6

Imagine I have an application which uses a biometric based authentication (such as a fingerprint). It takes its hash and sends it to the server. The server has a copy of the hash and compares the two.

Now I hack the server and steal the hash. Now I can bypass the fingerprint test. Moreover, let's say the hash wasn't that great (or it was and now computers are faster so I can do a brute force attack). Now I know the fingerprint so I can log into any system which requires it.

Had this been a password we would have been advised to change the password; but in this case what's the victim supposed to do as he can't change his finger?

John
  • You could change the salt used in the hashing algorithm and re-hash when you re-register the user? – schroeder Oct 08 '14 at 21:01
  • If fingerprint is hashed as it's done with passwords, then you would never get the same hash at each scan, bear in mind that "One problem with fingerprints is that the relationships between identifying marks is not guaranteed to be constant between readings" http://security.stackexchange.com/a/42403/21144 – elsadek Oct 08 '14 at 21:41

6 Answers

4

Your question doesn't actually list the main security problems with biometrics, and the reason that they aren't actually used to secure anything valuable except as an additional mechanism after your normal 2 factors.

1) Biometric signatures are not unique

You can comfortably assume there are many people out there with fingerprints that will match yours to any degree measured by biometric fingerprint systems. This is why police cannot rely on fingerprints as evidence. Same goes for retina scans etc. so all biometric systems are tailored to assume false positives and negatives.

2) You cannot change them easily

Imagine an attacker finds someone with the same fingerprint as you, and you discover this. How do you change your fingerprint so they cannot gain access but you can? Aside from surgery etc. it really is not possible.

3) As John points out in the comment below, biometrics are not secret

So the first line of your question is actually incorrect. Biometric authentication systems are not secure. Instead, when used with a username and password, for example, they can increase the confidence the system has that you are the person you say you are.

Rory Alsop
  • I would add that biometrics are not secret. You leave fingerprints everywhere you go. If you can convince someone to use a compromised reader, you can learn them regardless of what they are. – John Deters Oct 09 '14 at 02:08
3

It really depends on the level of precision used by the biometric authentication system. Too precise, and it will trigger false rejections; too lax, and it allows other people to log in as you.

The basic method to authenticate a fingerprint uses pattern recognition, example:

fingerprint pattern

followed by defining the centre of the main pattern, and tracking the relative positions of major minutia features such as bifurcations, ridge endings and ridge islands:

minutiae

A simple example using a low precision 10x10 grid with centre as 5,5 would generate a password-like encoding such as:

LB23E75 (loop pattern; bifurcation at 2,3; ridge ending at 7,5)

A complex system would use a high precision grid and extract minor minutia features as well as the major ones, resulting in a longer password-like encoding such as:

LD2988B2336E7251X3011 (loop pattern; delta at 29,88; ridge bifurcation at 23,36; ridge ending at 72,51; crossover at 30,11)

These data points are then salted, hashed and stored in the database.

As each fingerprint authentication system is unique, the same fingerprint can produce different encodings. A high precision encoding is very much the same as a very long password. The longer a password, the harder it is to brute-force. Have you tried brute-forcing a 12-character password hashed with MD5?

Being able to crack the hash of a low precision authentication system and reverse engineer a low quality fingerprint does not gain you access to a higher precision authentication system. In any case, you still have to pass authentication (i.e. produce a "real" fingerprint) even if you are able to extract the hash and crack it.

A much easier way is to lift a fingerprint directly from a person so that all data points can be collected. But then, the success of this also depends on the technology used in the fingerprint sensor, together with other forms of authentication in place.

What I haven't mentioned so far is that some systems (especially the government) do store a scanned image of the fingerprint and authenticate by overlaying and comparing graphically with the captured fingerprint. Such a system, when compromised, can render the entire fingerprint authentication scheme useless.

Question Overflow
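The grid encoding described in the answer above, worked through as an added example (not code from the answer or from any fingerprint product). It reproduces the answer's `LB23E75` sample, then shows a slightly shifted rescan still verifying against a salted hash on the 10x10 grid but failing on a 100x100 grid. Assumptions: the 0..999 sensor coordinates, PBKDF2 as the salted hash, three pattern classes, and all sample readings are constructed.

```python
import hashlib
import hmac
import math

UNITS = 1000  # assumed sensor coordinate range: 0..999 on each axis
# Letters taken from the answer's sample encodings.
CODES = {"loop": "L", "delta": "D", "bifurcation": "B",
         "ending": "E", "crossover": "X"}

def encode(pattern, minutiae, grid):
    """Quantize (kind, x, y) minutiae onto a grid x grid lattice."""
    width = len(str(grid - 1))  # 1 digit for 10x10, 2 digits for 100x100
    out = CODES[pattern]
    for kind, x, y in minutiae:
        cx, cy = x * grid // UNITS, y * grid // UNITS
        out += f"{CODES[kind]}{cx:0{width}d}{cy:0{width}d}"
    return out

def enroll(encoding, salt):
    """Salted hash of the encoding (PBKDF2 is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", encoding.encode(), salt, 100_000)

def verify(encoding, salt, stored):
    return hmac.compare_digest(enroll(encoding, salt), stored)

def keyspace_bits(grid, n_minutiae, kinds=4, patterns=3):
    """Upper bound on encoding entropy; real prints are far less random."""
    return math.log2(patterns) + n_minutiae * math.log2(kinds * grid * grid)

# Constructed readings of the same finger: the rescan is shifted by 1-2 units.
ENROLLED = ("loop", [("bifurcation", 230, 360), ("ending", 720, 510)])
RESCAN = ("loop", [("bifurcation", 229, 361), ("ending", 722, 512)])

def demo():
    """Return {grid: does the rescan verify against the enrolled hash}."""
    salt = b"constructed-salt"  # fixed only so the example is repeatable
    results = {}
    for grid in (10, 100):
        stored = enroll(encode(*ENROLLED, grid), salt)
        results[grid] = verify(encode(*RESCAN, grid), salt, stored)
    return results

if __name__ == "__main__":
    print(encode(*ENROLLED, 10), encode(*ENROLLED, 100), demo())
    print(round(keyspace_bits(10, 2), 1), round(keyspace_bits(100, 4), 1))
```

The grid coarse enough to absorb the shift has an upper bound under 20 bits, which is the precision trade-off the answer opens with.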
1

Now I hack the server and steal the hash. Now I can bypass the fingerprint test.

No, your reasoning is not correct: we cannot bypass the authentication mechanism by simply having the hash (of the fingerprint) because introducing the hash to the machine will produce another hash different from the one that resides on the server.

In other words:

A hash function is any function that can be used to map digital data of arbitrary size to digital data of fixed size, with slight differences in input data producing very big differences in output data.

  • but you could use the hash in order to create a duplicate print and use that (gelatin and a 3D printer) – schroeder Oct 08 '14 at 20:58
  • @schroeder there is no way to create a duplicate print from the hash, we can do that in the case of cryptography not in the case of hashing function. –  Oct 08 '14 at 21:00
  • rainbow tables? it's not about reversing, but about calculating the collision – schroeder Oct 08 '14 at 21:25
  • @schroeder in that case it depends on the power of the hashing algorithm. –  Oct 09 '14 at 05:44
1

Your fingerprint is left on every space your hand has touched, so it is not something secret as you may think of like a password.
For remote access, you can't rely only on biometrics for authentication, contrary to onsite access, where we have the ability to recognize the person when he uses a service or a device.

elsadek
0

The security of a biometric authentication system depends on the physical security of the input device. If the attacker has physical control of the input device, they can bypass it by inputting a stolen hash directly; if the device is unmonitored, the attacker can use a fake finger/eye/whatever to input stolen biometric data.

Mark
-2

Your question can be summarized in a few words: I have someone's fingerprint, can I impersonate him and authenticate into a biometric system?

In my opinion you can NOT. I have never dealt with such systems but it can't be that easy to bypass them or the security world would be in total chaos as you can find fingerprints of high profile individuals everywhere. Lifting fingerprints from objects is quite easy using kits that are even sold to children these days.

Ulkoma
  • Yes you can impersonate someone by using his biometric: http://www.zdnet.com/apple-iphone-fingerprint-reader-confirmed-as-easy-to-hack-7000021065/ and http://nakedsecurity.sophos.com/2014/04/17/samsung-galaxy-s5-fingerprint-hacked-iphone-5s-all-over-again/ – elsadek Oct 09 '14 at 04:34
  • It _is_ often that easy to bypass them, which is exactly the reason that biometrics are generally considered secure only in a handful of situations (e.g. if there's an armed guard next to the fingerprint reader, which makes it much harder to use a lifted print, or for that matter for a criminal to threaten someone into authenticating for them) – cpast Oct 30 '14 at 17:27