, he must install a web browser plugin. During the plugin installation, the plugin connects to the authentication server and obtains a digital certificate from the server (a server public key).

Now, when the user goes to the resource server web page, he types his username/password and the web page asks him to scan his fingerprint. Then the web browser plugin connects to the fingerprint scanner and triggers it to scan the user's fingerprint.

The plugin gets the fingerprint from the scanner and encrypts it using a randomly generated 256-bit AES key, and then encrypts this AES key using the authentication server's public key.

Then the plugin returns a JSON object containing the encrypted fingerprint and the encrypted AES key. Next, a JavaScript function on the resource server login page sends the JSON object to the resource server using AJAX. The resource server forwards the JSON object to the authentication server.

The authentication server decrypts the AES key using its private key and then uses the recovered AES key to decrypt the fingerprint data. Finally, it compares the received fingerprint data with the stored fingerprint template and returns the result to the resource server. Based on the result, the resource server denies or grants access to the user.

The fingerprint templates on the authentication server are stored in an encrypted database using a 256-bit AES key.

Ubaidah

2 Answers

1

The plugin gets the fingerprint from the scanner and encrypts it using a randomly generated 256-bit AES key, and then encrypts this AES key using the authentication server's public key.

Yeah... the big question is....

Where are you storing the server private key?

If it's on an HSM then great. If not, then there's a nice weak link....

user3083
  • No, I do not use an HSM, and in fact each installed version of the plugin uses a different public key. So if there are n plugins installed, then I have n asymmetric key pairs, the public key at the plugin side and the private key at the server side stored in a DB. But what do you mean by a weak link? I am not trying to prevent insider attacks. I assume that if an intruder has physical access to the server then he can compromise the stored fingerprint data. – Ubaidah Aug 04 '14 at 19:01
  • 1
    What do I mean by a weak link? Well, you asked "Can anyone think of a security flaw in the following scenario". If you are not taking proper care of your private key (by storing it in an HSM) then it is open to attack... creating random keys, encrypting data in AES, encrypting those random keys with AES is all well and good... but if you don't take care of your private key, then your security is open to exploit. _"Encryption is easy, key management is very hard"_ as the saying goes! – user3083 Aug 05 '14 at 06:52
0
  1. "The biometric identification system at the gates of the CIA headquarters works because there's a guard with a large gun making sure no one is trying to fool the system." Bruce Schneier, 2009. A fingerprint reader without the guard watching it is nothing like as secure.

  2. Second, your browser plugin is unproven proprietary software of which the most you can say is that the vendor claims it is secure, & you haven't heard of it being reverse engineered & spoofed ... yet. Is it not?

In a commercial context, I'd look at who carries the risk if the system is hacked. Does the vendor contract offer compensation or insurance? Especially when partial blame attaches to you, e.g. an employee left a laptop on the train, or a server under your management is hacked.

Aren't physical tokens simpler and much more road-tested for your second factor in preference to biometrics?